Secure 5.1: ChangesetContextCheck

ChangesetContextCheck

Last updated: January 22, 2026

This check enforces the Liquibase best-practice recommendation to assign a context to every changeset to provide better deployment control and to enhance traceability and granularity of deployments across changesets.

Uses

Property	Value
Liquibase version required	4.5.0+
Scope (--checks-scope)	changelog
Default status	enabled
Default severity (exit code)	0 ("INFO")
Customizable settings	No (static)

Uses

Use the check to enhance deployment control of specific changesets by requiring one or more contexts be assigned to every changeset in a changelog. Whether in automation or manual testing of proposed schema changes at the dev level, contexts provide better deployment control. Using contexts allows just the changesets that match the specified contexts filter(s) to be run. For example, a team could provide contexts to change sets by "dev," "staging," "prod," or all three "dev, staging, prod," and when a Liquibase job is run, only the specified subset of context-matching changesets will be deployed. This policy check, like other checks, can be configured with a "severity" level that returns an exit code designed to stop automated jobs, giving your team time to apply this Liquibase best practice.

Note: Contexts and Labels are similar, but the best-practice is to use context for deployment environments and labels more like free-form tags for features, content, release, or other process-centric filter.

Before you begin

Ensure that you have correctly specified your Liquibase Secure license key.
Ensure that the --checks-scope parameter includes the scope of this check.

Changelog checks prerequisites

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

Procedure

Enable

This check is enabled by default. To verify that it is currently enabled, run the checks show command:

liquibase checks show --check-name=<string>

To run the check, use the checks run command.

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

Note: For flow files you'll need to run liquibase flow to apply your changes.

Example output

Check 'ChangesetContextCheck' has been enabled.

Short Name	Scope	Status	Severity	Customization	Description
SqlGrantWarn	changelog		0	None	This check warns a user when SQL contains 'GRANT' statements so that they can ensure that the privilege being granted won't lead to security issues.

| 20 | Warn on Detection of 'REVOKE' | | Statements | | | | | | | | | | | | | | | | +-----+--------------------------------+ | 30 | Warn when 'DROP TABLE' | | detected | | | | | | | | | | +-----+--------------------------------+ | 40 | Warn when 'DROP COLUMN' | | detected | | | | | | | | | | +-----+--------------------------------+ | 50 | Warn when 'MODIFY column' | | detected | | | | | | | | | | | | | +-----+--------------------------------+ | 60 | Check for specific patterns | | sql | | | | | | | | | | | | | +-----+--------------------------------+ | 70 | Check Table Column Count | | | | | | +-----+--------------------------------+ | 80 | Object name pattern match | | | | | | | | | +-----+--------------------------------+ | 85 | Object name pattern not match | | | | | | | | | +-----+--------------------------------+ | 90 | Warn on Grant of Specific | | Privileges | | | | | | | | | | +-----+--------------------------------+ | 100 | Warn when 'TRUNCATE TABLE' | | detected | | | | | | | | | | | | | +-----+--------------------------------+ | 110 | Warn on Detection of grant | | that contains 'WITH GRANT | | | OPTION' | | | | | | | | | | | | +-----+--------------------------------+ | 130 | Warn on Detection of grant | | that contains 'WITH ADMIN | | | OPTION' | | | | | | | | | | | | +-----+--------------------------------+ | 160 | Rollback Required for | | Changeset | | | | +-----+--------------------------------+ | 170 | Changesets Must Have a Label | | Assigned | | | | | | | | | | | | | | | | +-----+--------------------------------+ | 173 | Changesets Must Have a | | Assigned | | | | | | | | | | | | | | | | +-----+--------------------------------+ | 176 | Changesets Must Have a | | Assigned | | | | | | | | | | | | | | | | +-----+--------------------------------+ | 500 | Table must have a comment | | | | | | | | | | | | | | | | | | +-----+--------------------------------+ | 510 | Table Comment Pattern Check | | | | | | | | | +-----+--------------------------------+ | 510 | Table Comment Pattern Check | | | | | | | | | | | | +-----+--------------------------------+ | 570 | Constraint must exist | | | | | | | | | | | | | | | +-----+--------------------------------+ | 570 | Constraint must exist | | | | | | | | | | | | | | | | | | | | | | | | | | | +-----+--------------------------------+ | 570 | Constraint must exist | | | | | | | | | +-----+--------------------------------+ Liquibase command 'checks | SqlRevokeWarn | This check warns a user when | false | None | 0 | changelog | | SQL contains 'REVOKE' | | | | | | statements so that they can | | | | | | ensure that the privilege | | | | | | being revoked won't lead to | | | | | | data access and dependency | | | | | | issues. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ChangeDropTableWarn | This check warns a user when a | false | None | 0 | changelog | | table is being dropped so that | | | | | | they can ensure that dropping | | | | | | the table won't lead to | | | | | | unintentional loss of data. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ChangeDropColumnWarn | This check warns a user when a | false | None | 0 | changelog | | column is being dropped so | | | | | | that they can ensure that | | | | | | dropping the column won't lead | | | | | | to unintentional loss of data. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ModifyDataTypeWarn | This check warns a user when a | false | None | 0 | changelog | | change will result in | | | | | | modification of a data type so | | | | | | they can ensure that modifying | | | | | | the data type won't lead to | | | | | | unintentional loss of data | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ in | SqlUserDefinedPatternCheck | This check scans raw SQL for | false | SEARCH_STRING = null | 0 | changelog | | the presence of specific | | MESSAGE = A match for regular | | | | patterns and warns the user | | expression SEARCH_STRING was | | | | when they are found. | | detected in Changeset | | | | | | CHANGESET. | | | | | | STRIP_COMMENTS = true | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | TableColumnLimit | Ensures that no table has more | true | MAX_COLUMNS = 2 | 1 | changelog, | | than a threshold number of | | | | database | | columns. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ObjectNameMustMatch | This check confirms the listed | false | OPERATOR = STARTS_WITH | 0 | changelog, | | object names conform to the | | SEARCH_STRING = null | | database | | supplied pattern. | | OBJECT_TYPES = null | | | | | | CASE_SENSITIVE = true | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ObjectNameMustNotMatch | This check confirms the listed | false | OPERATOR = STARTS_WITH | 0 | changelog, | | object names do not match the | | SEARCH_STRING = null | | database | | supplied pattern. | | OBJECT_TYPES = null | | | | | | CASE_SENSITIVE = true | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | SqlGrantSpecificPrivsWarn | This check warns a user when | false | PRIVILEGE_LIST = null | 0 | changelog | | changeset includes or | | | | | | generates sql that grants | | | | | | specific privileges to a user | | | | | | or role | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ChangeTruncateTableWarn | This check warns a user when a | false | None | 0 | changelog | | table is being truncated so | | | | | | that they can ensure that | | | | | | truncating the table won't | | | | | | lead to unintentional loss of | | | | | | data. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | SqlGrantOptionWarn | This check warns a user when | false | None | 0 | changelog | | SQL contains 'GRANT' | | | | | | | statements that include the | | | | | | 'WITH GRANT OPTION' clause so | | | | | | that they can ensure that the | | | | | | privilege being granted won't | | | | | | lead to security issues | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | SqlGrantAdminWarn | This check warns a user when | false | None | 0 | changelog | | SQL contains 'GRANT' | | | | | | | statements that include the | | | | | | 'WITH ADMIN OPTION' clause so | | | | | | that they can ensure that the | | | | | | privilege being granted won't | | | | | | lead to security issues | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | RollbackRequired | This check triggers when a | false | None | 0 | changelog | | changeset does not have a | | | | | | rollback defined. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ChangesetLabelCheck | This check enforces the | false | None | 0 | changelog | | Liquibase recommendation that | | | | | | labels be assigned to each | | | | | | changeset to provide better | | | | | | deployment control and to | | | | | | enhance traceability of | | | | | | efforts across changesets. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ Context | ChangesetContextCheck | This check enforces the | false | None | 0 | changelog | | Liquibase recommendation that | | | | | | contexts be assigned to each | | | | | | changeset to provide better | | | | | | deployment control and to | | | | | | enhance traceability of | | | | | | efforts across changesets. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ Comment | ChangesetCommentCheck | This check enforces the | false | None | 0 | changelog | | Liquibase recommendation that | | | | | | comments be added to each | | | | | | changeset to document the | | | | | | purpose of a changeset for | | | | | | other/future consumers of this | | | | | | changelog | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | TableCommentCheck | This check flags any Table | true | None | 0 | database | | described in a changelog or | | | | | | existing on a database target | | | | | | which does not have a Comment. | | | | | | (Note: This is not a check for | | | | | | a Liquibase changelog | | | | | | comment.) | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ExamplePatternCheck | This check triggers when | true | OPERATOR = CONTAINS | 1 | changelog, | | specific user-supplied | | SEARCH_STRING = PRIMARY_TABLE | | database | | patterns are found in Table | | MESSAGE = MATCH | | | | Comments. | | | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | TableCommentPatternCheck | This check triggers when | false | OPERATOR = CONTAINS | 0 | changelog, | | specific user-supplied | | SEARCH_STRING = null | | database | | patterns are found in Table | | MESSAGE = A match for regular | | | | Comments. | | expression SEARCH_STRING was | | | | | | detected in IDENTIFIER. | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ConstraintCheckShortName | Check for and alert when | true | CONSTRAINT_OPERATOR = CONTAINS | 1 | database | | specified table does not | | TABLE_NAME = PRIMARY_TABLE | | | | contain the required | | COLUMN_NAME = NULLABLECOL | | | | constraint(s). | | CONSTRAINT = PRIMARYKEY | | | | | | CASE_SENSITIVE = false | | | | | | MESSAGE = Example Message | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ConstraintMustExist | Check for and alert when | false | CONSTRAINT_OPERATOR = | 0 | database | | specified table does not | | STARTS_WITH | | | | contain the required | | TABLE_NAME = null | | | | constraint(s). | | COLUMN_NAME = null | | | | | | CONSTRAINT = PRIMARYKEY | | | | | | CASE_SENSITIVE = true | | | | | | MESSAGE = The specified table | | | | | | 'TABLE_NAME' does not | | | | | | contain the required | | | | | | 'CONSTRAINT' constraint. | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ | ConstraintMustExistTEST | Check for and alert when | true | CONSTRAINT_OPERATOR = ALL | 0 | database | | specified table does not | | CONSTRAINT = Primarykey | | | | contain the required | | CASE_SENSITIVE = false | | | | constraint(s). | | MESSAGE = any | | | ----------------------------+--------------------------------+---------+--------------------------------+----------+------------+ enable' was executed successfully.

ChangesetContextCheck

Uses

Uses

Before you begin

Changelog checks prerequisites

CLI

Flow

liquibase.properties

JAVA_OPTS

Environment variable

Procedure

Enable

To run the check, use the checks run command.

CLI example

Flow example

Example output