liquibase.examples.json.checks-packages.liquibase.checks.schema-protection.yaml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of liquibase-core Show documentation
Show all versions of liquibase-core Show documentation
Liquibase is a tool for managing and executing database changes.
The newest version!
## Policy Checks Settings File
########## IMPORTANT: NEVER EDIT THIS KEY
## id: 'some-l0ng-uni4ue-id3nt1fier-c0d3'
########## ALWAYS EDITABLE KEY VALUES and PARAMETERS
## severity:
## enabled:
########## EDITABLE PARAMETERS
## Standard value options:
## ALLOWED_LIST:
## ATTRIBUTE:
## CASE_SENSITIVE:
## CHANGE_TYPE_LIST:
## COLUMN_NAME:
## CONSTRAINT:
## CONSTRAINT_OPERATOR:
## DEFAULTS_FILENAME:
## EXCEPTIONS_LIST:
## FILETYPE:
## JDBC_URL:
## LOGIC_CONDITIONAL:
## LOOKAHEAD_MESSAGE:
## LOOKAHEAD_SEARCH_STRING:
## LOOKBEHIND_MESSAGE:
## LOOKBEHIND_SEARCH_STRING:
## MAX_COLUMNS:
## MAX_ROWS:
## MESSAGE:
## NEGATIVE_LOOKAHEAD_MESSAGE:
## NEGATIVE_LOOKBEHIND_MESSAGE:
## OBJECT_TYPES:
## OPERATOR:
## PASSWORD:
## PATH_FILTER_REGEX:
## PATTERN_A:
## PATTERN_B:
## PRIMARY_SEARCH_STRING:
## PRIVILEGE_LIST:
## PROJECT_DIR:
## REQUIRES_SNAPSHOT:
## RUN_IN_TRANSACTION_VALUE:
## SAMPLE_CHANGELOG_NAME:
## SCRIPT_ARGS:
## SCRIPT_DESCRIPTION:
## SCRIPT_MESSAGE:
## SCRIPT_PATH:
## SCRIPT_SCOPE:
## SCRIPT_TYPE:
## SEARCH_STRING:
## SPLIT_STATEMENTS:
## STRIP_COMMENTS:
## TABLE_NAME:
## USERNAME:
fileCreated: 2024-10-21T22:20:42.230Z
fileModified: 2024-10-21T22:22:49.658Z
rules:
- description: This check warns a user when SQL contains 'GRANT' statements so that
they can ensure that the privilege being granted won't lead to security issues.
enabled: false
id: '38fc7edf-9a60-3d00-8b40-23c7e719745f'
name: Warn on Detection of 'GRANT' Statements
severity: '0'
shortName: SqlGrantWarn
- description: This check warns a user when SQL contains 'REVOKE' statements so that
they can ensure that the privilege being revoked won't lead to data access and
dependency issues.
enabled: false
id: '0b73828f-2e8d-3c36-b1c3-7153bcb6f160'
name: Warn on Detection of 'REVOKE' Statements
severity: '0'
shortName: SqlRevokeWarn
- description: This check warns a user when generated or raw SQL contains 'USE DATABASE'
directive.
enabled: true
id: '9197d8c1-86e7-3277-b3d9-677c2f2b4213'
name: Warn on Detection of 'USE DATABASE' statements
severity: '0'
shortName: WarnOnUseDatabase
- description: This check warns a user when a table is being dropped so that they
can ensure that dropping the table won't lead to unintentional loss of data.
enabled: true
id: '218fa8f2-ea81-308e-b010-5c25cf62c8fc'
name: Warn when 'DROP TABLE' detected
severity: '0'
shortName: ChangeDropTableWarn
- description: This check warns a user when a column is being dropped so that they
can ensure that dropping the column won't lead to unintentional loss of data.
enabled: true
id: '223ed841-5f53-3eab-8ca8-f66393c689a4'
name: Warn when 'DROP COLUMN' detected
severity: '0'
shortName: ChangeDropColumnWarn
- description: This check warns a user when a change will result in modification of
a data type so they can ensure that modifying the data type won't lead to unintentional
loss of data
enabled: false
id: 'e98e0a4d-0582-360b-a89f-37b2f65e65d2'
name: Warn when 'MODIFY ' detected
severity: '0'
shortName: ModifyDataTypeWarn
- description: This check warns a user when generated or raw SQL contains 'SELECT
*' statements so that they can ensure selecting all fields from a table in a
query is safe and necessary
enabled: false
id: 'b36ff4e4-b647-3bfa-b73f-33c7a588c567'
name: Warn on Detection of 'SELECT *'
severity: '0'
shortName: SqlSelectStarWarn
- description: This check scans SQL for the presence of specific patterns in specified
changelog paths, and warns the user when they are found.
enabled: false
id: '6fe07581-c90d-3add-9057-1547a1439727'
name: Check for specific patterns in sql
parameters:
- parameter: SEARCH_STRING
value: null
- parameter: MESSAGE
value: A match for regular expression was detected in Changeset
in changelog path .
- parameter: STRIP_COMMENTS
value: true
- parameter: PATH_FILTER_REGEX
value: null
- parameter: SPLIT_STATEMENTS
value: false
parentRuleId: null
severity: '0'
shortName: SqlUserDefinedPatternCheck
- description: This check triggers when a changeset contains the supplied pattern
string or regex, but does not have an end delimiter set specifically in the changeset
or via options such as 'pro-global-end-delimiter' or 'endDelimiter' attribute
in a modifyChangesets tag.
enabled: false
id: 'd2fc6f01-8ddd-35f3-bc03-f516a8f611ac'
name: End delimiter exists when pattern exists
parameters:
- parameter: SEARCH_STRING
value: null
- parameter: CASE_SENSITIVE
value: true
- parameter: STRIP_COMMENTS
value: true
- parameter: MESSAGE
value: The pattern '' was found without an end delimiter in Changeset
''.
parentRuleId: null
severity: '0'
shortName: EndDelimiterExistsWhenPatternExists
- description: Check triggers if the user-supplied regex pattern A is followed by
the user-supplied regex pattern B
enabled: false
id: '840a30f4-b3c5-3ad5-ac9b-6251d1f7b99d'
name: Pattern a followed by pattern b
parameters:
- parameter: PATTERN_A
value: null
- parameter: PATTERN_B
value: null
- parameter: CASE_SENSITIVE
value: true
- parameter: MESSAGE
value: 'Match found: '''' is followed by '''' in Changeset
''''.'
- parameter: STRIP_COMMENTS
value: true
parentRuleId: null
severity: '0'
shortName: PatternAFollowedByPatternB
- description: Check triggers if the user-supplied regex pattern A is preceded by
the user-supplied regex pattern B
enabled: false
id: 'e5faa299-31c1-361e-89f3-8c5ad9e49a22'
name: Pattern a preceded by pattern b
parameters:
- parameter: PATTERN_A
value: null
- parameter: PATTERN_B
value: null
- parameter: CASE_SENSITIVE
value: true
- parameter: MESSAGE
value: 'Match found: '''' is preceded by '''' in Changeset
''''.'
- parameter: STRIP_COMMENTS
value: true
parentRuleId: null
severity: '0'
shortName: PatternAPrecededByPatternB
- description: Check triggers if the user-supplied regex pattern A is NOT followed
by the user-supplied regex pattern B
enabled: false
id: 'f9a6e39d-0799-3041-9b5a-6b61db4bc630'
name: Pattern a not followed by pattern b
parameters:
- parameter: PATTERN_A
value: null
- parameter: PATTERN_B
value: null
- parameter: CASE_SENSITIVE
value: true
- parameter: MESSAGE
value: 'Match found: '''' is NOT followed by '''' in Changeset
''''.'
- parameter: STRIP_COMMENTS
value: true
parentRuleId: null
severity: '0'
shortName: PatternANotFollowedByPatternB
- description: Check triggers if the user-supplied regex pattern A is NOT preceded
by the user-supplied regex pattern B
enabled: false
id: 'a089037f-4fd5-3873-a07e-16105ded71c0'
name: Pattern a not preceded by pattern b
parameters:
- parameter: PATTERN_A
value: null
- parameter: PATTERN_B
value: null
- parameter: CASE_SENSITIVE
value: true
- parameter: MESSAGE
value: 'Match found: '''' is NOT preceded by '''' in Changeset
''''. '
- parameter: STRIP_COMMENTS
value: true
parentRuleId: null
severity: '0'
shortName: PatternANotPrecededByPatternB
- description: Ensures that no table has more than a threshold number of columns.
enabled: true
id: '2abde5de-a71d-3ead-8fd6-e13a743c0aec'
name: Check Table Column Count
parameters:
- parameter: MAX_COLUMNS
value: 50
parentRuleId: null
severity: '0'
shortName: TableColumnLimit
- description: This checks triggers when the Max Affected Rows Allowed value is exceeded
by the number of rows DELETED by a SQL statement. The SQL statement is executed
against the database, and then rolled back.
enabled: false
id: '99b1c0d2-6dda-3acb-85f3-68002c3b07c1'
name: Check Affected Rows Count on Delete
parameters:
- parameter: MAX_ROWS
value: 50
- parameter: MESSAGE
value: rows will be affected, which is more than the allowed ''
rows. The SQL statement is '' in ''.
parentRuleId: null
severity: '0'
shortName: MaxAffectedRowsAllowedDelete
- description: This checks triggers when the Max Affected Rows Allowed value is exceeded
by the number of rows INSERTED by a SQL statement. The SQL statement is executed
against the database, and then rolled back.
enabled: false
id: 'bbd74a72-77d4-3517-9125-c771f790178b'
name: Check Affected Rows Count on Insert
parameters:
- parameter: MAX_ROWS
value: 50
- parameter: MESSAGE
value: rows will be affected, which is more than the allowed ''
rows. The SQL statement is '' in ''.
parentRuleId: null
severity: '0'
shortName: MaxAffectedRowsAllowedInsert
- description: This checks triggers when the Max Affected Rows Allowed value is exceeded
by the number of rows UPDATED by a SQL statement. The SQL statement is executed
against the database, and then rolled back.
enabled: false
id: 'e9e2055d-e837-3418-96ac-352416cd43ee'
name: Check Affected Rows Count on Update
parameters:
- parameter: MAX_ROWS
value: 50
- parameter: MESSAGE
value: rows will be affected, which is more than the allowed ''
rows. The SQL statement is '' in ''.
parentRuleId: null
severity: '0'
shortName: MaxAffectedRowsAllowedUpdate
- description: This check confirms the listed object names conform to the supplied
pattern.
enabled: false
id: '51362082-ddc1-34dc-98f6-c7413345b19b'
name: Object name pattern match
parameters:
- parameter: OPERATOR
value: STARTS_WITH
- parameter: SEARCH_STRING
value: null
- parameter: OBJECT_TYPES
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: ObjectNameMustMatch
- description: Executes a custom check script.
enabled: false
id: '68592fc1-8c79-3026-990f-da80c1c6d6e0'
name: Custom Check Template
parameters:
- parameter: SCRIPT_DESCRIPTION
value: Custom check
- parameter: SCRIPT_SCOPE
value: CHANGELOG
- parameter: SCRIPT_MESSAGE
value: The message to display when the check is triggered
- parameter: SCRIPT_TYPE
value: PYTHON
- parameter: SCRIPT_PATH
value: null
- parameter: SCRIPT_ARGS
value: null
- parameter: REQUIRES_SNAPSHOT
value: false
parentRuleId: null
severity: '0'
shortName: CustomCheckTemplate
- description: This check confirms the listed object names do not match the supplied
pattern.
enabled: false
id: '1bd2ac39-66fd-31fc-ac37-d6ba4c6319cc'
name: Object name pattern not match
parameters:
- parameter: OPERATOR
value: STARTS_WITH
- parameter: SEARCH_STRING
value: null
- parameter: OBJECT_TYPES
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: ObjectNameMustNotMatch
- description: This check warns a user when changeset includes or generates sql that
grants specific privileges to a user or role
enabled: false
id: '751a7709-1676-36eb-b1fb-31819ff4b681'
name: Warn on Grant of Specific Privileges
parameters:
- parameter: PRIVILEGE_LIST
value: null
- parameter: STRIP_COMMENTS
value: true
parentRuleId: null
severity: '0'
shortName: SqlGrantSpecificPrivsWarn
- description: ' This check triggers when a changeset contains the user-specified
runInTransactions value of ''true'' or ''false''. Note: Changesets without a runInTransactions
value are not checked.'
enabled: false
id: '1fdc2bbb-67a4-3d45-baad-09e69f1108cd'
name: Check Changeset runInTransaction value
parameters:
- parameter: RUN_IN_TRANSACTION_VALUE
value: false
- parameter: MESSAGE
value: A match for regular expression was detected in Changeset
.
parentRuleId: null
severity: '0'
shortName: CheckRunInTransactionValue
- description: This check warns a user when a table is being truncated so that they
can ensure that truncating the table won't lead to unintentional loss of data.
enabled: false
id: '136bed9a-17c5-3edc-b1e7-30065052e859'
name: Warn when 'TRUNCATE TABLE' detected
severity: '0'
shortName: ChangeTruncateTableWarn
- description: This check warns a user when SQL contains 'GRANT' statements that include
the 'WITH GRANT OPTION' clause so that they can ensure that the privilege being
granted won't lead to security issues
enabled: false
id: '892b5881-6d02-3846-bdf0-c8538e7b013f'
name: Warn on Detection of grant that contains 'WITH GRANT OPTION'
severity: '0'
shortName: SqlGrantOptionWarn
- description: Disallow Oracle reserved keywords from being used in database object
names. See https://docs.oracle.com/cd/B19306_01/em.102/b40103/app_oracle_reserved_words.htm
for complete list of keywords.
enabled: false
id: 'b0530bd6-986c-3084-b2d7-d01261a6337e'
name: Disallow oracle reserved keywords
parameters:
- parameter: OBJECT_TYPES
value: null
- parameter: ALLOWED_LIST
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: OracleReservedKeywords
- description: Disallow SQL Server reserved keywords from being used in database object
names. See https://docs.microsoft.com/en-us/sql/t-sql/language-elements/reserved-keywords-transact-sql?view=sql-server-ver16
for complete list of keywords.
enabled: false
id: '3328f158-14fe-389e-ad3d-ed633c07cd8b'
name: Disallow sql server reserved keywords
parameters:
- parameter: OBJECT_TYPES
value: null
- parameter: ALLOWED_LIST
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: SQLServerReservedKeywords
- description: Disallow SQL Server's future reserved keywords from being used in database
object names. See https://docs.microsoft.com/en-us/sql/t-sql/language-elements/reserved-keywords-transact-sql?view=sql-server-ver16
for complete list of keywords.
enabled: false
id: 'e373a890-b092-3c11-b204-d71b84282a26'
name: Disallow sql server future reserved keywords
parameters:
- parameter: OBJECT_TYPES
value: null
- parameter: ALLOWED_LIST
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: SQLServerFutureReservedKeywords
- description: Disallow Postgres reserved keywords from being used in database object
names. See https://www.postgresql.org/docs/14/sql-keywords-appendix.html for complete
list of keywords.
enabled: false
id: '23ba52ce-5e52-3025-8404-6c455797e53a'
name: Disallow postgres reserved keywords
parameters:
- parameter: OBJECT_TYPES
value: null
- parameter: ALLOWED_LIST
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: PostgresReservedKeywords
- description: Disallow SQL Server's ODBC reserved keywords from being used in database
object names. See https://docs.microsoft.com/en-us/sql/t-sql/language-elements/reserved-keywords-transact-sql?view=sql-server-ver16
for complete list of keywords.
enabled: false
id: '534bf3f7-941c-35a0-8127-a3b869f7eec2'
name: Disallow sql server odbc reserved keywords
parameters:
- parameter: OBJECT_TYPES
value: null
- parameter: ALLOWED_LIST
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: SQLServerODBCReservedKeywords
- description: Disallow Postgres non-reserved keywords from being used in database
object names. See https://www.postgresql.org/docs/14/sql-keywords-appendix.html
for complete list of keywords.
enabled: false
id: 'f731c06a-1f37-31e4-82e2-1e7df7d9c930'
name: Disallow postgres non reserved keywords
parameters:
- parameter: OBJECT_TYPES
value: null
- parameter: ALLOWED_LIST
value: null
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: PostgresNonReservedKeywords
- description: This check warns a user when SQL contains 'GRANT' statements that include
the 'WITH ADMIN OPTION' clause so that they can ensure that the privilege being
granted won't lead to security issues
enabled: false
id: 'a85a72fd-9d93-33cd-bbdb-59f21538af9d'
name: Warn on Detection of grant that contains 'WITH ADMIN OPTION'
severity: '0'
shortName: SqlGrantAdminWarn
- description: This check warns a user when a ChangeSet includes a ChangeType listed
by the user as forbidden
enabled: true
id: '467fd8ba-a898-30a7-b265-aa48a023ae21'
name: Warn on Use of User Defined ChangeTypes
parameters:
- parameter: CHANGE_TYPE_LIST
value: dropTable,dropColumn
parentRuleId: null
severity: '0'
shortName: DetectChangeType
- description: This check triggers when a changeset does not have a rollback defined.
enabled: false
id: 'd517b518-8a6f-3084-a5be-97e7d89c6860'
name: Rollback Required for Changeset
severity: '0'
shortName: RollbackRequired
- description: This check enforces the Liquibase recommendation that labels be assigned
to each changeset to provide better deployment control and to enhance traceability
of efforts across changesets.
enabled: false
id: '00da80be-8adf-3c05-9380-b2538ae3015a'
name: Changesets Must Have a Label Assigned
severity: '0'
shortName: ChangesetLabelCheck
- description: This check enforces the Liquibase recommendation that contexts be assigned
to each changeset to provide better deployment control and to enhance traceability
of efforts across changesets.
enabled: false
id: 'e56b7a4a-5953-3be3-96d2-0814eb8e7a02'
name: Changesets Must Have a Context Assigned
severity: '0'
shortName: ChangesetContextCheck
- description: This check enforces the Liquibase recommendation that comments be added
to each changeset to document the purpose of a changeset for other/future consumers
of this changelog
enabled: false
id: '517fcf2f-769c-3916-af1c-4c6aeef37914'
name: Changesets Must Have a Comment Assigned
severity: '0'
shortName: ChangesetCommentCheck
- description: This check enforces the Liquibase Best Practice of keeping individual
changesets small by limiting them to one statement or change.
enabled: false
id: '2b02222f-32cf-3761-add0-9615b821678f'
name: One Change Per Changeset
severity: '0'
shortName: OneChangePerChangeset
- description: This check confirms that a specific label or a label that matches a
specific pattern is present on all changesets.
enabled: false
id: 'e854b95b-4256-3d23-985d-f9e1f2659983'
name: Check for User Defined Label
parameters:
- parameter: OPERATOR
value: STARTS_WITH
- parameter: SEARCH_STRING
value: null
parentRuleId: null
severity: '0'
shortName: UserDefinedLabelCheck
- description: This check confirms that a specific context or a context that matches
a specific pattern is present on all changesets.
enabled: false
id: '435d5958-9c70-3ae3-947a-9a80df8fdf7a'
name: Check for User Defined Context
parameters:
- parameter: OPERATOR
value: STARTS_WITH
- parameter: SEARCH_STRING
value: null
parentRuleId: null
severity: '0'
shortName: UserDefinedContextCheck
- description: This check warns when a create table action doesn't also include a
primary key.
enabled: false
id: '8164f717-c798-323b-b268-65b5eca0784e'
name: Require primary key when creating table
parameters:
- parameter: EXCEPTIONS_LIST
value: ''
- parameter: CASE_SENSITIVE
value: true
parentRuleId: null
severity: '0'
shortName: PrimaryKeyOnCreateTable
- description: This check scans your target URL database tables to find tables which
do not have an associated index.
enabled: false
id: 'b945447e-9e2a-3422-b40c-543d7505568a'
name: Table must have an index
severity: '0'
shortName: CheckTablesForIndex
- description: 'With database-scope, this check flags any table which does not have
a comment. With changelog-scope, this check triggers on changesets with a CREATE
table changetype that does not also add a comment for the table in that same changeset.
(Note: This is not a check for a Liquibase changelog comment.)'
enabled: false
id: 'f9a9e270-09b1-3a4c-90b1-e3ae1de98d77'
name: Table must have a comment
severity: '0'
shortName: TableCommentCheck
- description: This check triggers when specified attributes do not match TRUE or
FALSE, as configured by the user.
enabled: false
id: '8339bc72-ae9e-3678-8a86-2af1b8aa2d1c'
name: Changeset attributes set true or false
parameters:
- parameter: ATTRIBUTE
value: null
- parameter: SEARCH_STRING
value: null
parentRuleId: null
severity: '0'
shortName: ChangesetAttributesSetTrueOrFalse
- description: This check triggers when specific user-supplied patterns are found
in Table Comments.
enabled: false
id: '52e205f6-185c-3e14-9e90-18c66f1267a9'
name: Table Comment Pattern Check
parameters:
- parameter: OPERATOR
value: CONTAINS
- parameter: SEARCH_STRING
value: null
- parameter: MESSAGE
value: A match for regular expression was detected in .
parentRuleId: null
severity: '0'
shortName: TableCommentPatternCheck
- description: This check triggers when specified attributes do not match the user-supplied
string or regex pattern.
enabled: false
id: '84092e22-894a-3452-a778-5bfae8ba03ca'
name: Changeset attributes and value
parameters:
- parameter: ATTRIBUTE
value: null
- parameter: SEARCH_STRING
value: null
parentRuleId: null
severity: '0'
shortName: ChangesetAttributesAndValue
- description: This check triggers when the logic conditional evaluates to true
enabled: false
id: 'b3fc0c29-7070-345d-acdd-761e28e99766'
name: Chained checks template
parameters:
- parameter: LOGIC_CONDITIONAL
value: null
- parameter: MESSAGE
value: The conditions in '' were met for ''. The
chained checks include .
parentRuleId: null
severity: '0'
shortName: ChainedChecksTemplate
- description: Check for and alert when specified table does not contain the required
constraint(s).
enabled: false
id: 'c3a5ceda-c901-3864-8394-18c04139036c'
name: Constraint must exist
parameters:
- parameter: CONSTRAINT_OPERATOR
value: STARTS_WITH
- parameter: TABLE_NAME
value: null
- parameter: COLUMN_NAME
value: null
- parameter: CONSTRAINT
value: PRIMARYKEY
- parameter: CASE_SENSITIVE
value: true
- parameter: MESSAGE
value: The specified table '' does not contain the required ''
constraint.
parentRuleId: null
severity: '0'
shortName: ConstraintMustExist
- description: Alerts when a changeset ID does not follow the 8-4-4-4-12 pattern of
UUID or GUID.
enabled: false
id: 'af508207-cd38-3498-8a56-187ed76caebb'
name: Require Changeset ID is valid UUID
severity: '0'
shortName: RequireChangesetIDisUUID
version: '1.1'