Detect breaking schema changes in SQL migrations, data models, and schema files before they reach production
Project description
🛡️ SchemaGuard
Catch breaking schema changes before they reach production.
A GitHub Action and CLI that scans SQL migrations, Pydantic models, Avro schemas, Protobuf files, and dbt models for changes that will break your application or data pipeline — and explains exactly what to fix.
Why?
Schema changes are the #1 cause of production data incidents that nobody sees coming. A developer drops a column in a migration, the PR review looks fine, tests pass, and it ships on Friday afternoon. By Saturday morning the app is returning 500s because a critical query references a column that no longer exists. The post-mortem always says the same thing: "We didn't connect the migration to the application code."
The problem compounds in data pipelines. A RENAME TABLE in an Alembic migration breaks three downstream dbt models, two Kafka consumers, and a Spark job — none of which are in the same repository. Existing CI tools catch syntax errors and test failures, but they have no awareness of structural compatibility between your schema and everything that depends on it.
SchemaGuard closes that gap by running in CI as a GitHub Action or local CLI. It diffs your branch against a base ref, classifies every schema change by severity, and fails the build before a breaking change can merge. No config files, no external services, no dependencies beyond the Python standard library — just a fast, transparent analysis of the diff that already exists in your PR.
✨ What It Catches
🗄️ SQL Migrations (Alembic, Django, Flyway, Liquibase, raw SQL)
| Operation | Severity |
|---|---|
DROP TABLE |
🔴 Critical |
DROP COLUMN |
🔴 Critical |
TRUNCATE |
🔴 Critical |
RENAME COLUMN / RENAME TABLE |
🟠 High |
ALTER COLUMN ... TYPE |
🟠 High |
NOT NULL without DEFAULT |
🟠 High |
DROP CONSTRAINT / DROP PRIMARY KEY |
🟠 High |
DROP INDEX |
🟡 Medium |
DROP VIEW |
🟡 Medium |
📐 Python Data Models
| Change | Severity |
|---|---|
Pydantic BaseModel field removed |
🔴 Critical |
SQLAlchemy Column removed |
🔴 Critical |
TypedDict key removed |
🟠 High |
@dataclass field removed |
🟡 Medium |
| Pydantic validator removed | 🟢 Low |
📄 Schema Files
| Change | Severity |
|---|---|
Avro field removed (.avsc) |
🔴 Critical |
Protobuf field removed (.proto) |
🔴 Critical |
| JSON Schema required field removed | 🟠 High |
dbt column removed from schema.yml |
🟠 High |
🚀 Quick Start
GitHub Action
name: Schema Safety Check
on: [pull_request]
jobs:
schemaguard:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 0
- uses: Tahiram32/schemaguard@v0.1.0
with:
base-ref: origin/main
format: github
fail-on: high
CLI
pip install schema-guardian
# Diff current branch against origin/main
schemaguard --base origin/main
# Output as Markdown
schemaguard --base origin/main --format markdown
# Output as SARIF for GitHub Code Scanning
schemaguard --base origin/main --format sarif > results.sarif
# Generate a status badge
schemaguard --base origin/main --badge
⚙️ Configuration
All options are available as CLI flags and as GitHub Action inputs.
| Flag / Input | Default | Description |
|---|---|---|
--repo / repo |
$GITHUB_WORKSPACE |
Path to the repository root to scan |
--base / base-ref |
origin/main |
Git ref to diff against |
--format / format |
markdown |
Output format: text, json, markdown, github, sarif |
--fail-on / fail-on |
high |
Minimum risk level for non-zero exit: none, low, medium, high, critical |
--badge / badge |
false |
Write schemaguard-badge.svg to the repository root |
Output Formats
text— plain-text summary for terminalsjson— machine-readable JSON array of findingsmarkdown— GitHub-flavoured Markdown table (default)github— GitHub Actions workflow commands (::error::,::warning::)sarif— SARIF 2.1.0 for GitHub Code Scanning upload
🔬 How It Works
SchemaGuard operates in three independent analysis layers, each targeting a different class of schema artifact.
1. migration_analyzer — Runs git diff <base>...HEAD and extracts all changed SQL and migration files (.sql, Alembic versions/, Django migrations/, Flyway V*.sql, Liquibase changelogs). It then applies a set of pattern rules against the added lines to detect dangerous DDL operations ranked by severity.
2. model_analyzer — Parses the diff for changes to Python source files and identifies removed class attributes in BaseModel, DeclarativeBase/Column, TypedDict, and @dataclass definitions. Field removal is detected by comparing the set of defined names in the before/after snapshots of each class.
3. schema_file_analyzer — Handles structured schema formats: Avro (.avsc), Protobuf (.proto), JSON Schema (.json/.yaml with $schema), and dbt schema.yml. For each file type it parses the before/after states of changed files and computes structural diffs to detect removed fields, required properties, and column definitions.
All three analyzers produce a unified list of Finding objects with a file path, line number, description, and severity. The CLI aggregates these into the requested output format and exits with a non-zero code if any finding meets or exceeds the --fail-on threshold.
🗺️ Roadmap
- SQL migration danger detection (
DROP,RENAME,ALTER TYPE,NOT NULL) - Pydantic / SQLAlchemy / dataclass model analysis
- Avro, Protobuf, JSON Schema file diffing
- dbt
schema.ymlcolumn change detection - SARIF output for GitHub Code Scanning
- GitHub Action composite workflow
- GraphQL schema change detection
- Prisma schema support
- Django model field analysis
- Custom ignore rules via
.schemaguardignore
❤️ Sponsor
If SchemaGuard saves you from a production incident, consider sponsoring continued development:
Contributing
See CONTRIBUTING.md for how to get started. All contributions are welcome — bug reports, feature requests, and pull requests.
License
MIT © 2026 Tahiram32 — see LICENSE for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file schema_guardian-0.1.0.tar.gz.
File metadata
- Download URL: schema_guardian-0.1.0.tar.gz
- Upload date:
- Size: 14.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
20eec5e501b11b16380b45f167aa58d7b295b66fc0adcb91df9d4460410a2c26
|
|
| MD5 |
5f7d14826e977dfb21bf296b8626f88f
|
|
| BLAKE2b-256 |
4dbbb1ed4dabe8bd3a8fa394b640bda77d3189e0ca781d199cb19b954005afde
|
File details
Details for the file schema_guardian-0.1.0-py3-none-any.whl.
File metadata
- Download URL: schema_guardian-0.1.0-py3-none-any.whl
- Upload date:
- Size: 16.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bc4db3b8adff19df988a2208cf5b64845612cd8ca72509c2fc632b2a7420005f
|
|
| MD5 |
b9e6d7869622a87bb8e5a79e36ee11dd
|
|
| BLAKE2b-256 |
b9f7b24c94d8c4f70f674043e424347c77510f47e88a1aab12673955b341b5a9
|