Skip to main content

Detect breaking schema changes in SQL migrations, data models, and schema files before they reach production

Project description

🛡️ SchemaGuard

Catch breaking schema changes before they reach production.

CI PyPI version License: MIT GitHub Sponsors

A GitHub Action and CLI that scans SQL migrations, Pydantic models, Avro schemas, Protobuf files, and dbt models for changes that will break your application or data pipeline — and explains exactly what to fix.


Why?

Schema changes are the #1 cause of production data incidents that nobody sees coming. A developer drops a column in a migration, the PR review looks fine, tests pass, and it ships on Friday afternoon. By Saturday morning the app is returning 500s because a critical query references a column that no longer exists. The post-mortem always says the same thing: "We didn't connect the migration to the application code."

The problem compounds in data pipelines. A RENAME TABLE in an Alembic migration breaks three downstream dbt models, two Kafka consumers, and a Spark job — none of which are in the same repository. Existing CI tools catch syntax errors and test failures, but they have no awareness of structural compatibility between your schema and everything that depends on it.

SchemaGuard closes that gap by running in CI as a GitHub Action or local CLI. It diffs your branch against a base ref, classifies every schema change by severity, and fails the build before a breaking change can merge. No config files, no external services, no dependencies beyond the Python standard library — just a fast, transparent analysis of the diff that already exists in your PR.


✨ What It Catches

🗄️ SQL Migrations (Alembic, Django, Flyway, Liquibase, raw SQL)

Operation Severity
DROP TABLE 🔴 Critical
DROP COLUMN 🔴 Critical
TRUNCATE 🔴 Critical
RENAME COLUMN / RENAME TABLE 🟠 High
ALTER COLUMN ... TYPE 🟠 High
NOT NULL without DEFAULT 🟠 High
DROP CONSTRAINT / DROP PRIMARY KEY 🟠 High
DROP INDEX 🟡 Medium
DROP VIEW 🟡 Medium

📐 Python Data Models

Change Severity
Pydantic BaseModel field removed 🔴 Critical
SQLAlchemy Column removed 🔴 Critical
TypedDict key removed 🟠 High
@dataclass field removed 🟡 Medium
Pydantic validator removed 🟢 Low

📄 Schema Files

Change Severity
Avro field removed (.avsc) 🔴 Critical
Protobuf field removed (.proto) 🔴 Critical
JSON Schema required field removed 🟠 High
dbt column removed from schema.yml 🟠 High

🚀 Quick Start

GitHub Action

name: Schema Safety Check

on: [pull_request]

jobs:
  schemaguard:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 0
      - uses: Tahiram32/schemaguard@v0.1.0
        with:
          base-ref: origin/main
          format: github
          fail-on: high

CLI

pip install schema-guardian

# Diff current branch against origin/main
schemaguard --base origin/main

# Output as Markdown
schemaguard --base origin/main --format markdown

# Output as SARIF for GitHub Code Scanning
schemaguard --base origin/main --format sarif > results.sarif

# Generate a status badge
schemaguard --base origin/main --badge

⚙️ Configuration

All options are available as CLI flags and as GitHub Action inputs.

Flag / Input Default Description
--repo / repo $GITHUB_WORKSPACE Path to the repository root to scan
--base / base-ref origin/main Git ref to diff against
--format / format markdown Output format: text, json, markdown, github, sarif
--fail-on / fail-on high Minimum risk level for non-zero exit: none, low, medium, high, critical
--badge / badge false Write schemaguard-badge.svg to the repository root

Output Formats

  • text — plain-text summary for terminals
  • json — machine-readable JSON array of findings
  • markdown — GitHub-flavoured Markdown table (default)
  • github — GitHub Actions workflow commands (::error::, ::warning::)
  • sarifSARIF 2.1.0 for GitHub Code Scanning upload

🔬 How It Works

SchemaGuard operates in three independent analysis layers, each targeting a different class of schema artifact.

1. migration_analyzer — Runs git diff <base>...HEAD and extracts all changed SQL and migration files (.sql, Alembic versions/, Django migrations/, Flyway V*.sql, Liquibase changelogs). It then applies a set of pattern rules against the added lines to detect dangerous DDL operations ranked by severity.

2. model_analyzer — Parses the diff for changes to Python source files and identifies removed class attributes in BaseModel, DeclarativeBase/Column, TypedDict, and @dataclass definitions. Field removal is detected by comparing the set of defined names in the before/after snapshots of each class.

3. schema_file_analyzer — Handles structured schema formats: Avro (.avsc), Protobuf (.proto), JSON Schema (.json/.yaml with $schema), and dbt schema.yml. For each file type it parses the before/after states of changed files and computes structural diffs to detect removed fields, required properties, and column definitions.

All three analyzers produce a unified list of Finding objects with a file path, line number, description, and severity. The CLI aggregates these into the requested output format and exits with a non-zero code if any finding meets or exceeds the --fail-on threshold.


🗺️ Roadmap

  • SQL migration danger detection (DROP, RENAME, ALTER TYPE, NOT NULL)
  • Pydantic / SQLAlchemy / dataclass model analysis
  • Avro, Protobuf, JSON Schema file diffing
  • dbt schema.yml column change detection
  • SARIF output for GitHub Code Scanning
  • GitHub Action composite workflow
  • GraphQL schema change detection
  • Prisma schema support
  • Django model field analysis
  • Custom ignore rules via .schemaguardignore

❤️ Sponsor

If SchemaGuard saves you from a production incident, consider sponsoring continued development:

github.com/sponsors/Tahiram32


Contributing

See CONTRIBUTING.md for how to get started. All contributions are welcome — bug reports, feature requests, and pull requests.

License

MIT © 2026 Tahiram32 — see LICENSE for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

schema_guardian-0.1.0.tar.gz (14.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

schema_guardian-0.1.0-py3-none-any.whl (16.6 kB view details)

Uploaded Python 3

File details

Details for the file schema_guardian-0.1.0.tar.gz.

File metadata

  • Download URL: schema_guardian-0.1.0.tar.gz
  • Upload date:
  • Size: 14.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for schema_guardian-0.1.0.tar.gz
Algorithm Hash digest
SHA256 20eec5e501b11b16380b45f167aa58d7b295b66fc0adcb91df9d4460410a2c26
MD5 5f7d14826e977dfb21bf296b8626f88f
BLAKE2b-256 4dbbb1ed4dabe8bd3a8fa394b640bda77d3189e0ca781d199cb19b954005afde

See more details on using hashes here.

File details

Details for the file schema_guardian-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for schema_guardian-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 bc4db3b8adff19df988a2208cf5b64845612cd8ca72509c2fc632b2a7420005f
MD5 b9e6d7869622a87bb8e5a79e36ee11dd
BLAKE2b-256 b9f7b24c94d8c4f70f674043e424347c77510f47e88a1aab12673955b341b5a9

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page