Schema diffs tell you what changed. A schema lockfile tells you whether the schema you committed is still the schema you are running.
Most teams detect schema drift by comparing two SQL dumps and eyeballing the diff. That works for planned migrations, but it is noisy for CI gates. A dump can change for reasons that do not matter: column order, indentation, comment formatting, or environment-specific defaults like CURRENT_TIMESTAMP. You end up reviewing diff noise instead of real drift.
Today we are shipping the Schema Lockfile Generator. It turns any SQL schema dump into a deterministic SHA-256 fingerprint. Commit the lockfile, run the generated verification script in CI, and fail the build when the schema drifts from the agreed state.
What a schema lockfile gives you: a single hash that represents the canonical shape of your database. Regenerate it whenever you intentionally change the schema. Your CI pipeline verifies the hash on every push and rejects unexpected drift.
A text diff of two SQL dumps is useful for human review, but it makes a poor gate. These common situations create false positives:
DEFAULT CURRENT_TIMESTAMP or DEFAULT gen_random_uuid() differ between local and CI dumps.A lockfile solves this by canonicalizing the schema before hashing. It removes comments, lowercases keywords, sorts tables and indexes alphabetically, optionally sorts columns within each table, and strips environment-specific defaults. The result is a stable fingerprint that only changes when the actual schema shape changes.
Open the Schema Lockfile Generator, paste your schema dump, and click Generate lockfile. You get:
The generator supports PostgreSQL, MySQL, SQLite, SQL Server, and Oracle. Everything parses in your browser, so your schema dump never leaves your machine unless you choose to run the optional CI script.
Here is what a generated schema.lock looks like for a small application:
{
"version": 1,
"generator": "https://schemalens.tech/tools/schema-lockfile-generator.html",
"project": "blog",
"dialect": "postgres",
"generatedAt": "2026-07-07T20:00:00.000Z",
"hashAlgorithm": "sha256",
"hash": "a3f7c2...",
"options": {
"sortColumns": true,
"stripDefaults": true
},
"tables": 2,
"columns": 8,
"indexes": 2,
"normalizedBytes": 412
}
The hash is the only value your CI pipeline needs to check. The metadata is there to make the lockfile human-readable and debuggable.
The generator produces a complete workflow. Save it as .github/workflows/schema-verify.yml, commit db/schema.sql and schema.lock, and the workflow regenerates the canonical hash on every PR that touches either file:
name: Schema Lockfile Verification
on:
push:
paths: ['db/schema.sql', 'schema.lock']
pull_request:
paths: ['db/schema.sql', 'schema.lock']
jobs:
verify-schema-lock:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Verify schema fingerprint
run: |
EXPECTED_HASH="a3f7c2..."
CANONICAL=$(node -e '/* canonicalization script */')
ACTUAL_HASH=$(printf '%s' "$CANONICAL" | sha256sum | awk '{print $1}')
if [ "$ACTUAL_HASH" != "$EXPECTED_HASH" ]; then
echo "โ Schema drift detected. Regenerate schema.lock."
exit 1
fi
echo "โ
Schema fingerprint matches."
If someone changes db/schema.sql without updating the lockfile, the build fails. If the change is intentional, the developer regenerates the lockfile and commits it alongside the migration.
The lockfile is not a replacement for semantic schema diffing. It is a complement. Use each for the right job:
Teams that use both get the best of both worlds: a lightweight, deterministic gate in CI and a detailed review tool for the migrations that are supposed to change the schema.
The lockfile generator joins the rest of the SchemaLens CI/CD toolkit:
You can generate your first schema lockfile in under a minute:
CREATE TABLE dump or click Load sample schemaschema.lock and copy the CI verification scriptGenerate a deterministic schema.lock fingerprint and CI verification script in one click.
Open Schema Lockfile GeneratorSchemaLens is a browser-based SQL schema diff tool with a free GitHub Action, GitLab/CircleCI/Jenkins/Bitbucket/Azure DevOps support, an MCP server for AI agents, 80+ micro-tools, and a Team plan for shared workspaces. Built in public.