Make Flyway Callback Scripts Verifiable and Immutable, Like Versioned Migrations
After reading this article, I have a suggestion:
https://www.red-gate.com/hub/product-learning/flyway/simple-safeguards-for-powershell-scripting-with-flyway?topic=audit-and-compliance
Flyway's versioned migrations are reliably tracked and secured through the flyway_schema_history table with checksums. This provides strong immutability, auditability, and tamper detection.
However, callback scripts (like beforeMigrate.ps1, afterClean.sql) — which are executed automatically — are not checksummed or protected. They can be modified, injected, or reordered without Flyway detecting any change. This creates a critical security gap, especially in CI/CD and regulated environments.
Problem Summary:
Callbacks are executed without validation.
No checksums or signatures exist for callback or helper scripts.
A malicious script (e.g. beforeMigrate_000backdoor.ps1) can run before any in-script "security check" — defeating defense attempts.
Flyway provides no native mechanism to enforce validation or immutability of these files.
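Until Flyway covers callbacks natively, the gap above can be closed outside Flyway: a CI step that keeps its own SHA-256 manifest of every file in a migrations location and refuses to run `flyway migrate` when anything was added, removed or edited. The following is an added example written for this post, not Flyway's or Redgate's code; the function names, the manifest layout, the subset of callback event prefixes and the sample files are all this example's own assumptions. It runs the check against constructed files, then tampers with them (edits beforeMigrate.ps1 and drops in an extra callback-shaped file) to show what the verifier reports.

```python
"""Added example: detect tampering with Flyway callback and helper scripts.

Flyway checksums versioned migrations in flyway_schema_history but not
callbacks, so this independent check (meant for CI, before `flyway migrate`,
never as a callback itself) keeps its own SHA-256 manifest of every file in
a migrations location and fails when a file was added, removed or modified
since the manifest was committed. Function names, manifest layout and the
sample files are this example's assumptions, not Flyway's.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Flyway callback event prefixes (an illustrative subset, not the full list).
CALLBACK_EVENTS = (
    "beforeMigrate", "beforeEachMigrate", "afterEachMigrate", "afterMigrate",
    "beforeClean", "afterClean", "beforeValidate", "afterValidate",
    "beforeRepair", "afterRepair", "beforeBaseline", "afterBaseline",
)
SCRIPT_SUFFIXES = (".sql", ".ps1")


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_callback(name: str) -> bool:
    """True if a file name has the shape Flyway would execute as a callback."""
    return name.endswith(SCRIPT_SUFFIXES) and name.startswith(CALLBACK_EVENTS)


def build_manifest(location: Path) -> dict:
    """Map each file (path relative to the location) to its SHA-256."""
    return {
        p.relative_to(location).as_posix(): sha256_file(p)
        for p in sorted(location.rglob("*")) if p.is_file()
    }


def verify(location: Path, manifest: dict) -> dict:
    """Compare the current directory state with the committed manifest."""
    current = build_manifest(location)
    added = sorted(set(current) - set(manifest))
    removed = sorted(set(manifest) - set(current))
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    return {
        "ok": not (added or removed or modified),
        "added": added,
        "removed": removed,
        "modified": modified,
        # New files Flyway would run automatically deserve a separate line in the report.
        "unexpected_callbacks": [f for f in added if looks_like_callback(Path(f).name)],
    }


def demo() -> dict:
    """Build a manifest for constructed sample files, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        loc = Path(tmp)
        (loc / "V1__create_accounts.sql").write_text("CREATE TABLE accounts (id INT);\n")
        (loc / "beforeMigrate.ps1").write_text("Write-Host 'pre-migration checks'\n")
        manifest = build_manifest(loc)
        # Simulate the manifest round-tripping through version control as JSON.
        manifest = json.loads(json.dumps(manifest))
        assert verify(loc, manifest)["ok"]

        # Constructed tampering: an edited callback, plus a new callback-shaped
        # file whose name sorts ahead of the legitimate beforeMigrate.ps1.
        (loc / "beforeMigrate.ps1").write_text("Write-Host 'edited'\n")
        (loc / "beforeMigrate__000_unexpected.ps1").write_text("Write-Host 'unexpected'\n")
        return verify(loc, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, `build_manifest` runs once when a change is reviewed and the resulting JSON is committed (or signed) alongside the scripts; the pipeline then calls `verify` against that manifest and aborts on anything other than `"ok": true`. Because the manifest is checked by the pipeline rather than by a callback, a script that sorts ahead of the legitimate beforeMigrate.ps1 is reported instead of getting a chance to run first.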