Earthly Lunar + OPA: Better Together

Use both tools for comprehensive policy enforcement across your entire SDLC, from pull requests to production deployments

Supercharge Your Existing Setup

Earthly Lunar

Shift Left: Feedback in PRs
  • ✓ Immediate feedback in pull requests
  • ✓ Technology-agnostic data collection
  • ✓ Works across entire SDLC
  • ✓ Supports Python & Rego guardrails
  • ✓ 100+ pre-built guardrails
Works seamlessly with

Open Policy Agent

Deployment & Runtime Enforcement
  • ✓ Proven admission control
  • ✓ Commonly used for K8s & IaC
  • ✓ Rego policy language
  • ✓ Large ecosystem & community
  • ✓ Production-proven at scale

The Best of Both Worlds

Lunar catches policy violations before code is merged, giving developers immediate, contextual feedback. OPA provides the final enforcement layer at deployment time, ensuring nothing reaches production that shouldn't.

Why Shift Left Matters

✅ Early Detection
❌ Late Detection

Lunar: Pull Request

Minutes after commit

Developer sees feedback immediately, in context, while they're still working on the feature

Cost: Quick fix, same PR

OPA: Admission Control

Days later

Deployment blocked at the gate, team scrambling, release delayed

Cost: Deployment delay, urgent fix blocked

Production Incident

Weeks later

Issue made it to production, causing outage or security incident

Cost: Incident response, postmortem, revenue loss

Side-by-Side Comparison

Primary Use Case
  • Earthly Lunar: SDLC-wide standards enforcement with PR-level feedback
  • Open Policy Agent (OPA): General-purpose policy engine (commonly used for K8s admission control, IaC validation, API authorization)

Feedback Timing
  • Earthly Lunar: Real-time in PRs (minutes after commit)
  • Open Policy Agent (OPA): In CI or deployment-time (depends on integration: Conftest in CI vs. cluster admission control)

Technology Coverage
  • Earthly Lunar: Any technology (Docker, K8s, Terraform, code, CI/CD, etc.)
  • Open Policy Agent (OPA): General-purpose; most commonly used for K8s, Terraform, microservices, and API gateways

Data Collection
  • Earthly Lunar: Automatic collectors for code, config files, CI/CD processes
  • Open Policy Agent (OPA): Evaluates data provided to it. Doesn't crawl SDLC.

Policy Language
  • Earthly Lunar: Python (easy) or Rego (compatible with OPA)
  • Open Policy Agent (OPA): Rego (declarative, learning curve)

Pre-built Guardrails
  • Earthly Lunar: 100+ guardrails across security, compliance, infrastructure
  • Open Policy Agent (OPA): Community library available

Developer Experience
  • Earthly Lunar: Contextual, immediate feedback in PR comments
  • Open Policy Agent (OPA): Admission denials via K8s API response. In CI, tools like Conftest/Actions work per repo (or via shared workflows that repos must opt into).

Instrumentation
  • Earthly Lunar: Central: 1-click GitHub App + 1-line CI agent
  • Open Policy Agent (OPA): Per-cluster/environment setup. CI feedback requires either repo-by-repo integration or shared CI templates that each repo must adopt and keep up to date.

Component Classification
  • Earthly Lunar: Central cataloger detects which repos/components are sensitive or production-critical (via IDP/GitHub/custom classifiers), then applies guardrails accordingly. No per-repo wiring or template plumbing required.
  • Open Policy Agent (OPA): No built-in classification. Requires per-repo configuration or custom tooling to determine component criticality.

Best For
  • Earthly Lunar: Platform teams wanting to shift left & prevent incidents
  • Open Policy Agent (OPA): Final enforcement gate for K8s & infrastructure deployments

The takeaway: These tools complement each other perfectly

Lunar provides early developer feedback. OPA provides final production safety and runtime authorization.

Integration Approaches

1. Migrate OPA Policies to Lunar Guardrails

Port your existing OPA policies to Lunar guardrails and get PR-level feedback instead of deployment-time blocks.

  • Keep your existing policy logic
  • Gain early feedback in PRs
  • Reduce deployment friction

Best for: Teams frustrated with deployment-time surprises, with basic OPA setups

3. Enhance OPA with Lunar Data

Keep OPA as your main enforcement tool, but feed it richer context from Lunar's SDLC data collection.

  • Richer policy decisions
  • Keep existing OPA setup
  • Add SDLC context to policies

Best for: Teams heavily invested in OPA who want to apply it to more areas of the SDLC

💡 Maximum Value: Combine Approaches 2 & 3

Get the best of both worlds: Use Lunar to provide early PR feedback to developers (approach #2), while feeding Lunar's rich SDLC data into OPA for more intelligent policy decisions (approach #3). This gives you defense in depth with enhanced context—developers get helpful guidance early, and your final enforcement gate makes smarter decisions with better data.

Frequently Asked Questions

Can I run my existing OPA policies in Lunar?

Yes! Lunar supports Rego policies natively. If your policies expect standard K8s AdmissionReview or Terraform plan JSON shapes, they'll typically run as-is. Otherwise, you may need a small input-mapping wrapper. You'll get PR-level feedback instead of deployment-time blocks.

Can Lunar enforce policies at deployment time like OPA?

Yes! Lunar supports multiple enforcement levels including "block-deploy" which prevents production deployments. However, its key strength is providing earlier feedback in PRs.

Can Lunar collect data that OPA can't?

Strictly speaking, OPA can evaluate any JSON data you feed it, but it has no capability of its own to collect that data from your SDLC. Lunar adds a built-in collector system and a central Component JSON, so you get that SDLC data without building your own crawlers and wiring.

Do I need to choose between Lunar and OPA?

No! They work great together. Most customers use Lunar for early PR feedback and keep OPA as their final production gate. This gives you defense in depth and the best developer experience.

How does Lunar know which repos need stricter guardrails?

Lunar's central cataloger automatically detects which repositories are sensitive or production-critical by integrating with your existing catalog information — such as an IDP (Internal Developer Portal), GitHub metadata, or custom classifiers.

Once classified and tagged, the appropriate guardrails can be applied globally per-tag — no need to configure each repo individually or maintain templates across thousands of repositories.

Can’t we just use OPA in CI to provide PR feedback?

You can, and it works fine for repo-local checks. The issue is scale: OPA-in-CI still needs per-repo wiring and doesn't know which repos are production-critical. It gives you PR-by-PR feedback, but it does not, by itself, give you a PR-centric, SDLC-wide control plane or an org-wide guardrail view; you have to build that around it.

Lunar adds that missing layer — catalog-aware targeting, built-in SDLC data collection, centralized rollout/enforcement, and unified visibility — so guardrails (including Rego policies) are applied consistently to the right repos.

Ready to Shift Left?

Start catching policy violations in PRs, not at deployment time.
See how Lunar guardrails can automate your existing OPA workflows and manual processes.