Guardrails Library
100+ Guardrails Out of the Box
Get instant value from day one. Pre-built guardrails for reliability, quality, operational readiness, and security — no need to build from scratch.
Write once, enforce everywhere. Each guardrail runs on every PR and in AI coding workflows, turning standards into automated enforcement in minutes, not quarters.
Policies
24Guardrails
118ai-use.instruction-file-exists
Devex Build And Ci
Verifies that an agent instruction file exists at the repository root. Passes if any recognized file is found (AGENTS.md, CLAUDE.md, GEMINI.md, CODEX.md).
ai-use.canonical-naming
Devex Build And Ci
Verifies the root instruction file uses the canonical vendor-neutral name (AGENTS.md by default). Repos with only CLAUDE.md pass the existence check but fail this naming check.
ai-use.instruction-file-length
Devex Build And Ci
Validates that the root instruction file is within reasonable length bounds. Too short means insufficient context; too long wastes context window budget and can reduce AI task success rates.
ai-use.instruction-file-sections
Devex Build And Ci
Ensures the root instruction file contains required section headings. Validates that essential information like project overview and build commands is documented for AI agents.
ai-use.symlinked-aliases
Devex Build And Ci
Verifies that CLAUDE.md symlinks exist alongside AGENTS.md files. Claude Code does not support the AGENTS.md filename natively, so a symlink is required for compatibility. Other tools (Gemini, Codex) support AGENTS.md directly.
ai-use.plans-dir-exists
Devex Build And Ci
Verifies that a dedicated plans directory exists for AI agent task planning. A dedicated directory keeps AI-generated plans organized and reviewable.
ai-use.ai-cli-safe-flags
Devex Build And Ci
Ensures AI CLI tools running in CI do not use dangerous permission-bypassing flags. Flags like --dangerously-skip-permissions (Claude), --yolo (Codex/Gemini), and --sandbox danger-full-access (Codex) remove safety guardrails.
ai-use.ai-cli-structured-output
Devex Build And Ci
Ensures AI CLI tools in CI headless mode use structured JSON output instead of plain text. JSON output makes AI automation deterministic and parseable.
ai-use.ai-authorship-annotated
Devex Build And Ci
Verifies that commits include AI authorship annotations. Supports the Git AI standard (usegitai.com) for automated line-level tracking and git trailers as a lightweight manual alternative.
codeowners.exists
Repository And Ownership
Requires a CODEOWNERS file to be present in the repository. Checks standard locations: root, .github/, or docs/.
codeowners.valid
Repository And Ownership
Validates that the CODEOWNERS file has correct syntax. Checks that all owner references use valid formats (@user, @org/team, or email).
codeowners.catchall
Repository And Ownership
Requires a default catch-all rule (*) in CODEOWNERS so that every file in the repository has at least one owner.
codeowners.min-owners
Repository And Ownership
Ensures each CODEOWNERS rule has a minimum number of owners for redundancy. Configurable via the min_owners_per_rule input.
codeowners.team-owners
Repository And Ownership
Requires at least one team-based owner (@org/team) in the CODEOWNERS file for better ownership continuity.
codeowners.no-individuals-only
Repository And Ownership
Ensures each CODEOWNERS rule includes at least one team owner, not just individual users. Stricter than team-owners which only checks that teams exist somewhere in the file.
codeowners.no-empty-rules
Repository And Ownership
Flags CODEOWNERS rules that have no owners assigned, which effectively un-assigns ownership for matching files.
codeowners.max-owners
Repository And Ownership
Flags CODEOWNERS rules with too many owners. Excessive owners often means diffused responsibility where nobody truly owns the code. Configurable via the max_owners_per_rule input.
compliance-docs.dr-plan-exists
Operational Readiness
Verifies that a disaster recovery plan exists in the repository. Every production service should have documented recovery procedures to ensure teams can respond effectively during outages.
compliance-docs.dr-plan-rto-rpo-defined
Operational Readiness
Requires that Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined in the DR plan. These targets establish clear expectations for acceptable downtime and data loss during disasters.
compliance-docs.dr-plan-required-sections
Operational Readiness
Ensures the DR plan contains required section headings covering key recovery topics. Configurable via the plan_required_sections input.
compliance-docs.dr-exercise-recent
Operational Readiness
Ensures a DR exercise (tabletop, failover, or full) was conducted within the configured threshold (default: 365 days). Checks the most recent exercise record in the exercises directory.
compliance-docs.dr-exercise-required-sections
Operational Readiness
Ensures the most recent DR exercise record contains required section headings documenting what was tested and the outcomes. Configurable via the exercise_required_sections input.
container.no-latest
Devex Build And Ci
Prevents use of the :latest tag (explicit or implicit) in base images. Using :latest creates non-reproducible builds and makes debugging difficult.
container.stable-tags
Devex Build And Ci
Requires base images to use stable tags: digests (sha256:...) or full semver (1.2.3). Partial versions like "node:20" can change unexpectedly and break builds.
container.allowed-registries
Devex Build And Ci
Restricts base images to approved container registries only. Prevents supply chain attacks from untrusted image sources.
container.required-labels
Devex Build And Ci
Ensures containers have required labels, checking both Dockerfile LABEL instructions and docker build --label flags. A label present in either source satisfies the requirement.
container.healthcheck
Devex Build And Ci
Requires a HEALTHCHECK instruction in the final stage of multi-stage builds. Enables container orchestrators to detect and restart unhealthy containers.
container.user
Devex Build And Ci
Requires a USER instruction to run the container as a non-root user. Running as root inside containers is a security risk and violates least privilege.
container.build-tagged
Devex Build And Ci
Requires container builds to use an explicit image tag via -t/--tag. Untagged builds produce anonymous images that cannot be tracked or deployed.
container-scan.executed
Security And Compliance
Verifies that container scanning was executed on the component. Fails if no scanner has written to .container_scan.
container-scan.max-severity
Security And Compliance
Ensures no findings at or above the configured severity threshold. Configure min_severity to set the threshold (critical, high, medium, low).
container-scan.max-total
Security And Compliance
Ensures total container vulnerabilities are under a configurable threshold.
dependencies.min-versions
Security And Compliance
Ensures dependencies meet minimum safe version requirements. Validates that project dependencies are at or above specified versions to enforce security patches and compatibility standards.
feature-flags.feature-flags-age
Testing And Quality
Detects feature flags that have existed longer than a configurable threshold. Feature flags should be temporary and removed once a feature is fully rolled out. Stale flags add complexity and technical debt to the codebase.
golang.go-mod-exists
Devex Build And Ci
Ensures the project has a go.mod file for module management. Required for all Go projects using modules.
golang.go-sum-exists
Devex Build And Ci
Ensures the project has a go.sum file for dependency verification. Required for reproducible builds.
golang.min-go-version
Devex Build And Ci
Ensures the project uses at least the minimum required Go version. Helps maintain security and compatibility standards.
golang.min-go-version-cicd
Devex Build And Ci
Ensures the Go version used in CI/CD commands meets the minimum required version. Helps maintain security and compatibility standards for build environments.
golang.tests-recursive
Devex Build And Ci
Ensures tests run recursively (./...) to cover all packages. Prevents accidentally missing tests in subpackages.
golang.vendoring
Devex Build And Ci
Enforces vendoring policy - can require vendor directory exists or forbid it, depending on team standards.
iac.valid
Deployment And Infrastructure
Validates that all IaC configuration files are syntactically correct. Invalid configurations will fail deployment.
iac.waf-protection
Deployment And Infrastructure
Requires WAF protection for internet-facing services. Checks each IaC module for public resources and verifies WAF is configured.
iac.datastore-destroy-protection
Deployment And Infrastructure
Ensures stateful resources (databases, storage buckets, caches) have lifecycle { prevent_destroy = true } to prevent accidental data loss.
iac.resource-destroy-protection
Deployment And Infrastructure
Ensures stateless infrastructure resources (EC2 instances, load balancers, networking) have lifecycle { prevent_destroy = true } to prevent accidental destruction of critical infrastructure.
iac-scan.executed
Security And Compliance
Verifies that IaC scanning was executed on the component. Fails if no scanner has written to .iac_scan.
iac-scan.max-severity
Security And Compliance
Ensures no findings at or above the configured severity threshold. Configure min_severity to set the threshold (critical, high, medium, low).
iac-scan.max-total
Security And Compliance
Ensures total IaC findings are under a configurable threshold.
java.build-tool-wrapper-exists
Devex Build And Ci
Ensures a build tool wrapper exists (mvnw for Maven projects, gradlew for Gradle projects). Wrappers ensure reproducible builds without requiring a pre-installed build tool.
java.min-java-version
Devex Build And Ci
Ensures the Java version configured in the build file meets the minimum requirement. Checks pom.xml or build.gradle for the target Java version.
java.min-maven-version
Devex Build And Ci
Ensures the Maven version used in CI/CD commands meets the minimum requirement. Helps maintain build tool security and compatibility.
java.min-gradle-version
Devex Build And Ci
Ensures the Gradle version used in CI/CD commands meets the minimum requirement. Helps maintain build tool security and compatibility.
java.tests-all-modules
Devex Build And Ci
Ensures tests run across all modules rather than a subset. Prevents accidentally skipping tests in multi-module projects.
k8s.valid
Deployment And Infrastructure
Validates that all Kubernetes manifests in the repository are syntactically correct and conform to K8s schema. Invalid manifests will fail deployment.
k8s.requests-and-limits
Deployment And Infrastructure
Ensures all containers have CPU and memory requests and limits defined. Missing resource specs can cause scheduling failures and noisy neighbor issues.
k8s.probes
Deployment And Infrastructure
Requires liveness and readiness probes on all containers. Probes enable Kubernetes to detect unhealthy pods and route traffic correctly.
k8s.min-replicas
Deployment And Infrastructure
Enforces minimum replica counts on HorizontalPodAutoscalers. Ensures services maintain capacity during scaling events and failures.
k8s.pdb
Deployment And Infrastructure
Requires PodDisruptionBudgets for Deployments and StatefulSets. PDBs protect availability during voluntary disruptions like node drains.
k8s.non-root
Deployment And Infrastructure
Requires containers to run as non-root users via securityContext. Running as root inside containers violates least privilege principles.
linter.ran
Testing And Quality
Ensures linting was executed for the specified language. Fails if no lint data is found, indicating the linter was not configured or did not run.
linter.max-warnings
Testing And Quality
Ensures lint warnings are at or below the maximum allowed threshold. Validates that the codebase maintains acceptable lint warning counts.
nodejs.lockfile-exists
Devex Build And Ci
Ensures a package lockfile exists (package-lock.json, yarn.lock, or pnpm-lock.yaml). Lockfiles are essential for reproducible builds and dependency integrity.
nodejs.typescript-configured
Devex Build And Ci
Ensures TypeScript is configured via tsconfig.json. TypeScript provides type safety and improved developer experience.
nodejs.engines-pinned
Devex Build And Ci
Ensures the engines.node field is set in package.json. Pinning the Node.js engine version prevents compatibility issues across environments.
nodejs.min-node-version
Devex Build And Ci
Ensures the Node.js version detected in the project meets the minimum required version. Helps maintain security and compatibility standards.
nodejs.min-node-version-cicd
Devex Build And Ci
Ensures the Node.js version used in CI/CD commands meets the minimum required version. Helps maintain security and compatibility standards for build environments.
python.lockfile-exists
Devex Build And Ci
Ensures the project has a dependency lockfile (poetry.lock, Pipfile.lock, or pinned requirements.txt) for reproducible builds.
python.linter-configured
Devex Build And Ci
Ensures a Python linter is configured (ruff, flake8, or pylint). Linters catch bugs and enforce consistent code style.
python.min-python-version
Devex Build And Ci
Ensures the project uses at least the minimum required Python version. Helps maintain security and compatibility standards.
python.min-python-version-cicd
Devex Build And Ci
Ensures the Python version used in CI/CD commands meets the minimum required version for build environments.
readme.readme-exists
Repository And Ownership
Verifies that a `README.md` or `README` file exists in the repository root. Every repository should have basic documentation for discoverability.
readme.readme-min-line-count
Repository And Ownership
Requires the README to have a minimum number of lines (default 25). Prevents placeholder READMEs that lack useful information.
readme.readme-required-sections
Repository And Ownership
Ensures the README contains required section headings (e.g., Installation, Usage). Configurable via the required_sections input parameter.
rust.cargo-toml-exists
Devex Build And Ci
Ensures the project has a Cargo.toml file for crate configuration. Required for all Rust projects.
rust.cargo-lock-exists
Devex Build And Ci
Ensures the project has a Cargo.lock file for dependency pinning. By default required for applications, skipped for libraries (following Cargo conventions). Configurable via lock_mode.
rust.min-rust-edition
Devex Build And Ci
Ensures the project uses at least the minimum required Rust edition. Editions enable new language features while preserving backward compatibility.
rust.min-rust-version-cicd
Devex Build And Ci
Ensures the Rust toolchain version used in CI/CD commands meets the minimum required version. Helps maintain security and compatibility standards for build environments.
rust.clippy-clean
Devex Build And Ci
Ensures clippy reports no warnings (or fewer than the configured threshold). Clippy catches common mistakes and enforces idiomatic Rust patterns.
rust.max-unsafe-blocks
Devex Build And Ci
Limits the number of unsafe blocks in the codebase. Unsafe code bypasses Rust's safety guarantees and should be minimized and carefully reviewed.
sast.executed
Security And Compliance
Verifies that SAST scanning was executed on the component. Fails if no scanner has written to .sast.
sast.max-severity
Security And Compliance
Ensures no findings at or above the configured severity threshold. Configure min_severity to set the threshold (critical, high, medium, low).
sast.max-total
Security And Compliance
Ensures total code findings are under a configurable threshold.
sbom.sbom-exists
Security And Compliance
Ensures an SBOM was generated, either automatically or detected in CI.
sbom.has-licenses
Security And Compliance
Verifies that SBOM components have license information populated. Fails if license coverage is below the configured threshold.
sbom.disallowed-licenses
Security And Compliance
Checks for disallowed licenses in SBOM components. Matches component licenses against configurable regex patterns.
sbom.min-components
Security And Compliance
Verifies the SBOM contains a minimum number of components. Catches trivially empty SBOMs that may indicate detection failures.
sbom.standard-format
Security And Compliance
Validates the SBOM uses an approved format (CycloneDX, SPDX). Auto-passes if no format restriction is configured.
sca.executed
Security And Compliance
Verifies that SCA scanning was executed on the component. Fails if no scanner has written to .sca.
sca.max-severity
Security And Compliance
Ensures no findings at or above the configured severity threshold. Configure min_severity to set the threshold (critical, high, medium, low).
sca.max-total
Security And Compliance
Ensures total vulnerabilities are under a configurable threshold.
terraform.provider-versions-pinned
Deployment And Infrastructure
Requires Terraform providers to specify version constraints in required_providers. Unpinned providers can introduce breaking changes unexpectedly.
terraform.module-versions-pinned
Deployment And Infrastructure
Requires Terraform modules to use pinned versions or commit SHAs. Unpinned modules make infrastructure deployments non-reproducible.
terraform.remote-backend
Deployment And Infrastructure
Requires Terraform to use a remote backend for state management. Local state files are fragile and cannot be shared across teams.
terraform.min-provider-versions
Deployment And Infrastructure
Enforces minimum version requirements for Terraform providers. Ensures providers meet security and compatibility baselines.
testing.executed
Testing And Quality
Ensures tests were executed in CI. Fails if no test execution data is found.
testing.passing
Testing And Quality
Ensures all tests pass. Fails if test pass/fail data is not available.
testing.coverage-collected
Testing And Quality
Ensures coverage data is being collected in CI. Fails if no coverage data is found.
testing.coverage-reported
Testing And Quality
Ensures coverage percentage is being reported. Fails if coverage runs but percentage is not captured.
testing.min-coverage
Testing And Quality
Enforces a minimum code coverage threshold (default 80%). Fails if coverage data is not available.
ticket.ticket-present
Devex Build And Ci
Ensures PRs reference an issue tracker ticket in the title.
ticket.ticket-valid
Devex Build And Ci
Ensures the referenced ticket exists and is valid in the issue tracker.
ticket.ticket-source
Devex Build And Ci
Ensures the ticket comes from an approved issue tracker.
ticket.ticket-status
Devex Build And Ci
Ensures the ticket is in an acceptable workflow status.
ticket.ticket-type
Devex Build And Ci
Ensures the ticket is an acceptable issue type.
ticket.ticket-reuse
Devex Build And Ci
Prevents teams from recycling the same ticket across too many PRs.
vcs.branch-protection-enabled
Repository And Ownership
Requires branch protection rules to be enabled on the default branch. Branch protection is the foundation for all other VCS security controls.
vcs.require-pull-request
Repository And Ownership
Requires all changes to go through pull requests before merging. Prevents direct pushes to protected branches without review.
vcs.minimum-approvals
Repository And Ownership
Enforces a minimum number of approving reviews before merge (default 1). Configurable via the min_approvals input for stricter requirements.
vcs.require-codeowner-review
Repository And Ownership
Requires approval from designated code owners defined in CODEOWNERS file. Ensures domain experts review changes to critical paths.
vcs.dismiss-stale-reviews
Repository And Ownership
Automatically dismisses approvals when new commits are pushed to a PR. Prevents merging outdated approvals after significant changes.
vcs.require-status-checks
Repository And Ownership
Requires CI status checks to pass before merging pull requests. Prevents merging code that fails tests or linting.
vcs.require-branches-up-to-date
Repository And Ownership
Requires PR branches to be up-to-date with the base branch before merging. Prevents merging stale branches that may have integration issues.
vcs.disallow-force-push
Repository And Ownership
Prohibits force pushes to protected branches to preserve commit history. Force pushes can destroy audit trails and cause data loss.
vcs.disallow-branch-deletion
Repository And Ownership
Prevents deletion of protected branches (typically main/master). Protects against accidental or malicious branch removal.
vcs.require-linear-history
Repository And Ownership
Enforces linear commit history by requiring squash or rebase merges. Makes git history cleaner and easier to bisect for debugging.
vcs.require-signed-commits
Repository And Ownership
Requires all commits to be GPG or SSH signed for authenticity verification. Proves commits were made by the claimed author.
vcs.require-private
Repository And Ownership
Ensures repository visibility is set to private, not public. Prevents accidental exposure of proprietary code.
vcs.require-default-branch
Repository And Ownership
Validates the default branch name matches the required name (default "main"). Helps standardize branch naming across repositories.
vcs.allowed-merge-strategies
Repository And Ownership
Restricts merge strategies to an allowed list (merge, squash, rebase). Enforces consistent merge practices across the organization.
How Integrations Power Guardrails
Integrations Gather Data
Collectors and catalogers automatically extract metadata from your codebase, CI/CD pipelines, and external systems
Guardrails Enforce Standards
Guardrails evaluate the collected data and provide real-time feedback in PRs and AI workflows
Need a Custom Guardrail?
Build your own collectors and policies with simple Bash and Python scripts. Enforce any engineering standard specific to your organization.
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
Infrastructure conventions
Post-mortem action items
Security & compliance policies
Testing & quality requirements