Guardrails Library
100+ Guardrails Out of the Box
Get instant value from day one. Pre-built guardrails for reliability, quality, operational readiness, and security — no need to build from scratch.
Write once, enforce everywhere. Each guardrail runs on every PR and in AI coding workflows, turning standards into automated enforcement in minutes, not quarters.
Policies (6) | Guardrails (29)
container.no-latest
Devex Build And Ci
Prevents use of the :latest tag (explicit or implicit) in base images. Using :latest creates non-reproducible builds and makes debugging difficult.
container.stable-tags
Devex Build And Ci
Requires base images to use stable tags: digests (sha256:...) or full semver (1.2.3). Partial versions like "node:20" can change unexpectedly and break builds.
container.allowed-registries
Devex Build And Ci
Restricts base images to approved container registries only. Prevents supply chain attacks from untrusted image sources.
container.required-labels
Devex Build And Ci
Ensures Dockerfiles include required OCI labels for traceability. Common labels: org.opencontainers.image.source, version, maintainer.
container.healthcheck
Devex Build And Ci
Requires a HEALTHCHECK instruction in the final stage of multi-stage builds. Enables container orchestrators to detect and restart unhealthy containers.
container.user
Devex Build And Ci
Requires a USER instruction to run the container as a non-root user. Running as root inside containers is a security risk and violates least privilege.
coverage.collected
Testing And Quality
Verifies that code coverage data is being collected. Catches misconfigurations where coverage tools are not running or uploading.
coverage.reported
Testing And Quality
Ensures that a coverage percentage is available and reported. Fails if coverage runs but the percentage metric is not captured.
coverage.min-coverage
Testing And Quality
Enforces a minimum code coverage threshold (default 80%). Fails when coverage percentage is below the configured minimum.
dependencies.min-versions
Security And Compliance
Ensures dependencies meet minimum safe version requirements. Validates that project dependencies are at or above specified versions to enforce security patches and compatibility standards.
linter.ran
Testing And Quality
Ensures linting was executed for the specified language. Fails if no lint data is found, indicating the linter was not configured or did not run.
linter.max-warnings
Testing And Quality
Ensures lint warnings are at or below the maximum allowed threshold. Validates that the codebase maintains acceptable lint warning counts.
readme.readme-exists
Repository And Ownership
Verifies that a `README.md` or `README` file exists in the repository root. Every repository should have basic documentation for discoverability.
readme.readme-min-line-count
Repository And Ownership
Requires the README to have a minimum number of lines (default 25). Prevents placeholder READMEs that lack useful information.
readme.readme-required-sections
Repository And Ownership
Ensures the README contains required section headings (e.g., Installation, Usage). Configurable via the required_sections input parameter.
vcs.branch-protection-enabled
Repository And Ownership
Requires branch protection rules to be enabled on the default branch. Branch protection is the foundation for all other VCS security controls.
vcs.require-pull-request
Repository And Ownership
Requires all changes to go through pull requests before merging. Prevents direct pushes to protected branches without review.
vcs.minimum-approvals
Repository And Ownership
Enforces a minimum number of approving reviews before merge (default 1). Configurable via the min_approvals input for stricter requirements.
vcs.require-codeowner-review
Repository And Ownership
Requires approval from designated code owners defined in the CODEOWNERS file. Ensures domain experts review changes to critical paths.
vcs.dismiss-stale-reviews
Repository And Ownership
Automatically dismisses approvals when new commits are pushed to a PR. Prevents merging on outdated approvals after significant changes.
vcs.require-status-checks
Repository And Ownership
Requires CI status checks to pass before merging pull requests. Prevents merging code that fails tests or linting.
vcs.require-branches-up-to-date
Repository And Ownership
Requires PR branches to be up-to-date with the base branch before merging. Prevents merging stale branches that may have integration issues.
vcs.disallow-force-push
Repository And Ownership
Prohibits force pushes to protected branches to preserve commit history. Force pushes can destroy audit trails and cause data loss.
vcs.disallow-branch-deletion
Repository And Ownership
Prevents deletion of protected branches (typically main/master). Protects against accidental or malicious branch removal.
vcs.require-linear-history
Repository And Ownership
Enforces linear commit history by requiring squash or rebase merges. Makes git history cleaner and easier to bisect for debugging.
vcs.require-signed-commits
Repository And Ownership
Requires all commits to be GPG- or SSH-signed for authenticity verification. Proves commits were made by the claimed author.
vcs.require-private
Repository And Ownership
Ensures repository visibility is set to private, not public. Prevents accidental exposure of proprietary code.
vcs.require-default-branch
Repository And Ownership
Validates the default branch name matches the required name (default "main"). Helps standardize branch naming across repositories.
vcs.allowed-merge-strategies
Repository And Ownership
Restricts merge strategies to an allowed list (merge, squash, rebase). Enforces consistent merge practices across the organization.
How Integrations Power Guardrails
Integrations Gather Data
Collectors and catalogers automatically extract metadata from your codebase, CI/CD pipelines, and external systems
Guardrails Enforce Standards
Guardrails evaluate the collected data and provide real-time feedback in PRs and AI workflows
Need a Custom Guardrail?
Build your own collectors and policies with simple Bash and Python scripts. Enforce any engineering standard specific to your organization.
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.