ArgoCD Guardrails
ArgoCD-specific guardrails over the argocd collector's data: validate Application, ApplicationSet, and AppProject manifests against the argoproj CRD schemas, and require scoped (non-default) AppProjects. Pairs with the tool-agnostic gitops policy set for the cross-tool checks.
argocd to your lunar-config.yml:uses: github://earthly/lunar-lib/policies/argocd@v1.0.5
Included Guardrails
This policy includes 2 guardrails that enforce standards for your deployment and infrastructure.
valid
Validates that all ArgoCD manifests (Applications, ApplicationSets, and AppProjects) conform to the argoproj CRD schemas. Invalid manifests can silently fail to sync or behave unexpectedly once applied to the cluster.
non-default-project
Requires Applications to belong to a named AppProject rather than the
permissive built-in default project, and (optionally) to a project on
an allow-list. Scoped AppProjects bound what an Application may deploy and
where — an ArgoCD-specific tenancy boundary.
How Guardrails Fit into Lunar
Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.
Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.
Learn How Lunar Works →Required Integrations
This policy evaluates data gathered by one or more of the following integration(s).
Make sure to enable them in your lunar-config.yml.
Configuration
Configure this policy in your lunar-config.yml.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
allowed_projects
|
Required | — | Comma-separated allow-list of AppProject names for non-default-project. Empty means only enforce that the project is not `default`. |
Documentation
View on GitHubArgoCD Guardrails
Enforces ArgoCD-specific GitOps hygiene: valid argoproj manifests and scoped AppProjects.
Overview
This policy holds the checks that only make sense for ArgoCD specifically — the ones tied to ArgoCD's CRD model rather than GitOps in general. It validates Applications, ApplicationSets, and AppProjects against the argoproj CRD schemas, and requires Applications to run under a scoped (non-default) AppProject. It reads data parsed by the argocd collector and pairs with the tool-agnostic gitops policy set, which covers the cross-tool checks (sync policy, source/destination allow-lists, adoption coverage). Apply both together for full ArgoCD coverage.
Policies
This plugin provides the following guardrails (use include to select a subset):
| Policy | Description | Failure Meaning |
|---|---|---|
valid |
Validates manifests against the argoproj CRD schemas | An Application/ApplicationSet/AppProject manifest is malformed or schema-invalid |
non-default-project |
Requires a named (non-default) AppProject, optionally allow-listed |
Application uses the default AppProject or one outside the allow-list |
Required Data
This policy reads from the following Component JSON paths:
| Path | Type | Provided By |
|---|---|---|
.cd.gitops.applications[].valid |
boolean | argocd collector |
.cd.gitops.applications[].project |
string | argocd collector |
.cd.gitops.projects[] |
array | argocd collector |
.cd.gitops.native.argocd |
object | argocd collector |
Note: Ensure the argocd collector is configured before enabling this policy.
Installation
Add to your lunar-config.yml:
collectors:
- uses: github://earthly/lunar-lib/collectors/argocd@v1.0.0
on: [gitops]
policies:
# ArgoCD-specific checks
- uses: github://earthly/lunar-lib/policies/argocd@v1.0.0
on: [gitops]
enforcement: report-pr
# with:
# allowed_projects: "platform,payments"
# Tool-agnostic GitOps checks (recommended alongside)
- uses: github://earthly/lunar-lib/policies/gitops@v1.0.0
on: [gitops]
enforcement: report-pr
Examples
Passing Example
A schema-valid Application on a scoped (non-default) AppProject:
{
"cd": {
"gitops": {
"applications": [
{
"name": "payment-api",
"path": "apps/payment-api.yaml",
"valid": true,
"project": "platform"
}
]
}
}
}
Failing Example
A schema-invalid Application on the default AppProject:
{
"cd": {
"gitops": {
"applications": [
{
"name": "my-app",
"path": "apps/my-app.yaml",
"valid": false,
"project": "default"
}
]
}
}
}
Failure messages:
apps/my-app.yaml: Application 'my-app' is not a valid argoproj resourceapps/my-app.yaml: Application 'my-app' uses the 'default' AppProject; use a scoped project
Remediation
When this policy fails, resolve it by:
- For
validfailures: Fix the malformed field flagged in the message so the resource conforms to the argoproj CRD schema (e.g. correct anapiVersion, a requiredspecfield, or a mistyped key). - For
non-default-projectfailures: Create or assign a scopedAppProjectfor the Application instead ofdefault(and add it toallowed_projectsif an allow-list is configured).
Consumers who want these surfaced without blocking can pin enforcement: report-pr at config time.
Open Source
This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
Common Use Cases
Explore how individual guardrails work with specific integrations.
Ready to Automate Your Standards?
See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.