Hamburger Cross Icon
ArgoCD Guardrails - Lunar Policy for Deployment And Infrastructure

ArgoCD Guardrails

ArgoCD-specific guardrails over the argocd collector's data: validate Application, ApplicationSet, and AppProject manifests against the argoproj CRD schemas, and require scoped (non-default) AppProjects. Pairs with the tool-agnostic gitops policy set for the cross-tool checks.

Add argocd to your lunar-config.yml:
uses: github://earthly/lunar-lib/policies/argocd@v1.0.5

Included Guardrails

This policy includes 2 guardrails that enforce standards for your deployment and infrastructure.

Guardrail

valid

Validates that all ArgoCD manifests (Applications, ApplicationSets, and AppProjects) conform to the argoproj CRD schemas. Invalid manifests can silently fail to sync or behave unexpectedly once applied to the cluster.

argocd manifest validation argoproj crd schema
View Guardrail
Guardrail

non-default-project

Requires Applications to belong to a named AppProject rather than the permissive built-in default project, and (optionally) to a project on an allow-list. Scoped AppProjects bound what an Application may deploy and where — an ArgoCD-specific tenancy boundary.

argocd appproject default project least privilege tenancy
View Guardrail

How Guardrails Fit into Lunar

Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.

Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
Guardrails Enforce Standards This Policy
Real-time feedback in PRs and AI workflows

Required Integrations

This policy evaluates data gathered by one or more of the following integration(s). Make sure to enable them in your lunar-config.yml.

Configuration

Configure this policy in your lunar-config.yml.

Inputs

Input Required Default Description
allowed_projects Required Comma-separated allow-list of AppProject names for non-default-project. Empty means only enforce that the project is not `default`.

Documentation

View on GitHub

ArgoCD Guardrails

Enforces ArgoCD-specific GitOps hygiene: valid argoproj manifests and scoped AppProjects.

Overview

This policy holds the checks that only make sense for ArgoCD specifically — the ones tied to ArgoCD's CRD model rather than GitOps in general. It validates Applications, ApplicationSets, and AppProjects against the argoproj CRD schemas, and requires Applications to run under a scoped (non-default) AppProject. It reads data parsed by the argocd collector and pairs with the tool-agnostic gitops policy set, which covers the cross-tool checks (sync policy, source/destination allow-lists, adoption coverage). Apply both together for full ArgoCD coverage.

Policies

This plugin provides the following guardrails (use include to select a subset):

Policy Description Failure Meaning
valid Validates manifests against the argoproj CRD schemas An Application/ApplicationSet/AppProject manifest is malformed or schema-invalid
non-default-project Requires a named (non-default) AppProject, optionally allow-listed Application uses the default AppProject or one outside the allow-list

Required Data

This policy reads from the following Component JSON paths:

Path Type Provided By
.cd.gitops.applications[].valid boolean argocd collector
.cd.gitops.applications[].project string argocd collector
.cd.gitops.projects[] array argocd collector
.cd.gitops.native.argocd object argocd collector

Note: Ensure the argocd collector is configured before enabling this policy.

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/argocd@v1.0.0
    on: [gitops]

policies:
  # ArgoCD-specific checks
  - uses: github://earthly/lunar-lib/policies/argocd@v1.0.0
    on: [gitops]
    enforcement: report-pr
    # with:
    #   allowed_projects: "platform,payments"

  # Tool-agnostic GitOps checks (recommended alongside)
  - uses: github://earthly/lunar-lib/policies/gitops@v1.0.0
    on: [gitops]
    enforcement: report-pr

Examples

Passing Example

A schema-valid Application on a scoped (non-default) AppProject:

{
  "cd": {
    "gitops": {
      "applications": [
        {
          "name": "payment-api",
          "path": "apps/payment-api.yaml",
          "valid": true,
          "project": "platform"
        }
      ]
    }
  }
}

Failing Example

A schema-invalid Application on the default AppProject:

{
  "cd": {
    "gitops": {
      "applications": [
        {
          "name": "my-app",
          "path": "apps/my-app.yaml",
          "valid": false,
          "project": "default"
        }
      ]
    }
  }
}

Failure messages:

  • apps/my-app.yaml: Application 'my-app' is not a valid argoproj resource
  • apps/my-app.yaml: Application 'my-app' uses the 'default' AppProject; use a scoped project

Remediation

When this policy fails, resolve it by:

  1. For valid failures: Fix the malformed field flagged in the message so the resource conforms to the argoproj CRD schema (e.g. correct an apiVersion, a required spec field, or a mistyped key).
  2. For non-default-project failures: Create or assign a scoped AppProject for the Application instead of default (and add it to allowed_projects if an allow-list is configured).

Consumers who want these surfaced without blocking can pin enforcement: report-pr at config time.

Open Source

This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.

View Repository

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo