Hamburger Cross Icon
Valid
+
ArgoCD Collector

Valid + ArgoCD Collector

Guardrail Collector Beta Deployment And Infrastructure

Enforce Valid using data collected by ArgoCD Collector. Automatically check deployment and infrastructure standards on every PR.

Guardrail: Validates that all ArgoCD manifests (Applications, ApplicationSets, and AppProjects) conform to the argoproj CRD schemas. Invalid manifests can silently fail to sync or behave unexpectedly once applied to the cluster.
Data Source: Parses and validates ArgoCD Application, ApplicationSet, and AppProject manifests against the argoproj CRD schemas and writes a normalized .cd.gitops view for the gitops and argocd policies. Works for a central GitOps repo or a service that ships its own ArgoCD files.

How ArgoCD Collector Powers This Guardrail

The ArgoCD Collector gathers metadata from your ci cd, orchestration systems. This data flows into Lunar's Component JSON, where the Valid guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
ArgoCD Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Valid Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
# Step 1: Enable the ArgoCD Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/argocd@v1.0.5
    # with: ...

# Step 2: Enable the ArgoCD Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/argocd@v1.0.5
    include: [valid]
    # with: ...

What ArgoCD Collector Collects

This collector gathers the following data that the Valid guardrail evaluates.

Collector code

parse

Scans the cloned repository for ArgoCD custom resources (argoproj.io/*), validates each against the argoproj CRD schemas, and writes a normalized, tool-agnostic view of the GitOps configuration, including:

  • Applications and ApplicationSets (project, sync policy, destination, source)
  • AppProjects (allowed source repos and destinations)
  • Schema validity of each resource
  • Whether Argo Rollouts (canary/blue-green) are referenced Raw, ArgoCD-specific resource shapes are preserved under .cd.gitops.native.argocd. Works for both a dedicated GitOps repo (many Applications) and a component repo that ships its own ArgoCD files.

Example Data Flow

Here's an example of the data that ArgoCD Collector writes to the Component JSON, which Valid then evaluates.

{ } component.json From ArgoCD Collector
{
  "cd": {
    "gitops": {
      "source": {
        "tool": "argocd",
        "integration": "code"
      },
      "applications": [
        {
          "name": "payment-api",
          "path": "apps/payment-api.yaml",
          "valid": true,
          "kind": "Application",
          "project": "platform",
          "component_annotation": "github.com/org/payment-api",
          "sync_policy": {
            "automated": true,
            "prune": true,
            "self_heal": true
          },
          "destination": {
            "server": "https://kubernetes.default.svc",
            "namespace": "payments"
          },
          "source_ref": {
            "repoURL": "https://github.com/org/gitops.git",
            "path": "payment-api",
            "targetRevision": "HEAD"
          },
          "images": ["myregistry.io/payment-api"],
          "canary": {
            "rollout": true
          }
        }
      ],
      "projects": [
        {
          "name": "platform",
          "path": "projects/platform.yaml",
          "valid": true,
          "is_default": false,
          "source_repos": ["https://github.com/org/gitops.git"],
          "destinations": [
            {"namespace": "payments", "server": "https://kubernetes.default.svc"}
          ]
        }
      ],
      "native": {
        "argocd": {
          "applications": [
            {"path": "apps/payment-api.yaml", "resource": {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application", "spec": {}}}
          ],
          "projects": [
            {"path": "projects/platform.yaml", "resource": {"apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject", "spec": {}}}
          ]
        }
      }
    }
  }
}

Configuration Options

ArgoCD Collector Inputs

Input Required Default Description
find_command Optional find . -type f \( -name '*.yaml' -o -name '*.yml' \) Command to find candidate YAML files (must output one file path per line). Used by the parse collector.

ArgoCD Guardrails Inputs

Input Required Default Description
allowed_projects Required Comma-separated allow-list of AppProject names for non-default-project. Empty means only enforce that the project is not `default`.

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo