Hamburger Cross Icon
CI Guardrails - Dependencies Pinned

Dependencies Pinned

Guardrail CI Guardrails Beta Devex Build And Ci
ci.dependencies-pinned

Verifies all third-party CI dependencies use SHA or tag pins, not branch refs. Reads from the normalized .ci.dependencies path — works with GHA actions, GitLab templates, CircleCI orbs, etc.

pinning supply-chain dependencies sha tag
Get Started View All CI Guardrails

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Dependencies Pinned with each collector.

+
Dependencies Pinned + GitHub Actions Collector Provides CI lint results and dependency pinning data via normalized paths

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
policies:
  - uses: github://earthly/lunar-lib/policies/ci@v1.0.5
    include: [dependencies-pinned]
    # with: ...

How This Guardrail Works

This guardrail is part of the CI Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
This Guardrail Checks Current
Dependencies Pinned runs and provides pass/fail feedback

Related Guardrails

Other guardrails in the CI Guardrails policy.

Guardrail Devex Build And Ci
Lint Clean

Ensures no lint errors across CI configuration files. Reads from the normalized .ci.lint path — works with any CI...
Guardrail Devex Build And Ci
No Mutable Refs

Ensures no third-party CI dependencies reference mutable refs like @main, @master, or @latest. Reads from normalized...
CI Guardrails

CI Guardrails

This guardrail is part of the CI Guardrails policy, which includes 3 guardrails for devex build and ci.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo