Hamburger Cross Icon
Executed
+
Docker Collector

Executed + Docker Collector

Guardrail Collector Stable Security And Compliance

Enforce Executed using data collected by Docker Collector. Automatically check security and compliance standards on every PR.

Guardrail: Verifies that container scanning was executed on the component. Fails if no scanner has written to .container_scan.
Data Source: Parse Dockerfiles to extract base images, labels, and security configuration. Capture Docker build commands in CI for traceability and compliance enforcement.
Get Started View on GitHub

How Docker Collector Powers This Guardrail

The Docker Collector gathers metadata from your containers, ci cd systems. This data flows into Lunar's Component JSON, where the Executed guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Docker Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Executed Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Docker Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/docker@v1.0.0
    # with: ...

# Step 2: Enable the Container Scan Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/container-scan@v1.0.0
    include: [executed]
    # with: ...

What Docker Collector Collects

This collector gathers the following data that the Executed guardrail evaluates.

Collector code

dockerfile

Parses all Dockerfiles in the repository using dockerfile-json and collects:

  • Container definitions with base images and metadata
  • Final stage information (user, healthcheck)
  • Labels from each stage
Collector ci-after-command

cicd

Tracks all docker commands executed in CI pipelines. Records every invocation for audit trails. For build commands, also parses image tags, labels, platform, and Dockerfile paths into normalized build metadata.

Example Data Flow

Here's an example of the data that Docker Collector writes to the Component JSON, which Executed then evaluates.

{ } component.json From Docker Collector 
{
  "containers": {
    "source": {
      "tool": "dockerfile-json",
      "version": "1.2.2"
    },
    "definitions": [
      {
        "path": "Dockerfile",
        "valid": true,
        "base_images": [
          {
            "reference": "golang:1.21-alpine",
            "image": "golang",
            "tag": "1.21-alpine"
          }
        ],
        "final_stage": {
          "base_name": "runtime",
          "base_image": "gcr.io/distroless/static-debian12:nonroot-amd64",
          "user": "nonroot",
          "has_healthcheck": false
        },
        "labels": {
          "org.opencontainers.image.source": "https://github.com/acme/api"
        }
      }
    ],
    "builds": [
      {
        "cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .",
        "has_tag": true,
        "image": "myregistry.io/app",
        "tag": "v1.2.3",
        "labels": {"git_sha": "abc123"},
        "expected_git_sha": "abc123def456...",
        "platform": null,
        "dockerfile": "Dockerfile.prod"
      }
    ],
    "native": {
      "docker": {
        "cicd": {
          "cmds": [
            {"cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .", "version": "24.0.7"},
            {"cmd": "docker push myregistry.io/app:v1.2.3", "version": "24.0.7"}
          ],
          "source": {"tool": "docker", "integration": "ci"}
        }
      }
    }
  }
}

Configuration Options

Docker Collector Inputs

Input Required Default Description
find_command Optional find . -type f \( -name Dockerfile -o -name '*.Dockerfile' -o -name 'Dockerfile.*' \) Command to find Dockerfiles (must output one file path per line)

Container Scan Guardrails Inputs

Input Required Default Description
min_severity Optional high Minimum severity to fail on (critical, high, medium, low)
max_total_threshold Required Maximum total findings allowed (must be configured)

Other Guardrails Using Docker Collector

Other guardrails in Container Scan Guardrails that use data from Docker Collector.

Guardrail + Docker
Max Severity

Ensures no findings at or above the configured severity threshold. Configure min_severity to set the...
Guardrail + Docker
Max Total

Ensures total container vulnerabilities are under a configurable threshold.

Learn More

Guardrail · Container Scan Guardrails Executed View all compatible integrations
Collector Docker Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check Infrastructure conventions
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Turn any process doc into guardrails
Book a Demo