Executed + Snyk Collector

✓ Guardrail ↓ Collector Stable Security And Compliance

Enforce Executed using data collected by Snyk Collector. Automatically check security and compliance standards on every PR.

Guardrail: Verifies that container scanning was executed on the component. Fails if no scanner has written to .container_scan.

Data Source: Detects Snyk security scanning via GitHub App or CLI integration. Automatically categorizes results (SCA, SAST, Container, IaC) based on scan type and writes to normalized Component JSON paths.

Get Started View on GitHub

How Snyk Collector Powers This Guardrail

The Snyk Collector gathers metadata from your systems. This data flows into Lunar's Component JSON, where the Executed guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

↓ Snyk Collector Gathers Data Collector

Extracts metadata from code, configs, and tool outputs

{ } Component JSON

Data centralized in structured format for evaluation

✓ Executed Checks Guardrail

Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml

# Step 1: Enable the Snyk Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/snyk@v1.0.0
    # with: ...

# Step 2: Enable the Container Scan Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/container-scan@v1.0.0
    include: [executed]
    # with: ...

What Snyk Collector Collects

This collector gathers the following data that the Executed guardrail evaluates.

Collector code

`github-app`

Detects Snyk GitHub App scans on pull requests by querying GitHub commit status API. Waits for scan completion and captures results. Categorizes by scan type (Open Source, Code, Container, IaC).

Collector code

`running-in-prs`

Proves Snyk is running on PRs by querying Lunar Hub for Snyk data from recent PRs. Used on the default branch to provide compliance proof that PR scanning is happening (since Snyk GitHub App only posts checks on PRs, not directly on the default branch).

Collector ci-after-command

`cli`

Detects Snyk CLI executions in CI pipelines. Captures the command and exit code, then categorizes by subcommand (test, code, container, iac).

Example Data Flow

Here's an example of the data that Snyk Collector writes to the Component JSON, which Executed then evaluates.

{ } component.json From Snyk Collector

{
  "sca": {
    "running_in_prs": true,
    "source": {
      "tool": "snyk",
      "version": "1.1200.0",
      "integration": "github_app"
    },
    "native": {
      "snyk": {
        "github_app": {
          "state": "success",
          "context": "security/snyk",
          "target_url": "https://app.snyk.io/..."
        },
        "cicd": {
          "cmds": [
            {"cmd": "snyk test --all-projects", "version": "1.1200.0"}
          ]
        }
      }
    }
  }
}

Configuration Options

Container Scan Guardrails Inputs

Input	Required	Default	Description
`min_severity`	Optional	`high`	Minimum severity to fail on (critical, high, medium, low)
`max_total_threshold`	Required	—	Maximum total findings allowed (must be configured)

Learn More

Guardrail · Container Scan Guardrails Executed View all compatible integrations

→

Collector Snyk Collector View full documentation

→

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process

Infrastructure conventions

Post-mortem action items

Security & compliance policies

Testing & quality requirements

Automate Now

Turn any process doc into guardrails

Book a Demo