
Healthcheck + Dockerfile Collector


Enforce the Healthcheck guardrail using data collected by the Dockerfile Collector. Automatically check devex, build, and CI standards on every PR.

Guardrail: Requires a HEALTHCHECK instruction in the final stage of multi-stage builds. Enables container orchestrators to detect and restart unhealthy containers.
Data Source: Parse Dockerfiles to extract base images, final stage configuration, healthchecks, users, and labels. Enforce container security and best practices.

How Dockerfile Collector Powers This Guardrail

The Dockerfile Collector gathers metadata from your container definitions and build systems. This data flows into Lunar's Component JSON, where the Healthcheck guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1. Dockerfile Collector gathers data (Collector): extracts metadata from code, configs, and tool outputs.
2. Component JSON: data is centralized in a structured format for evaluation.
3. Healthcheck checks (Guardrail): pass/fail result with actionable feedback in PRs.

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

lunar-config.yml
# Step 1: Enable the Dockerfile Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/dockerfile@v1.0.0
    # with: ...

# Step 2: Enable the Container Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/container@v1.0.0
    include: [healthcheck]
    # with: ...

What Dockerfile Collector Collects

This collector gathers the following data that the Healthcheck guardrail evaluates.

Collector: dockerfile

Parses all Dockerfiles in the repository using dockerfile-json and collects:

  • Container definitions with base images and metadata
  • Final stage information (user, healthcheck)
  • Labels from each stage

Example Data Flow

Here's an example of the data that Dockerfile Collector writes to the Component JSON, which Healthcheck then evaluates.

component.json (from Dockerfile Collector)
{
  "containers": {
    "source": {
      "tool": "dockerfile-json",
      "version": "1.2.2"
    },
    "definitions": [
      {
        "path": "Dockerfile",
        "valid": true,
        "base_images": [
          {
            "reference": "golang:1.21-alpine",
            "image": "golang",
            "tag": "1.21-alpine"
          },
          {
            "reference": "gcr.io/distroless/static-debian12:nonroot-amd64",
            "image": "gcr.io/distroless/static-debian12",
            "tag": "nonroot-amd64"
          }
        ],
        "final_stage": {
          "base_name": "runtime",
          "base_image": "gcr.io/distroless/static-debian12:nonroot-amd64",
          "user": "nonroot",
          "has_healthcheck": false
        },
        "labels": {
          "org.opencontainers.image.source": "https://github.com/acme/api"
        },
        "native": {
          "ast": { "Stages": ["..."] }
        }
      }
    ]
  }
}
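As an added illustration (not lunar-lib's own collector or policy code), the following Python derives the final_stage fields shown above from a constructed multi-stage Dockerfile and applies the Healthcheck rule to the resulting definition. It assumes a simplified parser rather than dockerfile-json's exact behaviour, and treats HEALTHCHECK NONE as "no healthcheck".

```python
import re
# Constructed multi-stage Dockerfile (not from the page): the builder stage has a
# HEALTHCHECK but the final "runtime" stage does not, so the guardrail must fail.
SAMPLE_DOCKERFILE = """\
FROM golang:1.21-alpine AS build
COPY . .
RUN go build -o /out/api ./cmd/api
HEALTHCHECK CMD true

FROM gcr.io/distroless/static-debian12:nonroot-amd64 AS runtime
COPY --from=build /out/api /api
USER nonroot
"""
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def _logical_lines(text):
    """Yield instructions with backslash continuations joined; skip blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        line, buf = (buf + s).strip(), ""
        if line and not line.startswith("#"):
            yield line

def collect(text, path="Dockerfile"):
    """Simplified `containers.definitions[]` entry; only the last stage is final_stage."""
    stages = []
    for line in _logical_lines(text):
        m = FROM_RE.match(line)
        if m:
            stages.append({"base_name": m.group(2) or "", "base_image": m.group(1),
                           "user": "", "has_healthcheck": False})
        elif stages:  # instructions before the first FROM (e.g. ARG) belong to no stage
            inst, _, args = line.partition(" ")
            if inst.upper() == "USER":
                stages[-1]["user"] = args.strip()
            elif inst.upper() == "HEALTHCHECK":  # assumption: NONE means no healthcheck
                stages[-1]["has_healthcheck"] = args.strip().upper() != "NONE"
    return {"path": path, "final_stage": stages[-1] if stages else None}

def check_healthcheck(definition):
    """Healthcheck guardrail: (passed, feedback) for one definition."""
    fs = definition.get("final_stage") or {}
    if fs.get("has_healthcheck"):
        return True, f"{definition['path']}: final stage '{fs['base_name']}' defines HEALTHCHECK"
    return False, (f"{definition['path']}: add HEALTHCHECK to final stage '{fs.get('base_name')}' "
                   f"({fs.get('base_image')}) so orchestrators can detect and restart it")
```

A HEALTHCHECK in the builder stage does not satisfy the check, because only the last stage's instructions end up in the shipped image.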

Configuration Options

Dockerfile Collector Inputs

| Input | Required | Default | Description |
| --- | --- | --- | --- |
| find_command | Optional | find . -type f \( -name Dockerfile -o -name '*.Dockerfile' -o -name 'Dockerfile.*' \) | Command to find Dockerfiles (must output one file path per line) |

Container Guardrails Inputs

| Input | Required | Default | Description |
| --- | --- | --- | --- |
| allowed_registries | Optional | docker.io | Comma-separated list of allowed registries |
| required_labels | Required | | Comma-separated list of required labels (empty = no requirement) |

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process:

  • Infrastructure conventions
  • Post-mortem action items
  • Security & compliance policies
  • Testing & quality requirements