
No Latest + Dockerfile Collector

Tags: Guardrail, Collector, Stable, Devex, Build and CI

Enforce No Latest using data collected by the Dockerfile Collector. Automatically check devex, build and CI standards on every PR.

Guardrail: Prevents use of the :latest tag (explicit or implicit) in base images. Using :latest creates non-reproducible builds and makes debugging difficult.
Data Source: Parse Dockerfiles to extract base images, final stage configuration, healthchecks, users, and labels. Enforce container security and best practices.

How Dockerfile Collector Powers This Guardrail

The Dockerfile Collector gathers metadata from your containers and build systems. This data flows into Lunar's Component JSON, where the No Latest guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1. Dockerfile Collector gathers data (Collector): extracts metadata from code, configs, and tool outputs.
2. Component JSON: data centralized in a structured format for evaluation.
3. No Latest checks (Guardrail): pass/fail result with actionable feedback in PRs.

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
# Step 1: Enable the Dockerfile Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/dockerfile@v1.0.0
    # with: ...

# Step 2: Enable the Container Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/container@v1.0.0
    include: [no-latest]
    # with: ...

What Dockerfile Collector Collects

This collector gathers the following data that the No Latest guardrail evaluates.

Collector: dockerfile

Parses all Dockerfiles in the repository using dockerfile-json and collects:

  • Container definitions with base images and metadata
  • Final stage information (user, healthcheck)
  • Labels from each stage

Example Data Flow

Here's an example of the data that Dockerfile Collector writes to the Component JSON, which No Latest then evaluates.

component.json (from Dockerfile Collector)
{
  "containers": {
    "source": {
      "tool": "dockerfile-json",
      "version": "1.2.2"
    },
    "definitions": [
      {
        "path": "Dockerfile",
        "valid": true,
        "base_images": [
          {
            "reference": "golang:1.21-alpine",
            "image": "golang",
            "tag": "1.21-alpine"
          },
          {
            "reference": "gcr.io/distroless/static-debian12:nonroot-amd64",
            "image": "gcr.io/distroless/static-debian12",
            "tag": "nonroot-amd64"
          }
        ],
        "final_stage": {
          "base_name": "runtime",
          "base_image": "gcr.io/distroless/static-debian12:nonroot-amd64",
          "user": "nonroot",
          "has_healthcheck": false
        },
        "labels": {
          "org.opencontainers.image.source": "https://github.com/acme/api"
        },
        "native": {
          "ast": { "Stages": ["..."] }
        }
      }
    ]
  }
}
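To make the two halves of the flow concrete (the collector's extraction of base images from FROM lines, and the guardrail's check for an explicit or implicit :latest tag), here is an added, self-contained Python example. It is not Lunar's own collector or policy code and does not use dockerfile-json; it is a minimal re-implementation of the same idea, operating on constructed Dockerfile text. The function names (split_reference, collect_base_images, check_no_latest) and the sample Dockerfiles are assumptions made for this illustration. It also treats a digest-pinned reference with no tag as passing, since that is reproducible; whether the real guardrail does the same is not stated on this page.

```python
import re

# Constructed sample input: a multi-stage Dockerfile matching the component.json
# shown above. Not taken from any real repository.
SAMPLE_DOCKERFILE = """\
FROM golang:1.21-alpine AS build
WORKDIR /src
COPY . .
RUN go build -o /out/api .

FROM gcr.io/distroless/static-debian12:nonroot-amd64 AS runtime
COPY --from=build /out/api /api
USER nonroot
LABEL org.opencontainers.image.source="https://github.com/acme/api"
ENTRYPOINT ["/api"]
"""

# Constructed inputs that should fail: explicit :latest, and no tag at all.
EXPLICIT_LATEST = "FROM node:latest\nRUN npm ci\n"
IMPLICIT_LATEST = "FROM ubuntu\nRUN apt-get update\n"

# FROM [--platform=...] <reference> [AS <name>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE
)


def split_reference(reference):
    """Split an image reference into (image, tag, digest).

    Only a ':' after the last '/' is a tag separator, so a registry host
    with a port (registry:5000/app) is not mistaken for a tag.
    """
    digest = None
    if "@" in reference:
        reference, digest = reference.split("@", 1)
    prefix, _, last = reference.rpartition("/")
    if ":" in last:
        repo, tag = last.split(":", 1)
    else:
        repo, tag = last, None
    image = f"{prefix}/{repo}" if prefix else repo
    return image, tag, digest


def collect_base_images(dockerfile_text):
    """Collector step: one base_images entry per FROM that names an external
    image. 'FROM <earlier-stage>' reuses a stage and is not a base image.
    Also records the final stage's alias and base reference."""
    base_images, stage_names = [], []
    final_stage = {"base_name": None, "base_image": None}
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        reference, alias = m.group(1), m.group(2)
        final_stage = {"base_name": alias, "base_image": reference}
        if reference in stage_names:  # refers back to a previous stage
            stage_names.append(alias)
            continue
        stage_names.append(alias)
        image, tag, digest = split_reference(reference)
        entry = {"reference": reference, "image": image, "tag": tag}
        if digest:
            entry["digest"] = digest
        base_images.append(entry)
    return {"base_images": base_images, "final_stage": final_stage}


def check_no_latest(definition):
    """Guardrail step: return a list of findings; empty list means pass.
    Fails on an explicit ':latest' tag or on a tag-less reference, which
    Docker resolves to :latest implicitly. A digest pin without a tag is
    reproducible and is allowed here (assumption, see lead-in)."""
    findings = []
    for img in definition["base_images"]:
        tag = img.get("tag")
        if tag == "latest":
            findings.append(f"{img['reference']}: explicit :latest tag")
        elif tag is None and not img.get("digest"):
            findings.append(f"{img['reference']}: no tag, resolves to :latest implicitly")
    return findings


if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_DOCKERFILE),
                       ("explicit", EXPLICIT_LATEST),
                       ("implicit", IMPLICIT_LATEST)]:
        result = check_no_latest(collect_base_images(text))
        print(name, "PASS" if not result else "FAIL", result)
```

Running the module prints PASS for the sample multi-stage Dockerfile and FAIL with one finding each for the explicit and implicit cases. The collector half deliberately keeps the tag as None rather than filling in "latest" so that the guardrail can distinguish the two failure modes in its feedback.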

Configuration Options

Dockerfile Collector Inputs

Input: find_command
Required: Optional
Default: find . -type f \( -name Dockerfile -o -name '*.Dockerfile' -o -name 'Dockerfile.*' \)
Description: Command to find Dockerfiles (must output one file path per line)

Container Guardrails Inputs

Input: allowed_registries
Required: Optional
Default: docker.io
Description: Comma-separated list of allowed registries

Input: required_labels
Required: Required
Default: (none)
Description: Comma-separated list of required labels (empty = no requirement)
