Hamburger Cross Icon
Container Guardrails - Required Labels

Required Labels

Guardrail Container Guardrails Stable Devex Build And Ci
container.required-labels

Ensures containers have required labels, checking both Dockerfile LABEL instructions and docker build --label flags. A label present in either source satisfies the requirement.

container labels oci labels build labels image metadata git sha
Get Started View All Container Guardrails

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Required Labels with each collector.

+
Required Labels + Docker Collector Provides Dockerfile and build data that these policies evaluate

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
policies:
  - uses: github://earthly/lunar-lib/policies/container@v1.0.0
    include: [required-labels]
    # with: ...

How This Guardrail Works

This guardrail is part of the Container Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
This Guardrail Checks Current
Required Labels runs and provides pass/fail feedback

Configuration Options

These inputs can be configured in your lunar-config.yml to customize how the parent policy (and this guardrail) behaves.

Input Required Default Description
allowed_registries Optional docker.io Comma-separated list of allowed registries
required_labels Required Comma-separated list of required labels checked across Dockerfile and build commands (empty = no requirement)

Related Guardrails

Other guardrails in the Container Guardrails policy.

Guardrail Devex Build And Ci
No Latest

Prevents use of the :latest tag (explicit or implicit) in base images. Using :latest creates non-reproducible builds and...
Guardrail Devex Build And Ci
Stable Tags

Requires base images to use stable tags: digests (sha256:...) or full semver (1.2.3). Partial versions like "node:20"...
Guardrail Devex Build And Ci
Allowed Registries

Restricts base images to approved container registries only. Prevents supply chain attacks from untrusted image sources.
Guardrail Devex Build And Ci
Healthcheck

Requires a HEALTHCHECK instruction in the final stage of multi-stage builds. Enables container orchestrators to detect...
Guardrail Devex Build And Ci
User

Requires a USER instruction to run the container as a non-root user. Running as root inside containers is a security...
Guardrail Devex Build And Ci
Build Tagged

Requires container builds to use an explicit image tag via -t/--tag. Untagged builds produce anonymous images that...
Container Guardrails

Container Guardrails

This guardrail is part of the Container Guardrails policy, which includes 7 guardrails for devex build and ci.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check Infrastructure conventions
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Turn any process doc into guardrails
Book a Demo