Hamburger Cross Icon
Required Labels
+
Dockerfile Collector

Required Labels + Dockerfile Collector

Guardrail Collector Stable Devex Build And Ci

Enforce Required Labels using data collected by Dockerfile Collector. Automatically check devex build and ci standards on every PR.

Guardrail: Ensures Dockerfiles include required OCI labels for traceability. Common labels: org.opencontainers.image.source, version, maintainer.
Data Source: Parse Dockerfiles to extract base images, final stage configuration, healthchecks, users, and labels. Enforce container security and best practices.
Get Started View on GitHub

How Dockerfile Collector Powers This Guardrail

The Dockerfile Collector gathers metadata from your containers, build systems. This data flows into Lunar's Component JSON, where the Required Labels guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Dockerfile Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Required Labels Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Dockerfile Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/dockerfile@v1.0.0
    # with: ...

# Step 2: Enable the Container Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/container@v1.0.0
    include: [required-labels]
    # with: ...

What Dockerfile Collector Collects

This collector gathers the following data that the Required Labels guardrail evaluates.

Collector code

dockerfile

Parses all Dockerfiles in the repository using dockerfile-json and collects:

  • Container definitions with base images and metadata
  • Final stage information (user, healthcheck)
  • Labels from each stage

Example Data Flow

Here's an example of the data that Dockerfile Collector writes to the Component JSON, which Required Labels then evaluates.

{ } component.json From Dockerfile Collector 
{
  "containers": {
    "source": {
      "tool": "dockerfile-json",
      "version": "1.2.2"
    },
    "definitions": [
      {
        "path": "Dockerfile",
        "valid": true,
        "base_images": [
          {
            "reference": "golang:1.21-alpine",
            "image": "golang",
            "tag": "1.21-alpine"
          },
          {
            "reference": "gcr.io/distroless/static-debian12:nonroot-amd64",
            "image": "gcr.io/distroless/static-debian12",
            "tag": "nonroot-amd64"
          }
        ],
        "final_stage": {
          "base_name": "runtime",
          "base_image": "gcr.io/distroless/static-debian12:nonroot-amd64",
          "user": "nonroot",
          "has_healthcheck": false
        },
        "labels": {
          "org.opencontainers.image.source": "https://github.com/acme/api"
        },
        "native": {
          "ast": { "Stages": ["..."] }
        }
      }
    ]
  }
}

Configuration Options

Dockerfile Collector Inputs

Input Required Default Description
find_command Optional find . -type f \( -name Dockerfile -o -name '*.Dockerfile' -o -name 'Dockerfile.*' \) Command to find Dockerfiles (must output one file path per line)

Container Guardrails Inputs

Input Required Default Description
allowed_registries Optional docker.io Comma-separated list of allowed registries
required_labels Required Comma-separated list of required labels (empty = no requirement)

Other Guardrails Using Dockerfile Collector

Other guardrails in Container Guardrails that use data from Dockerfile Collector.

Guardrail + Dockerfile
No Latest

Prevents use of the :latest tag (explicit or implicit) in base images. Using :latest creates...
Guardrail + Dockerfile
Stable Tags

Requires base images to use stable tags: digests (sha256:...) or full semver (1.2.3). Partial...
Guardrail + Dockerfile
Allowed Registries

Restricts base images to approved container registries only. Prevents supply chain attacks from...
Guardrail + Dockerfile
Healthcheck

Requires a HEALTHCHECK instruction in the final stage of multi-stage builds. Enables container...
View all 6 guardrails in Container Guardrails

Learn More

Guardrail · Container Guardrails Required Labels View all compatible integrations
Collector Dockerfile Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check Infrastructure conventions
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Book a Demo
See it work with your own use cases
See How It Works