Hamburger Cross Icon
Container Guardrails - Stable Tags

Stable Tags

Guardrail Container Guardrails Stable Devex Build And Ci
container.stable-tags

Requires base images to use stable tags: digests (sha256:...) or full semver (1.2.3). Partial versions like "node:20" can change unexpectedly and break builds.

semver image digest version pinning tag policy
Get Started View All Container Guardrails

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Stable Tags with each collector.

+
Stable Tags + Dockerfile Collector Provides Dockerfile data that these policies evaluate

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
policies:
  - uses: github://earthly/lunar-lib/policies/container@v1.0.0
    include: [stable-tags]
    # with: ...

How This Guardrail Works

This guardrail is part of the Container Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
This Guardrail Checks Current
Stable Tags runs and provides pass/fail feedback

Configuration Options

These inputs can be configured in your lunar-config.yml to customize how the parent policy (and this guardrail) behaves.

Input Required Default Description
allowed_registries Optional docker.io Comma-separated list of allowed registries
required_labels Required Comma-separated list of required labels (empty = no requirement)

Related Guardrails

Other guardrails in the Container Guardrails policy.

Guardrail Devex Build And Ci
No Latest

Prevents use of the :latest tag (explicit or implicit) in base images. Using :latest creates non-reproducible builds and...
Guardrail Devex Build And Ci
Allowed Registries

Restricts base images to approved container registries only. Prevents supply chain attacks from untrusted image sources.
Guardrail Devex Build And Ci
Required Labels

Ensures Dockerfiles include required OCI labels for traceability. Common labels: org.opencontainers.image.source,...
Guardrail Devex Build And Ci
Healthcheck

Requires a HEALTHCHECK instruction in the final stage of multi-stage builds. Enables container orchestrators to detect...
Guardrail Devex Build And Ci
User

Requires a USER instruction to run the container as a non-root user. Running as root inside containers is a security...
Container Guardrails

Container Guardrails

This guardrail is part of the Container Guardrails policy, which includes 6 guardrails for devex build and ci.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check Infrastructure conventions
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Book a Demo
See it work with your own use cases
See How It Works