Hamburger Cross Icon
Stable Tags
+
Docker Collector

Stable Tags + Docker Collector

Guardrail Collector Stable Devex Build And Ci

Enforce Stable Tags using data collected by Docker Collector. Automatically check devex build and ci standards on every PR.

Guardrail: Requires base images to use stable tags: digests (sha256:...) or full semver (1.2.3). Partial versions like "node:20" can change unexpectedly and break builds.
Data Source: Parse Dockerfiles to extract base images, labels, and security configuration. Capture Docker build commands in CI for traceability and compliance enforcement.
Get Started View on GitHub

How Docker Collector Powers This Guardrail

The Docker Collector gathers metadata from your containers, ci cd systems. This data flows into Lunar's Component JSON, where the Stable Tags guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Docker Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Stable Tags Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Docker Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/docker@v1.0.0
    # with: ...

# Step 2: Enable the Container Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/container@v1.0.0
    include: [stable-tags]
    # with: ...

What Docker Collector Collects

This collector gathers the following data that the Stable Tags guardrail evaluates.

Collector code

dockerfile

Parses all Dockerfiles in the repository using dockerfile-json and collects:

  • Container definitions with base images and metadata
  • Final stage information (user, healthcheck)
  • Labels from each stage
Collector ci-after-command

cicd

Tracks all docker commands executed in CI pipelines. Records every invocation for audit trails. For build commands, also parses image tags, labels, platform, and Dockerfile paths into normalized build metadata.

Example Data Flow

Here's an example of the data that Docker Collector writes to the Component JSON, which Stable Tags then evaluates.

{ } component.json From Docker Collector 
{
  "containers": {
    "source": {
      "tool": "dockerfile-json",
      "version": "1.2.2"
    },
    "definitions": [
      {
        "path": "Dockerfile",
        "valid": true,
        "base_images": [
          {
            "reference": "golang:1.21-alpine",
            "image": "golang",
            "tag": "1.21-alpine"
          }
        ],
        "final_stage": {
          "base_name": "runtime",
          "base_image": "gcr.io/distroless/static-debian12:nonroot-amd64",
          "user": "nonroot",
          "has_healthcheck": false
        },
        "labels": {
          "org.opencontainers.image.source": "https://github.com/acme/api"
        }
      }
    ],
    "builds": [
      {
        "cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .",
        "has_tag": true,
        "image": "myregistry.io/app",
        "tag": "v1.2.3",
        "labels": {"git_sha": "abc123"},
        "expected_git_sha": "abc123def456...",
        "platform": null,
        "dockerfile": "Dockerfile.prod"
      }
    ],
    "native": {
      "docker": {
        "cicd": {
          "cmds": [
            {"cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .", "version": "24.0.7"},
            {"cmd": "docker push myregistry.io/app:v1.2.3", "version": "24.0.7"}
          ],
          "source": {"tool": "docker", "integration": "ci"}
        }
      }
    }
  }
}

Configuration Options

Docker Collector Inputs

Input Required Default Description
find_command Optional find . -type f \( -name Dockerfile -o -name '*.Dockerfile' -o -name 'Dockerfile.*' \) Command to find Dockerfiles (must output one file path per line)

Container Guardrails Inputs

Input Required Default Description
allowed_registries Optional docker.io Comma-separated list of allowed registries
required_labels Required Comma-separated list of required labels checked across Dockerfile and build commands (empty = no requirement)

Other Guardrails Using Docker Collector

Other guardrails in Container Guardrails that use data from Docker Collector.

Guardrail + Docker
No Latest

Prevents use of the :latest tag (explicit or implicit) in base images. Using :latest creates...
Guardrail + Docker
Allowed Registries

Restricts base images to approved container registries only. Prevents supply chain attacks from...
Guardrail + Docker
Required Labels

Ensures containers have required labels, checking both Dockerfile LABEL instructions and docker...
Guardrail + Docker
Healthcheck

Requires a HEALTHCHECK instruction in the final stage of multi-stage builds. Enables container...
View all 7 guardrails in Container Guardrails

Learn More

Guardrail · Container Guardrails Stable Tags View all compatible integrations
Collector Docker Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check Infrastructure conventions
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Turn any process doc into guardrails
Book a Demo