Dependency Automation Guardrails - Lunar Policy for Security And Compliance

Policy (Beta), category: Security And Compliance

Enforce that repositories have automated dependency updates configured via Dependabot or Renovate. Checks that at least one tool is present and that all detected package ecosystems have update rules defined.

Add dep-automation to your lunar-config.yml:
uses: github://earthly/lunar-lib/policies/dep-automation@v1.0.5

Included Guardrails

This policy includes 2 guardrails that enforce standards for your security and compliance.

Guardrail: dep-update-tool-configured

Requires at least one dependency update tool (Dependabot or Renovate) to be configured in the repository. Fails if neither tool's config file is found.

dependabot renovate dependency updates supply chain automation

Guardrail: all-ecosystems-covered

Checks that all detected package ecosystems in the component have corresponding update rules in the dependency automation config. For example, if the component uses npm and Docker, both should have update entries in Dependabot or be covered by Renovate's enabled managers. Skips if no dependency automation tool is configured.

ecosystem coverage dependabot renovate dependency updates completeness

How Guardrails Fit into Lunar

Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.

Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.

How Lunar Works

  1. Integrations gather data: collectors extract metadata from code, CI pipelines, tool outputs, and scans.
  2. Centralized as JSON: all data is merged into each component's unified metadata document.
  3. Guardrails enforce standards (this policy): real-time feedback in PRs and AI workflows.

Required Integrations

This policy evaluates data gathered by one or more of the following integration(s). Make sure to enable them in your lunar-config.yml.

Configuration

Configure this policy in your lunar-config.yml.

Inputs

Input Required Default Description

Documentation


Dependency Automation Guardrails

Enforces that repositories have automated dependency updates configured via Dependabot or Renovate.

Overview

Keeping dependencies up to date is a core supply-chain hygiene practice. This policy ensures that every component has at least one dependency update tool configured and that all detected package ecosystems are covered by update rules. It works with both Dependabot and Renovate, and checks pass if either tool covers the requirement.

Policies

| Policy | Description |
|---|---|
| dep-update-tool-configured | At least one of Dependabot or Renovate must be configured |
| all-ecosystems-covered | All detected package ecosystems must have update rules |

Required Data

The dependabot and renovate collectors write nothing when their respective config files aren't present — object presence at .dep_automation.dependabot or .dep_automation.renovate is itself the detection signal (per collector-reference.md § Write Nothing When Technology Not Detected). This policy uses get_value_or_default(".", None) to detect absent collector data.

| Path | Type | Provided By |
|---|---|---|
| .dep_automation.dependabot | object | dependabot collector (absent when no config file) |
| .dep_automation.dependabot.ecosystems | array | dependabot collector |
| .dep_automation.renovate | object | renovate collector (absent when no config file) |
| .dep_automation.renovate.all_managers_enabled | boolean | renovate collector |
| .dep_automation.renovate.enabled_managers | array | renovate collector |
| .dep_automation.native.renovate | object | renovate collector (raw config for reference) |
| .lang.* | object | Language collectors (go, nodejs, python, etc.) |
| .containers.definitions | array | Container collector |
| .ci.native.github_actions | object | GitHub Actions collector |
| .iac | object | IaC collector |

Note: Both the dependabot and renovate collectors should be configured for full coverage detection.

Installation

Add to your lunar-config.yml:

policies:
  - uses: github://earthly/lunar-lib/policies/dep-automation@v1.0.0
    on: ["domain:your-domain"]
    enforcement: report-pr
    # include: [dep-update-tool-configured]  # Only run specific checks

Examples

Passing Example — Dependabot covers all ecosystems

.dep_automation.renovate is absent (no Renovate config file present).

{
  "dep_automation": {
    "dependabot": {
      "valid": true,
      "ecosystems": ["docker", "github-actions", "npm"]
    }
  },
  "lang": {
    "nodejs": {}
  },
  "containers": {
    "definitions": [{"path": "Dockerfile"}]
  },
  "ci": {
    "native": {
      "github_actions": {}
    }
  }
}

Passing Example — Renovate with all managers enabled

.dep_automation.dependabot is absent (no Dependabot config file present).

{
  "dep_automation": {
    "renovate": {
      "valid": true,
      "all_managers_enabled": true,
      "enabled_managers": []
    }
  },
  "lang": {
    "go": {},
    "python": {}
  }
}

Failing Example — No tool configured

Both .dep_automation.dependabot and .dep_automation.renovate are absent — neither collector wrote anything because neither config file exists.

{}

Failure message: "No dependency update tool configured. Add a .github/dependabot.yml or renovate.json to automate dependency updates."

Failing Example — Missing ecosystem coverage

{
  "dep_automation": {
    "dependabot": {
      "valid": true,
      "ecosystems": ["npm"]
    }
  },
  "lang": {
    "nodejs": {},
    "python": {}
  }
}

Failure message: "Missing dependency update coverage for: pip. Add update entries to Dependabot or configure Renovate."

Remediation

When this policy fails, you can resolve it by:

  1. No tool configured: Add a .github/dependabot.yml or renovate.json to the repository root.
  2. Missing ecosystem coverage: Add update entries for the missing ecosystems to your Dependabot config, or switch to Renovate which covers all detected ecosystems by default.

Ecosystem mapping

The all-ecosystems-covered check is scoped to ecosystems that map to an existing lunar-lib collector. If a language has no collector in this repo, the policy has no signal to cross-reference against and won't flag missing coverage for it. Dependabot ecosystems like pub (Dart), mix (Elixir), swift, elm, and gitsubmodule are intentionally out of scope until the corresponding language collectors exist.

| Component Signal | Ecosystem Name | Provided By |
|---|---|---|
| .lang.nodejs | npm | nodejs collector |
| .lang.python | pip | python collector |
| .lang.go | gomod | golang collector |
| .lang.java (maven) | maven | java collector |
| .lang.java (gradle) | gradle | java collector |
| .lang.ruby | bundler | ruby collector |
| .lang.rust | cargo | rust collector |
| .lang.dotnet | nuget | dotnet collector |
| .lang.php | composer | php collector |
| .containers.definitions | docker | docker collector |
| .ci.native.github_actions | github-actions | github-actions collector |
| .iac (terraform) | terraform | terraform collector |
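The two checks walked through in the Examples section and the ecosystem mapping above, as an added Python example that is not the lunar-lib policy's own code: it reads the same metadata documents shown earlier and reproduces their pass/fail/skip outcomes and failure messages. How the "(maven)", "(gradle)" and "(terraform)" sub-signals are represented, and that Renovate's enabled_managers use the same ecosystem names as Dependabot, are assumptions.

```python
# Added example, not the lunar-lib policy source: both checks re-implemented over a
# component's metadata document with the ecosystem mapping from the table above.
# Assumed here: the "(maven)"/"(gradle)"/"(terraform)" sub-signals are a key inside
# the object, and Renovate's enabled_managers use the same ecosystem names.
SIGNALS = [  # (dotted path, required key inside the object or None, ecosystem name)
    ("lang.nodejs", None, "npm"), ("lang.python", None, "pip"),
    ("lang.go", None, "gomod"), ("lang.java", "maven", "maven"),
    ("lang.java", "gradle", "gradle"), ("lang.ruby", None, "bundler"),
    ("lang.rust", None, "cargo"), ("lang.dotnet", None, "nuget"),
    ("lang.php", None, "composer"), ("containers.definitions", None, "docker"),
    ("ci.native.github_actions", None, "github-actions"), ("iac", "terraform", "terraform")]

def get_path(doc, path):
    """Walk a dotted path; None means the collector wrote nothing (not detected)."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def detected_ecosystems(doc):
    """Ecosystems implied by the language, container, CI and IaC collector output."""
    found = set()
    for path, sub, eco in SIGNALS:
        node = get_path(doc, path)
        if node is None or node == [] or (sub and not (isinstance(node, dict) and sub in node)):
            continue  # signal absent, or the sub-signal (e.g. gradle) is not present
        found.add(eco)
    return found

def check_tool_configured(doc):
    """dep-update-tool-configured: presence of either collector object is the signal."""
    present = any(get_path(doc, "dep_automation." + t) is not None for t in ("dependabot", "renovate"))
    return (True, "") if present else (False, "No dependency update tool configured. Add a "
                                              ".github/dependabot.yml or renovate.json to automate dependency updates.")

def check_all_ecosystems_covered(doc):
    """all-ecosystems-covered: returns ('pass' | 'fail' | 'skip', message)."""
    if not check_tool_configured(doc)[0]:
        return ("skip", "no dependency automation tool configured")
    renovate = get_path(doc, "dep_automation.renovate") or {}
    if renovate.get("all_managers_enabled"):
        return ("pass", "")  # Renovate's default manager set covers everything detected
    dependabot = get_path(doc, "dep_automation.dependabot") or {}
    covered = set(dependabot.get("ecosystems", [])) | set(renovate.get("enabled_managers", []))
    missing = sorted(detected_ecosystems(doc) - covered)
    if missing:
        return ("fail", "Missing dependency update coverage for: %s. Add update entries "
                        "to Dependabot or configure Renovate." % ", ".join(missing))
    return ("pass", "")
```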

Open Source

This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.

