Hamburger Cross Icon
All Ecosystems Covered
+
Dependabot Collector

All Ecosystems Covered + Dependabot Collector

Guardrail Collector Beta Security And Compliance

Enforce All Ecosystems Covered using data collected by Dependabot Collector. Automatically check security and compliance standards on every PR.

Guardrail: Checks that all detected package ecosystems in the component have corresponding update rules in the dependency automation config. For example, if the component uses npm and Docker, both should have update entries in Dependabot or be covered by Renovate's enabled managers. Skips if no dependency automation tool is configured.
Data Source: Parses .github/dependabot.yml to collect dependency update configuration including covered ecosystems, update schedules, and directory targets. Enables enforcement of dependency automation standards.
Get Started View on GitHub

How Dependabot Collector Powers This Guardrail

The Dependabot Collector gathers metadata from your security systems. This data flows into Lunar's Component JSON, where the All Ecosystems Covered guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Dependabot Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
All Ecosystems Covered Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Dependabot Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/dependabot@v1.0.5
    # with: ...

# Step 2: Enable the Dependency Automation Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/dep-automation@v1.0.5
    include: [all-ecosystems-covered]
    # with: ...

What Dependabot Collector Collects

This collector gathers the following data that the All Ecosystems Covered guardrail evaluates.

Collector code

config

Scans the repository for a Dependabot configuration file at .github/dependabot.yml (or .yaml variant). Parses the YAML to extract the schema version, update entries (ecosystem, directory, schedule), and a normalized list of covered ecosystems. Writes structured data to .dep_automation.dependabot.

Example Data Flow

Here's an example of the data that Dependabot Collector writes to the Component JSON, which All Ecosystems Covered then evaluates.

{ } component.json From Dependabot Collector 
{
  "dep_automation": {
    "dependabot": {
      "valid": true,
      "path": ".github/dependabot.yml",
      "version": 2,
      "updates": [
        {
          "package_ecosystem": "npm",
          "directory": "/",
          "schedule": "weekly",
          "open_pull_requests_limit": 5
        },
        {
          "package_ecosystem": "docker",
          "directory": "/",
          "schedule": "weekly",
          "open_pull_requests_limit": 5
        },
        {
          "package_ecosystem": "github-actions",
          "directory": "/",
          "schedule": "weekly",
          "open_pull_requests_limit": 5
        }
      ],
      "ecosystems": ["docker", "github-actions", "npm"],
      "update_count": 3
    }
  }
}

Configuration Options

Dependabot Collector Inputs

Input Required Default Description
paths Optional .github/dependabot.yml,.github/dependabot.yaml Comma-separated list of Dependabot config file paths to check (first match wins)

Dependency Automation Guardrails Inputs

Input Required Default Description

Other Guardrails Using Dependabot Collector

Other guardrails in Dependency Automation Guardrails that use data from Dependabot Collector.

Guardrail + Dependabot
Dep Update Tool Configured

Requires at least one dependency update tool (Dependabot or Renovate) to be configured in the...

Learn More

Guardrail · Dependency Automation Guardrails All Ecosystems Covered View all compatible integrations
Collector Dependabot Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo