All Ecosystems Covered + Renovate Collector

Guardrail Collector Beta Security And Compliance

Enforce All Ecosystems Covered using data collected by Renovate Collector. Automatically check security and compliance standards on every PR.

Guardrail: Checks that all detected package ecosystems in the component have corresponding update rules in the dependency automation config. For example, if the component uses npm and Docker, both should have update entries in Dependabot or be covered by Renovate's enabled managers. Skips if no dependency automation tool is configured.
Data Source: Parses Renovate config (renovate.json, .renovaterc, .renovaterc.json, or the renovate key in package.json). Writes the full parsed config to .dep_automation.native.renovate and exposes normalized fields (extends, enabled managers) at .dep_automation.renovate for policy use.

How Renovate Collector Powers This Guardrail

The Renovate Collector gathers metadata from the Renovate configuration in your repository. This data flows into Lunar's Component JSON, where the All Ecosystems Covered guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1. Renovate Collector Gathers Data (Collector): Extracts metadata from code, configs, and tool outputs
2. Component JSON: Data centralized in structured format for evaluation
3. All Ecosystems Covered Checks (Guardrail): Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
# Step 1: Enable the Renovate Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/renovate@v1.0.5
    # with: ...

# Step 2: Enable the Dependency Automation Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/dep-automation@v1.0.5
    include: [all-ecosystems-covered]
    # with: ...

What Renovate Collector Collects

This collector gathers the following data that the All Ecosystems Covered guardrail evaluates.

config

Scans the repository for Renovate configuration in standard locations: renovate.json, .renovaterc, .renovaterc.json, or the "renovate" key in package.json. Writes the full parsed config verbatim to .dep_automation.native.renovate and extracts a normalized summary (extends, enabled managers) to .dep_automation.renovate for policies.

Example Data Flow

Here's an example of the data that Renovate Collector writes to the Component JSON, which All Ecosystems Covered then evaluates.

{ } component.json From Renovate Collector
{
  "dep_automation": {
    "renovate": {
      "valid": true,
      "path": "renovate.json",
      "extends": ["config:base", "group:recommended"],
      "all_managers_enabled": true,
      "enabled_managers": []
    },
    "native": {
      "renovate": {
        "extends": ["config:base", "group:recommended"],
        "packageRules": [
          {"matchUpdateTypes": ["minor", "patch"], "automerge": true},
          {"matchPackagePatterns": ["^@types/"], "groupName": "type definitions"},
          {"matchDepTypes": ["devDependencies"], "rangeStrategy": "pin"}
        ],
        "schedule": ["before 9am on monday"],
        "labels": ["dependencies"]
      }
    }
  }
}

Configuration Options

Renovate Collector Inputs

Input: paths
Required: Optional
Default: renovate.json,renovate.json5,.github/renovate.json,.github/renovate.json5,.gitlab/renovate.json,.gitlab/renovate.json5,.renovaterc,.renovaterc.json,.renovaterc.json5,package.json
Description: Comma-separated list of Renovate config file paths to check (first match wins). Default covers every location Renovate itself reads, across GitHub/GitLab/Bitbucket/Azure DevOps and self-hosted installs; config location depends on SCM host, not CI environment. When the path is package.json, the collector extracts the top-level "renovate" key (and treats its absence as "not a renovate config" before moving on).
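
The path lookup described above (first match wins, package.json only counts when it has a "renovate" key) and the coverage check from the guardrail description, as an added Python example; this is not Lunar's or lunar-lib's own code. Assumptions: configs are plain JSON, an absent or empty enabledManagers means every manager is enabled, and the ecosystem labels, the ecosystem-to-manager map and the `detected` list are hypothetical.

```python
import json

# Subset of the collector's default paths (JSON5 variants omitted: assumption).
DEFAULT_PATHS = "renovate.json,.github/renovate.json,.renovaterc,.renovaterc.json,package.json"

# Hypothetical ecosystem labels mapped to the Renovate managers that cover them.
ECOSYSTEM_MANAGERS = {
    "npm": {"npm"},
    "docker": {"dockerfile", "docker-compose"},
    "go": {"gomod"},
    "python": {"pip_requirements", "poetry", "pep621"},
}

def collect(files, paths=DEFAULT_PATHS):
    """Build the dep_automation part of the Component JSON; first match wins."""
    for path in paths.split(","):
        if path not in files:
            continue
        cfg = json.loads(files[path])
        if path == "package.json":
            cfg = cfg.get("renovate")
            if cfg is None:          # package.json without a "renovate" key:
                continue             # not a Renovate config, keep looking
        enabled = cfg.get("enabledManagers", [])
        summary = {"valid": True, "path": path,
                   "extends": cfg.get("extends", []),
                   "all_managers_enabled": not enabled,  # assumption: empty list = all
                   "enabled_managers": enabled}
        return {"dep_automation": {"renovate": summary, "native": {"renovate": cfg}}}
    return {}

def check_all_ecosystems_covered(component, detected):
    """Return (status, uncovered); status is "pass", "fail" or "skip"."""
    reno = component.get("dep_automation", {}).get("renovate")
    if reno is None:
        return "skip", []            # no dependency automation configured
    if reno["all_managers_enabled"]:
        return "pass", []
    enabled = set(reno["enabled_managers"])
    # Fail closed: an ecosystem with no known manager counts as uncovered.
    uncovered = sorted(e for e in detected
                       if not (ECOSYSTEM_MANAGERS.get(e, set()) & enabled))
    return ("fail" if uncovered else "pass"), uncovered

# Constructed sample: only the npm manager is enabled, but Docker is also in use.
SAMPLE = {"package.json": '{"name": "demo"}',
          ".renovaterc": '{"extends": ["config:base"], "enabledManagers": ["npm"]}'}
```

Calling `check_all_ecosystems_covered(collect(SAMPLE), ["npm", "docker"])` reports `docker` as uncovered, which is the gap the guardrail exists to surface: an explicit manager allow-list that silently leaves an ecosystem without update PRs.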

Dependency Automation Guardrails Inputs

Input Required Default Description
