Gitops Managed + ArgoCD Collector
Enforce Gitops Managed using data collected by ArgoCD Collector. Automatically check deployment and infrastructure standards on every PR.
How ArgoCD Collector Powers This Guardrail
The ArgoCD Collector gathers metadata from your ci cd, orchestration systems. This data flows into Lunar's Component JSON, where the Gitops Managed guardrail evaluates it against your standards.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.
Quick Start Configuration
Add both the collector and policy to your lunar-config.yml to enable this guardrail.
# Step 1: Enable the ArgoCD Collector
collectors:
- uses: github://earthly/lunar-lib/collectors/argocd@v1.0.5
# with: ...
# Step 2: Enable the GitOps Guardrails
policies:
- uses: github://earthly/lunar-lib/policies/gitops@v1.0.5
include: [gitops-managed]
# with: ...
What ArgoCD Collector Collects
This collector gathers the following data that the Gitops Managed guardrail evaluates.
parse
Scans the cloned repository for ArgoCD custom resources (argoproj.io/*), validates each against the argoproj CRD schemas, and writes a normalized, tool-agnostic view of the GitOps configuration, including:
- Applications and ApplicationSets (project, sync policy, destination, source)
- AppProjects (allowed source repos and destinations)
- Schema validity of each resource
- Whether Argo Rollouts (canary/blue-green) are referenced Raw, ArgoCD-specific resource shapes are preserved under .cd.gitops.native.argocd. Works for both a dedicated GitOps repo (many Applications) and a component repo that ships its own ArgoCD files.
Example Data Flow
Here's an example of the data that ArgoCD Collector writes to the Component JSON, which Gitops Managed then evaluates.
{
"cd": {
"gitops": {
"source": {
"tool": "argocd",
"integration": "code"
},
"applications": [
{
"name": "payment-api",
"path": "apps/payment-api.yaml",
"valid": true,
"kind": "Application",
"project": "platform",
"component_annotation": "github.com/org/payment-api",
"sync_policy": {
"automated": true,
"prune": true,
"self_heal": true
},
"destination": {
"server": "https://kubernetes.default.svc",
"namespace": "payments"
},
"source_ref": {
"repoURL": "https://github.com/org/gitops.git",
"path": "payment-api",
"targetRevision": "HEAD"
},
"images": ["myregistry.io/payment-api"],
"canary": {
"rollout": true
}
}
],
"projects": [
{
"name": "platform",
"path": "projects/platform.yaml",
"valid": true,
"is_default": false,
"source_repos": ["https://github.com/org/gitops.git"],
"destinations": [
{"namespace": "payments", "server": "https://kubernetes.default.svc"}
]
}
],
"native": {
"argocd": {
"applications": [
{"path": "apps/payment-api.yaml", "resource": {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application", "spec": {}}}
],
"projects": [
{"path": "projects/platform.yaml", "resource": {"apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject", "spec": {}}}
]
}
}
}
}
}
Configuration Options
ArgoCD Collector Inputs
| Input | Required | Default | Description |
|---|---|---|---|
find_command |
Optional |
find . -type f \( -name '*.yaml' -o -name '*.yml' \)
|
Command to find candidate YAML files (must output one file path per line). Used by the parse collector. |
GitOps Guardrails Inputs
| Input | Required | Default | Description |
|---|---|---|---|
allowed_source_repos |
Required | — | Comma-separated allow-list of permitted Application source repoURLs for source-repo-allowlist. Required when that check is enabled (errors if empty). |
allowed_destinations |
Required | — | Comma-separated allow-list of permitted destinations for destination-allowlist. Each entry is `namespace` (allowed on any cluster) or `cluster/namespace` (pinned to one cluster — the cluster segment matches the Application destination's registered name or its server URL). Required when that check is enabled (errors if empty). |
expected_tag |
Required | — | For gitops-managed — only enforce coverage on components whose catalog tags (.catalog.entity.tags, e.g. from a Backstage catalog-info.yaml) include this value. Empty enforces on every component the policy targets (via on:). |
Ready to Automate Your Standards?
See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.