Hamburger Cross Icon
Sync Policy
+
ArgoCD Collector

Sync Policy + ArgoCD Collector

Guardrail Collector Beta Deployment And Infrastructure

Enforce Sync Policy using data collected by ArgoCD Collector. Automatically check deployment and infrastructure standards on every PR.

Guardrail: Requires Applications to use an automated sync policy with prune and self-heal enabled. Drift between Git and the cluster is corrected automatically instead of accumulating silently.
Data Source: Parses and validates ArgoCD Application, ApplicationSet, and AppProject manifests against the argoproj CRD schemas and writes a normalized .cd.gitops view for the gitops and argocd policies. Works for a central GitOps repo or a service that ships its own ArgoCD files.

How ArgoCD Collector Powers This Guardrail

The ArgoCD Collector gathers metadata from your ci cd, orchestration systems. This data flows into Lunar's Component JSON, where the Sync Policy guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
ArgoCD Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Sync Policy Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
# Step 1: Enable the ArgoCD Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/argocd@v1.0.5
    # with: ...

# Step 2: Enable the GitOps Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/gitops@v1.0.5
    include: [sync-policy]
    # with: ...

What ArgoCD Collector Collects

This collector gathers the following data that the Sync Policy guardrail evaluates.

Collector code

parse

Scans the cloned repository for ArgoCD custom resources (argoproj.io/*), validates each against the argoproj CRD schemas, and writes a normalized, tool-agnostic view of the GitOps configuration, including:

  • Applications and ApplicationSets (project, sync policy, destination, source)
  • AppProjects (allowed source repos and destinations)
  • Schema validity of each resource
  • Whether Argo Rollouts (canary/blue-green) are referenced Raw, ArgoCD-specific resource shapes are preserved under .cd.gitops.native.argocd. Works for both a dedicated GitOps repo (many Applications) and a component repo that ships its own ArgoCD files.

Example Data Flow

Here's an example of the data that ArgoCD Collector writes to the Component JSON, which Sync Policy then evaluates.

{ } component.json From ArgoCD Collector
{
  "cd": {
    "gitops": {
      "source": {
        "tool": "argocd",
        "integration": "code"
      },
      "applications": [
        {
          "name": "payment-api",
          "path": "apps/payment-api.yaml",
          "valid": true,
          "kind": "Application",
          "project": "platform",
          "component_annotation": "github.com/org/payment-api",
          "sync_policy": {
            "automated": true,
            "prune": true,
            "self_heal": true
          },
          "destination": {
            "server": "https://kubernetes.default.svc",
            "namespace": "payments"
          },
          "source_ref": {
            "repoURL": "https://github.com/org/gitops.git",
            "path": "payment-api",
            "targetRevision": "HEAD"
          },
          "images": ["myregistry.io/payment-api"],
          "canary": {
            "rollout": true
          }
        }
      ],
      "projects": [
        {
          "name": "platform",
          "path": "projects/platform.yaml",
          "valid": true,
          "is_default": false,
          "source_repos": ["https://github.com/org/gitops.git"],
          "destinations": [
            {"namespace": "payments", "server": "https://kubernetes.default.svc"}
          ]
        }
      ],
      "native": {
        "argocd": {
          "applications": [
            {"path": "apps/payment-api.yaml", "resource": {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application", "spec": {}}}
          ],
          "projects": [
            {"path": "projects/platform.yaml", "resource": {"apiVersion": "argoproj.io/v1alpha1", "kind": "AppProject", "spec": {}}}
          ]
        }
      }
    }
  }
}

Configuration Options

ArgoCD Collector Inputs

Input Required Default Description
find_command Optional find . -type f \( -name '*.yaml' -o -name '*.yml' \) Command to find candidate YAML files (must output one file path per line). Used by the parse collector.

GitOps Guardrails Inputs

Input Required Default Description
allowed_source_repos Required Comma-separated allow-list of permitted Application source repoURLs for source-repo-allowlist. Required when that check is enabled (errors if empty).
allowed_destinations Required Comma-separated allow-list of permitted destinations for destination-allowlist. Each entry is `namespace` (allowed on any cluster) or `cluster/namespace` (pinned to one cluster — the cluster segment matches the Application destination's registered name or its server URL). Required when that check is enabled (errors if empty).
expected_tag Required For gitops-managed — only enforce coverage on components whose catalog tags (.catalog.entity.tags, e.g. from a Backstage catalog-info.yaml) include this value. Empty enforces on every component the policy targets (via on:).

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo