Executed + Semgrep Collector
Enforce Executed using data collected by Semgrep Collector. Automatically check security and compliance standards on every PR.
How Semgrep Collector Powers This Guardrail
The Semgrep Collector gathers Semgrep execution metadata from your GitHub pull requests, CI pipelines, and Lunar Hub. This data flows into Lunar's Component JSON, where the Executed guardrail evaluates it against your standards.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.
Quick Start Configuration
Add both the collector and policy to your lunar-config.yml to enable this guardrail.
# Step 1: Enable the Semgrep Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/semgrep@v1.0.0
    # with: ...
# Step 2: Enable the SAST Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sast@v1.0.0
    include: [executed]
    # with: ...
What Semgrep Collector Collects
This collector gathers the following data that the Executed guardrail evaluates.
github-app
Detects Semgrep GitHub App scans on pull requests by querying the GitHub check-runs API. Waits for the scan to complete and captures its result. Categorizes the scan as SAST (Code) or SCA (Supply Chain) based on the check name.
running-in-prs
Proves that Semgrep is running on PRs by querying Lunar Hub for Semgrep data from recent PRs. Used on the default branch to provide compliance proof that PR scanning is happening (the Semgrep GitHub App only posts checks on PRs, not directly on the default branch).
cli
Detects Semgrep CLI executions in CI pipelines. Captures the command line and the Semgrep version. Categorizes based on flags: --supply-chain means SCA, anything else is treated as SAST.
Example Data Flow
Here's an example of the data that Semgrep Collector writes to the Component JSON, which Executed then evaluates.
{
  "sast": {
    "running_in_prs": true,
    "source": {
      "tool": "semgrep",
      "version": "1.50.0",
      "integration": "github_app"
    },
    "native": {
      "semgrep": {
        "github_app": {
          "id": 12345,
          "name": "Semgrep",
          "status": "completed",
          "conclusion": "success"
        },
        "cicd": {
          "cmds": [
            {"cmd": "semgrep scan --config auto", "version": "1.50.0"}
          ]
        }
      }
    }
  }
}
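To make the data flow concrete, here is an added Python example (not Lunar's own code) that reads a Component JSON document in the shape shown above and evaluates the three kinds of evidence the collector records: a completed GitHub App check, Semgrep CLI commands captured from CI (classified with the same --supply-chain rule as the cli collector), and the running-in-prs proof used on the default branch. The pass/fail rule, that any one evidence source is enough, and the function names are assumptions for illustration, not the guardrail's actual logic.

```python
# Added example (not Lunar's own code): evaluate a Component JSON document
# the way an "Executed"-style guardrail could. The pass/fail rule and the
# function names are assumptions for illustration.
import json

# Constructed sample, mirroring the Component JSON shape shown on the page.
SAMPLE_COMPONENT_JSON = """
{
  "sast": {
    "running_in_prs": true,
    "source": {"tool": "semgrep", "version": "1.50.0", "integration": "github_app"},
    "native": {
      "semgrep": {
        "github_app": {"id": 12345, "name": "Semgrep", "status": "completed",
                       "conclusion": "success"},
        "cicd": {"cmds": [{"cmd": "semgrep scan --config auto", "version": "1.50.0"}]}
      }
    }
  }
}
"""
SAMPLE_COMPONENT = json.loads(SAMPLE_COMPONENT_JSON)


def classify_cli_cmd(cmd: str) -> str:
    """Mirror the collector's CLI rule: --supply-chain means SCA, otherwise SAST."""
    return "sca" if "--supply-chain" in cmd.split() else "sast"


def semgrep_evidence(component: dict) -> dict:
    """Summarise every piece of Semgrep execution evidence in the Component JSON."""
    sast = component.get("sast") or {}
    native = (sast.get("native") or {}).get("semgrep") or {}
    app = native.get("github_app") or {}
    cmds = (native.get("cicd") or {}).get("cmds") or []
    return {
        # A GitHub App check only counts once it has finished and succeeded;
        # an in-progress or failed check is not proof of a completed scan.
        "github_app_passed": app.get("status") == "completed"
        and app.get("conclusion") == "success",
        # Categories seen in CI command lines (empty list if none were captured).
        "cli_categories": sorted({classify_cli_cmd(c.get("cmd", "")) for c in cmds}),
        # Default-branch evaluations rely on the running-in-prs proof instead.
        "running_in_prs": bool(sast.get("running_in_prs")),
    }


def executed_check(component: dict) -> tuple[bool, str]:
    """Return (passed, reason). Assumed rule: any one evidence source suffices."""
    ev = semgrep_evidence(component)
    if ev["github_app_passed"]:
        return True, "Semgrep GitHub App check completed successfully on this PR"
    if ev["cli_categories"]:
        return True, "Semgrep CLI ran in CI (%s)" % ", ".join(ev["cli_categories"])
    if ev["running_in_prs"]:
        return True, "Lunar Hub shows Semgrep results on recent PRs"
    return False, "no Semgrep execution recorded; install the GitHub App or run semgrep in CI"


if __name__ == "__main__":
    passed, reason = executed_check(SAMPLE_COMPONENT)
    print("PASS" if passed else "FAIL", "-", reason)
```

The failure message is the kind of actionable feedback a PR author would see; note that a check that is still in progress, or that finished with a failing conclusion, is deliberately not counted as evidence that a scan was executed.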
Configuration Options
SAST Guardrails Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| min_severity | Optional | high | Minimum severity to fail on (critical, high, medium, low) |
| max_total_threshold | Required | — | Maximum total findings allowed (must be configured) |
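The two inputs interact: min_severity decides which findings are counted, and max_total_threshold caps that count. The following added Python example (not Lunar's own code) shows one way those semantics can be applied to a constructed list of findings; the severity ordering, the handling of unknown severities, and the function names are assumptions for illustration.

```python
# Added example (not Lunar's own code): apply the two SAST Guardrails inputs
# from the table to a list of findings. Severity ordering and error handling
# are assumptions for illustration.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample findings, as a scanner might report them.
SAMPLE_FINDINGS = [
    {"rule": "rule-a", "severity": "critical"},
    {"rule": "rule-b", "severity": "high"},
    {"rule": "rule-c", "severity": "medium"},
    {"rule": "rule-d", "severity": "low"},
]


def counted_findings(findings, min_severity="high"):
    """Findings at or above min_severity; the default mirrors the table's default."""
    if min_severity not in SEVERITY_RANK:
        raise ValueError(
            f"unknown min_severity {min_severity!r}; expected one of {sorted(SEVERITY_RANK)}"
        )
    floor = SEVERITY_RANK[min_severity]
    # Findings with an unrecognised severity rank below "low" and are not counted.
    return [
        f for f in findings
        if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), -1) >= floor
    ]


def threshold_check(findings, max_total_threshold, min_severity="high"):
    """Return (passed, message). max_total_threshold is required and has no default."""
    if max_total_threshold is None:
        raise ValueError("max_total_threshold must be configured")
    total = len(counted_findings(findings, min_severity))
    passed = total <= max_total_threshold
    return passed, f"{total} finding(s) at severity >= {min_severity} (limit {max_total_threshold})"


if __name__ == "__main__":
    ok, msg = threshold_check(SAMPLE_FINDINGS, max_total_threshold=0)
    print("PASS" if ok else "FAIL", "-", msg)
```

With the defaults from the table, only the critical and high findings in the sample are counted, so a threshold of 0 fails the check while a threshold of 2 passes it; lowering min_severity to low counts all four.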