Max Severity + CodeQL Collector

Tags: Guardrail, Collector, Stable, Security and Compliance

Enforce Max Severity using data collected by CodeQL Collector. Automatically check security and compliance standards on every PR.

Guardrail: Ensures no findings at or above the configured severity threshold. Configure min_severity to set the threshold (critical, high, medium, low).
Data Source: Detects GitHub CodeQL security scanning via GitHub Code Scanning check-runs or CLI integration in CI pipelines. Writes to normalized SAST Component JSON paths, enabling tool-agnostic SAST policies.

How CodeQL Collector Powers This Guardrail

The CodeQL Collector gathers metadata from your systems. This data flows into Lunar's Component JSON, where the Max Severity guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1. CodeQL Collector gathers data (Collector): extracts metadata from code, configs, and tool outputs.
2. Component JSON: data centralized in a structured format for evaluation.
3. Max Severity checks (Guardrail): pass/fail result with actionable feedback in PRs.

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

lunar-config.yml:
# Step 1: Enable the CodeQL Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/codeql@v1.0.0
    # with: ...

# Step 2: Enable the SAST Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sast@v1.0.0
    include: [max-severity]
    # with: ...

What CodeQL Collector Collects

This collector gathers the following data that the Max Severity guardrail evaluates.

github-app (collector): Detects CodeQL scans on pull requests by querying the GitHub check-runs API for the github-advanced-security app. Waits for scan completion and captures check status, conclusion, and URLs.

running-in-prs (collector): Proves CodeQL is running on PRs by querying Lunar Hub for CodeQL data from recent PRs. Used on the default branch to provide compliance proof that PR scanning is happening.

cicd (collector): Detects CodeQL CLI or legacy codeql-runner executions in CI pipelines. Captures command metadata and, when the SARIF output file is available on disk (from codeql database analyze/interpret-results), collects the raw SARIF and normalizes findings into .sast.findings and .sast.issues.
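To make the cicd collector's SARIF normalization step concrete, here is an added example (written for this page, not the collector's own code) that reads a CodeQL SARIF document and produces the .sast.findings and .sast.issues shape. The SARIF fields it walks (runs, tool.driver.rules, results, locations.physicalLocation) are standard SARIF 2.1.0; the severity bucketing from each rule's security-severity score uses GitHub code scanning's published cut-offs, and whether the real collector maps scores the same way is an assumption. The SAMPLE_SARIF document, its rule scores and the helper name normalize_sarif_file are constructed for the example.

```python
import json

# Severity buckets in the order the Component JSON reports them.
SEVERITIES = ("critical", "high", "medium", "low")


def score_to_severity(score):
    """Map a rule's 'security-severity' score (a 0-10 string) to a bucket.

    Thresholds are GitHub code scanning's documented cut-offs; that the cicd
    collector uses the same mapping is an assumption of this example."""
    if score is None:
        return "low"  # assumption: unscored rules land in the lowest bucket
    value = float(score)
    if value >= 9.0:
        return "critical"
    if value >= 7.0:
        return "high"
    if value >= 4.0:
        return "medium"
    return "low"


def normalize_sarif(sarif):
    """Return {'findings': {...}, 'issues': [...]} in the shape written to sast.*."""
    issues = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {rule["id"]: rule for rule in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            props = rules.get(rule_id, {}).get("properties", {})
            # A result may carry no location at all; keep the issue but leave
            # file/line empty rather than dropping it from the counts.
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            issues.append({
                "severity": score_to_severity(props.get("security-severity")),
                "rule": rule_id,
                "file": physical.get("artifactLocation", {}).get("uri", ""),
                "line": physical.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    findings = {sev: 0 for sev in SEVERITIES}
    for issue in issues:
        findings[issue["severity"]] += 1
    findings["total"] = len(issues)
    return {"findings": findings, "issues": issues}


# Constructed minimal SARIF (not real CodeQL output): the rule scores and the
# unscored, location-less third result are chosen to exercise each branch above.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "go/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "go/log-injection", "properties": {"security-severity": "5.0"}},
            {"id": "go/unused-variable"},
        ]}},
        "results": [
            {"ruleId": "go/sql-injection",
             "message": {"text": "Unsanitized input used in SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "db/query.go"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "go/log-injection",
             "message": {"text": "Log entry depends on a user-provided value"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "http/handler.go"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "go/unused-variable",
             "message": {"text": "Variable x is unused"}},
        ],
    }],
}


def normalize_sarif_file(path):
    """Hypothetical helper: load a SARIF file from disk (the collector's
    on-disk case) and normalize it."""
    with open(path, encoding="utf-8") as fh:
        return normalize_sarif(json.load(fh))


if __name__ == "__main__":
    print(json.dumps(normalize_sarif(SAMPLE_SARIF), indent=2))
```

Running the block prints findings of one high, one medium and one low (total 3) and the three issues with their file, line and rule, which is the same structure the page's component.json example shows under sast.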

Example Data Flow

Here's an example of the data that CodeQL Collector writes to the Component JSON, which Max Severity then evaluates.

component.json (from CodeQL Collector):
{
  "sast": {
    "running_in_prs": true,
    "source": {
      "tool": "codeql",
      "version": "2.16.0",
      "integration": "ci"
    },
    "findings": {
      "critical": 0,
      "high": 1,
      "medium": 3,
      "low": 0,
      "total": 4
    },
    "issues": [
      {
        "severity": "high",
        "rule": "go/sql-injection",
        "file": "db/query.go",
        "line": 42,
        "message": "Unsanitized input used in SQL query"
      }
    ],
    "summary": {
      "has_critical": false,
      "has_high": true
    },
    "native": {
      "codeql": {
        "github_app": {
          "id": 12345,
          "name": "CodeQL",
          "status": "completed",
          "conclusion": "success"
        },
        "cicd": {
          "cmds": [
            {"cmd": "codeql database interpret-results --format=sarif-latest --output=../results/go.sarif", "version": "2.16.0"}
          ]
        },
        "sarif": {}
      }
    }
  }
}

Configuration Options

SAST Guardrails Inputs

Input                 Required   Default   Description
min_severity          Optional   high      Minimum severity to fail on (critical, high, medium, low)
max_total_threshold   Required   (none)    Maximum total findings allowed (must be configured)
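The following is an added example, not the policy's own implementation, of how a Max Severity check can evaluate the Component JSON above with the two inputs from this table: every finding at or above min_severity fails the check, and a total above max_total_threshold fails it too, with one feedback line per blocking issue. The behaviour for a Component JSON with no sast data (treated as a failure) and the function name evaluate_max_severity are assumptions; SAMPLE_COMPONENT is the page's example document trimmed to the fields the check reads.

```python
# Severity buckets from most to least severe, matching the sast.findings keys.
SEVERITY_ORDER = ("critical", "high", "medium", "low")


def evaluate_max_severity(component, max_total_threshold, min_severity="high"):
    """Return (passed, messages) for one Component JSON document.

    Fails when any finding sits at or above min_severity, or when the total
    number of findings exceeds max_total_threshold. messages is the feedback
    that would be posted on the PR; an empty list means pass."""
    if min_severity not in SEVERITY_ORDER:
        raise ValueError(f"min_severity must be one of {SEVERITY_ORDER}, got {min_severity!r}")
    sast = component.get("sast")
    if not sast or "findings" not in sast:
        # Assumption: with no SAST data the guardrail cannot vouch for the PR.
        return False, ["no SAST findings in Component JSON; is the CodeQL collector enabled?"]
    findings = sast["findings"]
    # Everything from 'critical' down to and including min_severity blocks the PR.
    blocking = SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1]
    messages = []
    for sev in blocking:
        count = findings.get(sev, 0)
        if count:
            messages.append(f"{count} {sev} finding(s); threshold is '{min_severity}' or above")
    total = findings.get("total", 0)
    if total > max_total_threshold:
        messages.append(f"{total} total findings exceed max_total_threshold={max_total_threshold}")
    # Actionable detail: point at each blocking issue by file, line and rule.
    for issue in sast.get("issues", []):
        if issue.get("severity") in blocking:
            messages.append(
                f"  {issue.get('file')}:{issue.get('line')} [{issue.get('rule')}] {issue.get('message')}"
            )
    return not messages, messages


# The page's example Component JSON, trimmed to the fields the policy reads.
SAMPLE_COMPONENT = {
    "sast": {
        "findings": {"critical": 0, "high": 1, "medium": 3, "low": 0, "total": 4},
        "issues": [{
            "severity": "high", "rule": "go/sql-injection",
            "file": "db/query.go", "line": 42,
            "message": "Unsanitized input used in SQL query",
        }],
    }
}


if __name__ == "__main__":
    for threshold in ("high", "critical"):
        passed, feedback = evaluate_max_severity(SAMPLE_COMPONENT, 10, threshold)
        print(f"min_severity={threshold}: {'PASS' if passed else 'FAIL'}")
        for line in feedback:
            print("  " + line)
```

With the default min_severity of high the sample fails on its single high finding and names db/query.go:42; raising the threshold to critical passes it, and a max_total_threshold of 3 fails it again on the total of 4. The threshold is an ordered cut-off, so a PR with only medium and low findings passes under the default even though it has findings.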

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process: infrastructure conventions, post-mortem action items, security & compliance policies, testing & quality requirements.