SBOM Guardrails
Enforce Software Bill of Materials standards across your organization. Verify SBOMs are generated, contain license data, use approved formats, and do not include disallowed licenses.
sbom to your lunar-config.yml:uses: github://earthly/lunar-lib/policies/sbom@v1.0.0
Included Guardrails
This policy includes 5 guardrails that enforce standards for your security and compliance.
sbom-exists
Ensures an SBOM was generated, either automatically or detected in CI.
has-licenses
Verifies that SBOM components have license information populated. Fails if license coverage is below the configured threshold.
disallowed-licenses
Checks for disallowed licenses in SBOM components. Matches component licenses against configurable regex patterns.
min-components
Verifies the SBOM contains a minimum number of components. Catches trivially empty SBOMs that may indicate detection failures.
standard-format
Validates the SBOM uses an approved format (CycloneDX, SPDX). Auto-passes if no format restriction is configured.
How Guardrails Fit into Lunar
Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.
Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.
Learn How Lunar Works →Required Integrations
This policy evaluates data gathered by one or more of the following integration(s).
Make sure to enable them in your lunar-config.yml.
Configuration
Configure this policy in your lunar-config.yml.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
disallowed_licenses
|
Required | — | Comma-separated regex patterns of disallowed licenses (e.g. "GPL.*,AGPL.*") |
min_license_coverage
|
Optional |
50
|
Minimum percentage of components that must have license info (0-100) |
min_components
|
Optional |
1
|
Minimum number of components the SBOM must contain |
allowed_formats
|
Required | — | Comma-separated list of allowed SBOM formats (e.g. "cyclonedx,spdx"). Empty means any. |
Documentation
View on GitHubSBOM Guardrails
Enforces SBOM existence, license compliance, completeness, and format standards.
Overview
This policy enforces Software Bill of Materials standards across your organization. It verifies that SBOMs are generated, contain license data, use approved formats, and do not include disallowed licenses. It works with data from both auto-generated SBOMs (via the syft collector) and CI-detected SBOMs, enabling vendor-agnostic SBOM governance.
Policies
This policy provides the following guardrails (use include to select a subset):
| Policy | Description | Failure Meaning |
|---|---|---|
sbom-exists |
Checks that an SBOM was generated | No SBOM found from any source |
has-licenses |
Verifies components have license info | License coverage below threshold |
disallowed-licenses |
Checks for disallowed license patterns | Component uses a disallowed license |
min-components |
Verifies minimum component count | SBOM has too few components |
standard-format |
Validates SBOM format | SBOM uses a non-approved format |
Required Data
This policy reads from the following Component JSON paths:
| Path | Type | Provided By |
|---|---|---|
.sbom.auto |
object | syft collector (generate sub-collector) |
.sbom.cicd |
object | syft collector (ci sub-collector) |
.sbom.auto.cyclonedx.components |
array | syft collector |
.sbom.cicd.cyclonedx.components |
array | syft collector |
Note: Ensure the syft collector is configured before enabling this policy.
Installation
Add to your lunar-config.yml:
policies:
- uses: github://earthly/lunar-lib/policies/sbom@main
on: ["domain:engineering"]
enforcement: block-pr
# include: [sbom-exists, disallowed-licenses]
with:
disallowed_licenses: "GPL.*,BSL.*,AGPL.*"
min_license_coverage: "90"
min_components: "1"
# allowed_formats: "cyclonedx"
Examples
Passing Example
All components have approved licenses and license coverage meets the threshold:
{
"sbom": {
"auto": {
"source": { "tool": "syft", "integration": "code", "version": "1.19.0" },
"cyclonedx": {
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"components": [
{
"name": "github.com/sirupsen/logrus",
"version": "v1.9.3",
"licenses": [{ "license": { "id": "MIT" } }]
}
]
}
}
}
}
Failing Example
A component uses a disallowed GPL license:
{
"sbom": {
"auto": {
"cyclonedx": {
"components": [
{
"name": "copyleft-lib",
"licenses": [{ "license": { "id": "GPL-3.0" } }]
}
]
}
}
}
}
Failure message: "Component 'copyleft-lib' uses disallowed license 'GPL-3.0' (matches pattern 'GPL.*')"
Remediation
When this policy fails, you can resolve it by:
sbom-existsfailure: Enable thesyftcollector or run Syft in your CI pipeline to generate an SBOMhas-licensesfailure: Ensure Syft has network access for remote license lookups, or add license metadata to your project dependenciesdisallowed-licensesfailure: Replace the disallowed dependency with an alternative that uses an approved license, or update thedisallowed_licensesinputmin-componentsfailure: Verify Syft can detect your project's package manager and dependencies are declared correctlystandard-formatfailure: Configure Syft to output in an approved format (e.g.,cyclonedx-json) or update theallowed_formatsinput
Open Source
This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
Common Use Cases
Explore how individual guardrails work with specific integrations.
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
Infrastructure conventions
Post-mortem action items
Security & compliance policies
Testing & quality requirements