SBOM Guardrails
Enforce Software Bill of Materials standards across your organization. Verify SBOMs are generated, contain license data, use approved formats, do not include disallowed licenses, and flag dependencies with blocked geographic origins or disallowed package patterns.
sbom to your lunar-config.yml:uses: github://earthly/lunar-lib/policies/sbom@v1.0.0
Included Guardrails
This policy includes 7 guardrails that enforce standards for your security and compliance.
sbom-exists
Ensures an SBOM was generated, either automatically or detected in CI.
has-licenses
Verifies that SBOM components have license information populated. Fails if license coverage is below the configured threshold.
disallowed-licenses
Checks for disallowed licenses in SBOM components. Matches component licenses against configurable regex patterns.
min-components
Verifies the SBOM contains a minimum number of components. Catches trivially empty SBOMs that may indicate detection failures.
standard-format
Validates the SBOM uses an approved format (CycloneDX, SPDX). Auto-passes if no format restriction is configured.
blocked-origins
Checks for dependencies with license origin mentions from blocked countries. Supports blocklist or allowlist mode. Requires the license-origins collector.
disallowed-packages
Checks for disallowed packages by matching PURL, name, or group against configurable regex patterns (e.g. "ru\.yandex\..", "com\.alibaba\..").
How Guardrails Fit into Lunar
Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.
Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.
Learn How Lunar Works →Required Integrations
This policy evaluates data gathered by one or more of the following integration(s).
Make sure to enable them in your lunar-config.yml.
Configuration
Configure this policy in your lunar-config.yml.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
disallowed_licenses
|
Required | — | Regex patterns of disallowed licenses. Accepts a comma-separated string (e.g. "GPL.*,AGPL.*") or a JSON array (e.g. '["GPL.*", "AGPL.*"]'). |
min_license_coverage
|
Optional |
50
|
Minimum percentage of components that must have license info (0-100) |
min_components
|
Optional |
1
|
Minimum number of components the SBOM must contain |
allowed_formats
|
Required | — | Comma-separated list of allowed SBOM formats (e.g. "cyclonedx,spdx"). Empty means any. |
blocked_countries
|
Required | — | Comma-separated list of blocked countries for license origin checks (e.g. "Russia,China,Iran,North Korea") |
disallowed_packages
|
Required | — | Regex patterns for disallowed packages, matched against PURL, name, and group. Accepts a comma-separated string or a JSON array (e.g. '["ru\\.yandex\\..*", "com\\.alibaba\\..*"]'). |
Documentation
View on GitHubSBOM Guardrails
Enforces SBOM existence, license compliance, completeness, and format standards.
Overview
This policy enforces Software Bill of Materials standards across your organization. It verifies that SBOMs are generated, contain license data, use approved formats, and do not include disallowed licenses. It works with data from both auto-generated SBOMs (via the syft collector) and CI-detected SBOMs, enabling vendor-agnostic SBOM governance.
Policies
This policy provides the following guardrails (use include to select a subset):
| Policy | Description | Failure Meaning |
|---|---|---|
sbom-exists |
Checks that an SBOM was generated | No SBOM found from any source |
has-licenses |
Verifies components have license info | License coverage below threshold |
disallowed-licenses |
Checks for disallowed license patterns | Component uses a disallowed license |
min-components |
Verifies minimum component count | SBOM has too few components |
standard-format |
Validates SBOM format | SBOM uses a non-approved format |
blocked-origins |
Checks for license origin mentions from blocked countries | Dependency has country mention from blocklist |
disallowed-packages |
Checks for disallowed packages by PURL/name/group pattern | Package matches a disallowed pattern |
Required Data
This policy reads from the following Component JSON paths:
| Path | Type | Provided By |
|---|---|---|
.sbom.auto |
object | syft collector (generate sub-collector) |
.sbom.cicd |
object | syft collector (ci sub-collector) |
.sbom.auto.cyclonedx.components |
array | syft collector |
.sbom.cicd.cyclonedx.components |
array | syft collector |
.sbom.license_origins.packages |
array | license-origins collector (for blocked-origins check) |
Note: Ensure the syft collector is configured before enabling this policy. The blocked-origins check additionally requires the license-origins collector.
Installation
Add to your lunar-config.yml:
policies:
- uses: github://earthly/lunar-lib/policies/sbom@main
on: ["domain:engineering"]
enforcement: block-pr
# include: [sbom-exists, disallowed-licenses]
with:
disallowed_licenses: "GPL.*,BSL.*,AGPL.*"
min_license_coverage: "90"
min_components: "1"
# allowed_formats: "cyclonedx"
# disallowed_packages: '["alibabacloud", "aliyun-.*", ".*\\.ru$"]'
Tip:
disallowed_licensesanddisallowed_packagesaccept either a comma-separated string ("GPL.*,AGPL.*") or a JSON array string ('["GPL.*", "AGPL.*"]'). JSON arrays are recommended when patterns contain commas or complex regex.
Examples
Passing Example
All components have approved licenses and license coverage meets the threshold:
{
"sbom": {
"auto": {
"source": { "tool": "syft", "integration": "code", "version": "1.19.0" },
"cyclonedx": {
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"components": [
{
"name": "github.com/sirupsen/logrus",
"version": "v1.9.3",
"licenses": [{ "license": { "id": "MIT" } }]
}
]
}
}
}
}
Failing Example
A component uses a disallowed GPL license:
{
"sbom": {
"auto": {
"cyclonedx": {
"components": [
{
"name": "copyleft-lib",
"licenses": [{ "license": { "id": "GPL-3.0" } }]
}
]
}
}
}
}
Failure message: "Component 'copyleft-lib' uses disallowed license 'GPL-3.0' (matches pattern 'GPL.*')"
Remediation
When this policy fails, you can resolve it by:
sbom-existsfailure: Enable thesyftcollector or run Syft in your CI pipeline to generate an SBOMhas-licensesfailure: Ensure Syft has network access for remote license lookups, or add license metadata to your project dependenciesdisallowed-licensesfailure: Replace the disallowed dependency with an alternative that uses an approved license, or update thedisallowed_licensesinputmin-componentsfailure: Verify Syft can detect your project's package manager and dependencies are declared correctlystandard-formatfailure: Configure Syft to output in an approved format (e.g.,cyclonedx-json) or update theallowed_formatsinputblocked-originsfailure: Review the flagged package's license file to confirm the country mention is genuine (not a false positive), then either replace the dependency or update theblocked_countries/allowed_countriesinputsdisallowed-packagesfailure: Replace the disallowed dependency or update thedisallowed_packagesregex patterns
Open Source
This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
Common Use Cases
Explore how individual guardrails work with specific integrations.
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
Infrastructure conventions
Post-mortem action items
Security & compliance policies
Testing & quality requirements