Disallowed Licenses + Syft SBOM Collector

✓ Guardrail ↓ Collector Stable Security And Compliance

Enforce Disallowed Licenses using data collected by Syft SBOM Collector. Automatically check security and compliance standards on every PR.

Guardrail: Checks for disallowed licenses in SBOM components. Matches component licenses against configurable regex patterns.

Data Source: Generate Software Bill of Materials automatically or detect existing Syft SBOM generation in CI pipelines. Supports CycloneDX and SPDX formats with license detection for Go, Java, Node.js, and Python.

Get Started View on GitHub

How Syft SBOM Collector Powers This Guardrail

The Syft SBOM Collector gathers metadata from your security systems. This data flows into Lunar's Component JSON, where the Disallowed Licenses guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

↓ Syft SBOM Collector Gathers Data Collector

Extracts metadata from code, configs, and tool outputs

{ } Component JSON

Data centralized in structured format for evaluation

✓ Disallowed Licenses Checks Guardrail

Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml

# Step 1: Enable the Syft SBOM Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/syft@v1.0.0
    # with: ...

# Step 2: Enable the SBOM Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sbom@v1.0.0
    include: [disallowed-licenses]
    # with: ...

What Syft SBOM Collector Collects

This collector gathers the following data that the Disallowed Licenses guardrail evaluates.

Collector code

`generate`

Auto-generates a CycloneDX SBOM using Syft. Enables remote license lookups for Go, Java, Node.js, and Python. Writes full SBOM to .sbom.auto.cyclonedx with source metadata.

Collector ci-after-command

`ci`

Detects Syft execution in CI pipelines. Records source metadata to .sbom.cicd and optionally collects the generated SBOM file if the output path can be determined from command flags.

Example Data Flow

Here's an example of the data that Syft SBOM Collector writes to the Component JSON, which Disallowed Licenses then evaluates.

{ } component.json From Syft SBOM Collector

{
  "sbom": {
    "auto": {
      "source": { "tool": "syft", "integration": "code", "version": "1.41.2" },
      "cyclonedx": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
          {
            "name": "github.com/sirupsen/logrus",
            "version": "v1.9.3",
            "licenses": [{ "license": { "id": "MIT" } }]
          }
        ]
      }
    },
    "cicd": {
      "source": { "tool": "syft", "integration": "ci", "version": "1.41.2" },
      "cyclonedx": { "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [] }
    }
  }
}

Configuration Options

SBOM Guardrails Inputs

Input	Required	Default	Description
`disallowed_licenses`	Required	—	Comma-separated regex patterns of disallowed licenses (e.g. "GPL.,AGPL.")
`min_license_coverage`	Optional	`50`	Minimum percentage of components that must have license info (0-100)
`min_components`	Optional	`1`	Minimum number of components the SBOM must contain
`allowed_formats`	Required	—	Comma-separated list of allowed SBOM formats (e.g. "cyclonedx,spdx"). Empty means any.

Learn More

Guardrail · SBOM Guardrails Disallowed Licenses View all compatible integrations

→

Collector Syft SBOM Collector View full documentation

→

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process

Infrastructure conventions

Post-mortem action items

Security & compliance policies

Testing & quality requirements

Automate Now

Turn any process doc into guardrails

Book a Demo