Disallowed Licenses + Syft SBOM Collector

Guardrail · Collector · Stable · Security and Compliance

Enforce Disallowed Licenses using data collected by Syft SBOM Collector. Automatically check security and compliance standards on every PR.

Guardrail: Checks for disallowed licenses in SBOM components. Matches component licenses against configurable regex patterns.
Data Source: Generates a Software Bill of Materials automatically, or detects existing Syft SBOM generation in CI pipelines. Supports CycloneDX and SPDX formats, with license detection for Go, Java, Node.js, Python, and Rust.

How Syft SBOM Collector Powers This Guardrail

The Syft SBOM Collector gathers metadata from your security systems. This data flows into Lunar's Component JSON, where the Disallowed Licenses guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1. Syft SBOM Collector (Collector): extracts metadata from code, configs, and tool outputs.
2. Component JSON: data centralized in a structured format for evaluation.
3. Disallowed Licenses (Guardrail): pass/fail result with actionable feedback in PRs.

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
# Step 1: Enable the Syft SBOM Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/syft@v1.0.0
    # with: ...

# Step 2: Enable the SBOM Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sbom@v1.0.0
    include: [disallowed-licenses]
    # with: ...

What Syft SBOM Collector Collects

This collector gathers the following data that the Disallowed Licenses guardrail evaluates.

Collector: generate (type: code)
  Auto-generates a CycloneDX SBOM using Syft. Enables remote license lookups for Go, Java, Node.js, Python, and Rust. Writes the full SBOM to .sbom.auto.cyclonedx with source metadata.

Collector: ci (type: ci-after-command)
  Detects Syft execution in CI pipelines. Records command metadata to .sbom.native.syft.cicd and collects the generated SBOM to the normalized .sbom.cicd.cyclonedx/.spdx if the output path can be determined.

Example Data Flow

Here's an example of the data that Syft SBOM Collector writes to the Component JSON, which Disallowed Licenses then evaluates.

component.json (from Syft SBOM Collector)
{
  "sbom": {
    "auto": {
      "source": { "tool": "syft", "integration": "code", "version": "1.41.2" },
      "cyclonedx": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
          {
            "name": "github.com/sirupsen/logrus",
            "version": "v1.9.3",
            "licenses": [{ "license": { "id": "MIT" } }]
          }
        ]
      }
    },
    "cicd": {
      "cyclonedx": { "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [] }
    },
    "native": {
      "syft": {
        "cicd": {
          "cmds": [{ "cmd": "syft . -o cyclonedx-json=sbom.json", "version": "1.41.2" }]
        }
      }
    }
  }
}

Configuration Options

SBOM Guardrails Inputs

Input | Required | Default | Description
disallowed_licenses | Required | (none) | Regex patterns of disallowed licenses. Accepts a comma-separated string (e.g. "GPL.*,AGPL.*") or a JSON array (e.g. '["GPL.*", "AGPL.*"]').
min_license_coverage | Optional | 50 | Minimum percentage of components that must have license info (0-100).
min_components | Optional | 1 | Minimum number of components the SBOM must contain.
allowed_formats | Required | (none) | Comma-separated list of allowed SBOM formats (e.g. "cyclonedx,spdx"). Empty means any.
blocked_countries | Required | (none) | Comma-separated list of blocked countries for license origin checks (e.g. "Russia,China,Iran,North Korea").
disallowed_packages | Required | (none) | Regex patterns for disallowed packages, matched against PURL, name, and group. Accepts a comma-separated string or a JSON array (e.g. '["ru\\.yandex\\..*", "com\\.alibaba\\..*"]').
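To make concrete what the guardrail is doing when it evaluates the component.json shown above against the disallowed_licenses, min_license_coverage and min_components inputs in this table, here is an added stand-alone Python example. It is not Lunar's policy code; the exact matching rules Lunar applies (for instance whether a pattern must match the whole license identifier) are not stated on this page, so the fullmatch semantics, the handling of CycloneDX license name/expression fields, and the two extra components added to the sample to trigger findings are all assumptions of this example.

```python
import json
import re

# Constructed sample that mirrors the component.json shape on this page.
# The logrus entry is from the page; the other two components are added
# here to exercise a disallowed-license hit and a missing-license case.
COMPONENT_JSON = json.loads("""
{
  "sbom": {
    "auto": {
      "source": {"tool": "syft", "integration": "code", "version": "1.41.2"},
      "cyclonedx": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
          {"name": "github.com/sirupsen/logrus", "version": "v1.9.3",
           "licenses": [{"license": {"id": "MIT"}}]},
          {"name": "example.org/copyleft-lib", "version": "2.0.0",
           "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
          {"name": "example.org/unlabelled", "version": "0.1.0"}
        ]
      }
    }
  }
}
""")


def parse_patterns(raw):
    """Accept both input shapes the table documents: a JSON array of regex
    strings or a comma-separated string. Returns compiled regexes."""
    raw = raw.strip()
    if raw.startswith("["):
        patterns = json.loads(raw)
    else:
        patterns = [p.strip() for p in raw.split(",") if p.strip()]
    return [re.compile(p) for p in patterns]


def component_licenses(component):
    """Collect license identifiers from a CycloneDX component. CycloneDX
    allows an SPDX `id`, a free-text `name`, or an SPDX `expression`."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        value = lic.get("id") or lic.get("name") or entry.get("expression")
        if value:
            ids.append(value)
    return ids


def evaluate(component_json, disallowed_licenses,
             min_license_coverage=50, min_components=1):
    """Return (passed, findings) for the auto-generated SBOM.
    Pattern matching uses re.fullmatch (an assumption of this example), so
    "GPL.*" flags "GPL-3.0-only" but not "LGPL-2.1-only"."""
    patterns = parse_patterns(disallowed_licenses)
    components = component_json["sbom"]["auto"]["cyclonedx"]["components"]
    findings = []

    if len(components) < min_components:
        findings.append(
            f"SBOM has {len(components)} components; minimum is {min_components}")

    with_license = 0
    for comp in components:
        ids = component_licenses(comp)
        if ids:
            with_license += 1
        for lic in ids:
            for pat in patterns:
                if pat.fullmatch(lic):
                    findings.append(
                        f"{comp['name']}@{comp.get('version', '?')} uses "
                        f"disallowed license {lic} (pattern {pat.pattern!r})")
                    break

    coverage = 100 * with_license / len(components) if components else 0
    if coverage < min_license_coverage:
        findings.append(
            f"license coverage {coverage:.0f}% is below minimum {min_license_coverage}%")

    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = evaluate(COMPONENT_JSON, '["GPL.*", "AGPL.*"]')
    print("PASS" if ok else "FAIL")
    for f in findings:
        print(" -", f)
```

With the sample above, two of three components carry license data (67% coverage, above the default 50), so the only finding is the GPL-3.0-only component. The matching mode is worth checking against the real policy before relying on a pattern: under search semantics "GPL.*" would also catch LGPL, which is usually not what a disallowed-license list intends, and components with no license data at all are caught only by min_license_coverage, not by any pattern.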

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.
