Disallowed Packages

✓ Guardrail SBOM Guardrails Stable Security And Compliance

sbom.disallowed-packages

Checks for disallowed packages by matching PURL, name, or group against configurable regex patterns (e.g. "ru\.yandex\..", "com\.alibaba\..").

sbom disallowed packages package blocklist supply chain compliance

Get Started View All SBOM Guardrails

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Disallowed Packages with each collector.

Disallowed Packages + Syft SBOM Collector Provides SBOM data for policy evaluation

→

Disallowed Packages + License Origins Collector Provides license origin data for blocked-origins check

→

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml

policies:
  - uses: github://earthly/lunar-lib/policies/sbom@v1.0.0
    include: [disallowed-packages]
    # with: ...

How This Guardrail Works

This guardrail is part of the SBOM Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works →

↓ Integrations Gather Data

Collectors extract metadata from code, CI pipelines, tool outputs, and scans

{ } Centralized as JSON

All data merged into each component's unified metadata document

✓ This Guardrail Checks Current

Disallowed Packages runs and provides pass/fail feedback

Configuration Options

These inputs can be configured in your lunar-config.yml to customize how the parent policy (and this guardrail) behaves.

Input	Required	Default	Description
`disallowed_licenses`	Required	—	Regex patterns of disallowed licenses. Accepts a comma-separated string (e.g. "GPL.,AGPL.") or a JSON array (e.g. '["GPL.", "AGPL."]').
`min_license_coverage`	Optional	`50`	Minimum percentage of components that must have license info (0-100)
`min_components`	Optional	`1`	Minimum number of components the SBOM must contain
`allowed_formats`	Required	—	Comma-separated list of allowed SBOM formats (e.g. "cyclonedx,spdx"). Empty means any.
`blocked_countries`	Required	—	Comma-separated list of blocked countries for license origin checks (e.g. "Russia,China,Iran,North Korea")
`disallowed_packages`	Required	—	Regex patterns for disallowed packages, matched against PURL, name, and group. Accepts a comma-separated string or a JSON array (e.g. '["ru\\.yandex\\..", "com\\.alibaba\\.."]').

SBOM Guardrails

This guardrail is part of the SBOM Guardrails policy, which includes 7 guardrails for security and compliance.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process

Infrastructure conventions

Post-mortem action items

Security & compliance policies

Testing & quality requirements

Automate Now

Turn any process doc into guardrails

Book a Demo