Sbom Exists + Syft SBOM Collector
Enforce Sbom Exists using data collected by Syft SBOM Collector. Automatically check security and compliance standards on every PR.
How Syft SBOM Collector Powers This Guardrail
The Syft SBOM Collector gathers metadata from your security systems. This data flows into Lunar's Component JSON, where the Sbom Exists guardrail evaluates it against your standards.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.
Quick Start Configuration
Add both the collector and policy to your lunar-config.yml to enable this guardrail.
```yaml
# Step 1: Enable the Syft SBOM Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/syft@v1.0.0
    # with: ...

# Step 2: Enable the SBOM Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sbom@v1.0.0
    include: [sbom-exists]
    # with: ...
```
What Syft SBOM Collector Collects
This collector gathers the following data that the Sbom Exists guardrail evaluates.
- **generate**: Auto-generates a CycloneDX SBOM using Syft. Enables remote license lookups for Go, Java, Node.js, Python, and Rust. Writes the full SBOM to `.sbom.auto.cyclonedx` together with source metadata.
- **ci**: Detects Syft execution in CI pipelines. Records command metadata to `.sbom.native.syft.cicd` and, if the output path can be determined, collects the generated SBOM into the normalized `.sbom.cicd.cyclonedx` or `.sbom.cicd.spdx` field.
Example Data Flow
Here's an example of the data that Syft SBOM Collector writes to the Component JSON, which Sbom Exists then evaluates.
```json
{
  "sbom": {
    "auto": {
      "source": { "tool": "syft", "integration": "code", "version": "1.41.2" },
      "cyclonedx": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
          {
            "name": "github.com/sirupsen/logrus",
            "version": "v1.9.3",
            "licenses": [{ "license": { "id": "MIT" } }]
          }
        ]
      }
    },
    "cicd": {
      "cyclonedx": { "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [] }
    },
    "native": {
      "syft": {
        "cicd": {
          "cmds": [{ "cmd": "syft . -o cyclonedx-json=sbom.json", "version": "1.41.2" }]
        }
      }
    }
  }
}
```
Configuration Options
SBOM Guardrails Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| `disallowed_licenses` | Required | — | Regex patterns of disallowed licenses. Accepts a comma-separated string (e.g. `"GPL.*,AGPL.*"`) or a JSON array (e.g. `'["GPL.*", "AGPL.*"]'`). |
| `min_license_coverage` | Optional | 50 | Minimum percentage of components that must have license info (0-100). |
| `min_components` | Optional | 1 | Minimum number of components the SBOM must contain. |
| `allowed_formats` | Required | — | Comma-separated list of allowed SBOM formats (e.g. `"cyclonedx,spdx"`). Empty means any. |
| `blocked_countries` | Required | — | Comma-separated list of blocked countries for license origin checks (e.g. `"Russia,China,Iran,North Korea"`). |
| `disallowed_packages` | Required | — | Regex patterns for disallowed packages, matched against PURL, name, and group. Accepts a comma-separated string or a JSON array (e.g. `'["ru\\.yandex\\..*", "com\\.alibaba\\..*"]'`). |
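To make the data flow concrete, here is an added example (not Lunar's own policy code) that walks the Component JSON shape shown above and applies the inputs from this table to it. The check order, the choice of the SBOM with the most components when several are present, full-match regex semantics, and the SPDX field names (`packages`, `licenseConcluded`, `licenseDeclared`) are assumptions made for the illustration; `blocked_countries` is not modelled because the sample data carries no origin information. The second, unlicensed component in the sample is constructed to exercise the coverage threshold.

```python
import json
import re

# Constructed sample Component JSON, mirroring the shape shown on this page,
# plus one extra component without license info (constructed) for coverage tests.
COMPONENT_JSON = {
    "sbom": {
        "auto": {
            "source": {"tool": "syft", "integration": "code", "version": "1.41.2"},
            "cyclonedx": {
                "bomFormat": "CycloneDX",
                "specVersion": "1.5",
                "components": [
                    {"name": "github.com/sirupsen/logrus", "version": "v1.9.3",
                     "licenses": [{"license": {"id": "MIT"}}]},
                    {"name": "github.com/example/unlicensed", "version": "v0.1.0",
                     "licenses": []},
                ],
            },
        },
        "cicd": {"cyclonedx": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}},
    }
}


def parse_patterns(value):
    """Accept a comma-separated string or a JSON array, as the inputs table describes."""
    if value is None or value == "":
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    text = value.strip()
    if text.startswith("["):
        return [str(v) for v in json.loads(text)]
    return [p.strip() for p in text.split(",") if p.strip()]


def find_sboms(component):
    """Yield (location, format, document) for every SBOM under .sbom.<loc>.<fmt>."""
    found = []
    for loc, entry in component.get("sbom", {}).items():
        if loc == "native":  # raw tool metadata, not an SBOM document
            continue
        for fmt in ("cyclonedx", "spdx"):
            doc = entry.get(fmt)
            if isinstance(doc, dict):
                found.append((loc, fmt, doc))
    return found


def components_of(fmt, doc):
    # CycloneDX lists "components"; SPDX lists "packages" (assumed mapping).
    return doc.get("components", []) if fmt == "cyclonedx" else doc.get("packages", [])


def licenses_of(comp):
    """Collect license identifiers from CycloneDX and (assumed) SPDX fields."""
    ids = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        lid = lic.get("id") or lic.get("name")
        if lid:
            ids.append(lid)
    for key in ("licenseConcluded", "licenseDeclared"):
        value = comp.get(key)
        if value and value not in ("NOASSERTION", "NONE"):
            ids.append(value)
    return ids


def evaluate(component, inputs):
    """Return (passed, findings) for the documented inputs; hypothetical check logic."""
    findings = []
    sboms = find_sboms(component)
    if not sboms:
        return False, ["no SBOM found in Component JSON"]
    allowed = parse_patterns(inputs.get("allowed_formats"))
    if allowed:  # empty means any format is acceptable
        sboms = [s for s in sboms if s[1] in allowed]
        if not sboms:
            return False, [f"no SBOM in an allowed format {allowed}"]
    loc, fmt, doc = max(sboms, key=lambda s: len(components_of(s[1], s[2])))
    comps = components_of(fmt, doc)
    min_components = int(inputs.get("min_components", 1))
    if len(comps) < min_components:
        findings.append(f"{loc}.{fmt}: {len(comps)} components < min_components={min_components}")
    with_license = sum(1 for c in comps if licenses_of(c))
    coverage = 100.0 * with_license / len(comps) if comps else 0.0
    min_cov = float(inputs.get("min_license_coverage", 50))
    if coverage < min_cov:
        findings.append(f"license coverage {coverage:.0f}% < min_license_coverage={min_cov:.0f}%")
    bad_lic = [re.compile(p) for p in parse_patterns(inputs.get("disallowed_licenses"))]
    bad_pkg = [re.compile(p) for p in parse_patterns(inputs.get("disallowed_packages"))]
    for c in comps:
        for lid in licenses_of(c):
            if any(r.fullmatch(lid) for r in bad_lic):
                findings.append(f"{c.get('name')}: disallowed license {lid}")
        for field in (c.get("purl"), c.get("name"), c.get("group")):
            if field and any(r.fullmatch(field) for r in bad_pkg):
                findings.append(f"{c.get('name')}: disallowed package ({field})")
                break
    return not findings, findings


if __name__ == "__main__":
    print(evaluate(COMPONENT_JSON, {"disallowed_licenses": "GPL.*,AGPL.*"}))
```

With the defaults the sample passes: the richer `auto.cyclonedx` document is chosen over the empty `cicd` one, it holds at least one component, and exactly half of its components carry a license, which meets the 50% default. Raising `min_license_coverage` to 100, disallowing `MIT`, or restricting `allowed_formats` to `spdx` each produce a finding, which is the kind of actionable feedback the guardrail surfaces on a PR.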
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.