Executed + Grype Vulnerability Scanner Collector


Enforce Executed using data collected by Grype Vulnerability Scanner Collector. Automatically check security and compliance standards on every PR.

Guardrail: Verifies that SCA scanning was executed on the component. Fails if no scanner has written to .sca.
Data Source: Scans repository dependencies for known CVEs using Grype, Anchore's open-source vulnerability scanner. Writes normalized findings to .sca for use with the SCA policy. No secrets or vendor accounts required.

How Grype Vulnerability Scanner Collector Powers This Guardrail

The Grype Vulnerability Scanner Collector gathers metadata from your security systems. This data flows into Lunar's Component JSON, where the Executed guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1. Grype Vulnerability Scanner Collector gathers data: extracts metadata from code, configs, and tool outputs.
2. Component JSON: the data is centralized in a structured format for evaluation.
3. Executed checks: a pass/fail result with actionable feedback in PRs.

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
# Step 1: Enable the Grype Vulnerability Scanner Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/grype@v1.0.5
    # with: ...

# Step 2: Enable the SCA Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sca@v1.0.5
    include: [executed]
    # with: ...

What Grype Vulnerability Scanner Collector Collects

This collector gathers the following data that the Executed guardrail evaluates.

Collector "auto" (type: code)

Auto-scans the repository filesystem for dependency vulnerabilities using Grype. Writes normalized findings to .sca with severity counts, CVE IDs, affected packages, and fix versions.

Collector "rescan" (type: cron)

Re-runs the dependency (SCA) scan on a schedule and overwrites .sca so the SCA policy re-evaluates against CVEs published since the commit was first scanned — closing the gap where a branch passes at scan time but a dependency picks up a new CVE later. Runs the same scan as the auto collector (the sibling auto.sh) in the Grype collector image, and stamps .sca.source.integration="cron" (vs "code" for the on-push scan) so it's clear the data came from a scheduled re-scan.

Collector "cicd" (type: ci-after-command)

Detects Grype executions in CI pipelines. Captures the command, version, and input arguments for audit and compliance tracking.

Example Data Flow

Here's an example of the data that Grype Vulnerability Scanner Collector writes to the Component JSON, which Executed then evaluates.

{
  "sca": {
    "source": {
      "tool": "grype",
      "version": "0.74.0",
      "integration": "code"
    },
    "vulnerabilities": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 3,
      "total": 10
    },
    "findings": [
      {
        "severity": "high",
        "package": "golang.org/x/net",
        "version": "0.7.0",
        "ecosystem": "go-module",
        "cve": "CVE-2023-44487",
        "title": "HTTP/2 Rapid Reset Attack",
        "fix_version": "0.17.0",
        "fixable": true
      }
    ],
    "summary": {
      "has_critical": false,
      "has_high": true,
      "all_fixable": true
    },
    "native": {
      "grype": {
        "cicd": {
          "cmds": [
            {"cmd": "grype dir:. -o json", "version": "0.74.0"}
          ]
        },
        "matches": [
          {
            "vulnerability": {
              "id": "CVE-2023-44487",
              "severity": "High",
              "fix": {"versions": ["0.17.0"], "state": "fixed"},
              "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
              "cvss": [{"metrics": {"baseScore": 7.5}}]
            },
            "artifact": {
              "name": "golang.org/x/net",
              "version": "0.7.0",
              "type": "go-module",
              "language": "go",
              "purl": "pkg:golang/golang.org/x/net@0.7.0"
            }
          }
        ]
      }
    }
  }
}
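As an added example (not Lunar's or Grype's own code), the following Python normalizes a Grype JSON report into the .sca shape shown above, then runs the Executed check and a min_severity check over the resulting Component JSON. The function names, the second constructed finding and its placeholder id are assumptions; the .sca field names follow the example above.

```python
import json

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed Grype-style report: the first match mirrors the native.grype.matches
# entry above; the second is a made-up unfixed finding with a placeholder id.
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-44487", "severity": "High",
                       "fix": {"versions": ["0.17.0"], "state": "fixed"}},
     "artifact": {"name": "golang.org/x/net", "version": "0.7.0", "type": "go-module"}},
    {"vulnerability": {"id": "PLACEHOLDER-ID-0001", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example/pkg", "version": "1.0.0", "type": "npm"}},
]})


def normalize(report_json, tool_version, integration="code"):
    """Turn Grype's raw matches into the normalized .sca block (counts, findings, summary)."""
    matches = json.loads(report_json).get("matches", [])
    counts = {s: 0 for s in SEVERITIES}
    findings = []
    for m in matches:
        vuln, art = m["vulnerability"], m["artifact"]
        sev = vuln.get("severity", "").lower()
        if sev not in counts:  # Grype also reports Negligible/Unknown; not counted here
            continue
        counts[sev] += 1
        fix_versions = vuln.get("fix", {}).get("versions") or []
        findings.append({"severity": sev, "package": art["name"], "version": art["version"],
                         "ecosystem": art.get("type"), "cve": vuln["id"],
                         "fix_version": fix_versions[0] if fix_versions else None,
                         "fixable": bool(fix_versions)})
    counts["total"] = sum(counts[s] for s in SEVERITIES)
    return {"source": {"tool": "grype", "version": tool_version, "integration": integration},
            "vulnerabilities": counts, "findings": findings,
            "summary": {"has_critical": counts["critical"] > 0,
                        "has_high": counts["high"] > 0,
                        "all_fixable": all(f["fixable"] for f in findings)}}


def executed(component):
    """Executed guardrail: pass only if some scanner has written a tool name into .sca."""
    return bool(component.get("sca", {}).get("source", {}).get("tool"))


def max_severity(component, min_severity="high"):
    """Fail when any finding sits at or above min_severity (order given by SEVERITIES)."""
    failing = SEVERITIES[:SEVERITIES.index(min_severity) + 1]
    counts = component["sca"]["vulnerabilities"]
    return sum(counts.get(s, 0) for s in failing) == 0
```

Wrapping the normalized block as {"sca": normalize(...)} gives the Component JSON the policy functions take as input.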

Configuration Options

Grype Vulnerability Scanner Collector Inputs

db_auto_update (optional; default: false)
EXPERIMENTAL. Download the latest Grype vulnerability database at scan time instead of using the one baked into the image. May cause OOM issues on some deployments if memory limits per collector container are not configured.

SCA Guardrails Inputs

min_severity (optional; default: high)
Minimum severity to fail on (critical, high, medium, low).

max_total_threshold (required; no default)
Maximum total findings allowed (must be configured).

alert_url (required)
Optional webhook URL. When set, a failing max-severity check also POSTs a JSON payload describing the findings at or above min_severity. Leave empty to disable alerting (default).

alert_timeout_sec (optional; default: 2)
Webhook POST timeout in seconds. Best-effort: a slow or dead endpoint never changes the check result.
