Max Severity + GitHub Collector
Enforce the Max Severity guardrail using data collected by the GitHub Collector. The check runs automatically on every PR, so security and compliance standards are verified before code is merged.
How GitHub Collector Powers This Guardrail
The GitHub Collector gathers repository metadata from your version control system (VCS). This data flows into Lunar's Component JSON under the .vcs key, where the Max Severity guardrail evaluates it against your standards.
When enabled, this check runs automatically on every PR and in AI coding workflows, enforcing the standard in real time and reporting actionable feedback when it is violated.
Quick Start Configuration
Add both the collector and policy to your lunar-config.yml to enable this guardrail.
# Step 1: Enable the GitHub Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/github@v1.0.0
    # with: ...
# Step 2: Enable the SCA Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/sca@v1.0.0
    include: [max-severity]
    # with: ...
What GitHub Collector Collects
This collector gathers the following data that the Max Severity guardrail evaluates.
repository
Fetches basic repository settings from the GitHub API including visibility (public/private/internal), default branch name, topics, and allowed merge strategies (merge commit, squash, rebase). Writes to .vcs.provider, .vcs.visibility, .vcs.default_branch, .vcs.topics, and .vcs.merge_strategies.
branch-protection
Fetches branch protection rules for the default branch from the GitHub API. Collects required approvals, code owner review, dismiss stale reviews, required status checks, force push/deletion restrictions, linear history requirements, signed commit requirements, and push restrictions (users, teams, apps). Writes the full settings to .vcs.branch_protection. Because only the default branch is queried, rules on other long-lived branches (release or hotfix branches, for example) are not collected and cannot be evaluated by this guardrail.
access-permissions
Fetches repository access permissions from the GitHub API with pagination support. Collects direct collaborators (login, permission level, type) and teams with access (slug, name, permission). Does not expand team memberships, for performance: a team with admin or write access appears as a single entry under .vcs.access.teams and its members are not listed under .vcs.access.collaborators, so a policy that restricts who may administer a repository has to allowlist team slugs as well as user logins. Writes to .vcs.access.collaborators and .vcs.access.teams.
Example Data Flow
Here's an example of the data that GitHub Collector writes to the Component JSON, which Max Severity then evaluates.
{
  "vcs": {
    "provider": "github",
    "default_branch": "main",
    "visibility": "private",
    "topics": ["backend", "api", "microservice"],
    "merge_strategies": {
      "allow_merge_commit": true,
      "allow_squash_merge": true,
      "allow_rebase_merge": false
    },
    "branch_protection": {
      "enabled": true,
      "branch": "main",
      "require_pr": true,
      "required_approvals": 2,
      "require_codeowner_review": true,
      "dismiss_stale_reviews": true,
      "require_status_checks": true,
      "required_checks": ["ci/build", "ci/test", "security/scan"],
      "require_branches_up_to_date": true,
      "allow_force_push": false,
      "allow_deletions": false,
      "require_linear_history": false,
      "require_signed_commits": true,
      "restrictions": {
        "users": ["deployment-bot"],
        "teams": ["platform-team"],
        "apps": ["github-actions"]
      }
    },
    "access": {
      "collaborators": [
        {
          "login": "alice",
          "permission": "admin",
          "type": "User"
        },
        {
          "login": "deployment-bot",
          "permission": "write",
          "type": "Bot"
        }
      ],
      "teams": [
        {"slug": "backend-team", "name": "Backend Team", "permission": "write"},
        {"slug": "platform-team", "name": "Platform Team", "permission": "admin"}
      ]
    }
  }
}
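The following is an added example of how a guardrail can evaluate the .vcs fields above; it is not Lunar's policy code. COMPONENT reproduces the page's sample Component JSON as a Python dict (topics, merge strategies and push restrictions are omitted because the checks do not use them), while the POLICY thresholds, the allowlist of admins and the weakened counter-example are assumptions made for this illustration. It shows the two caveats from the collector descriptions in practice: only the default branch's rules are available, and an admin team is a single grant whose members are never enumerated.

```python
"""Added example (not Lunar's policy code): evaluate the GitHub Collector's
.vcs output against an assumed branch-protection and admin-access standard."""
import copy
import json

# The page's sample Component JSON as a dict (unused keys omitted).
COMPONENT = {
    "vcs": {
        "provider": "github",
        "default_branch": "main",
        "visibility": "private",
        "branch_protection": {
            "enabled": True, "branch": "main", "require_pr": True,
            "required_approvals": 2, "require_codeowner_review": True,
            "dismiss_stale_reviews": True, "require_status_checks": True,
            "required_checks": ["ci/build", "ci/test", "security/scan"],
            "allow_force_push": False, "allow_deletions": False,
            "require_linear_history": False, "require_signed_commits": True,
        },
        "access": {
            "collaborators": [
                {"login": "alice", "permission": "admin", "type": "User"},
                {"login": "deployment-bot", "permission": "write", "type": "Bot"},
            ],
            "teams": [
                {"slug": "backend-team", "name": "Backend Team", "permission": "write"},
                {"slug": "platform-team", "name": "Platform Team", "permission": "admin"},
            ],
        },
    }
}

# Assumed organisational standard (hypothetical values for this example).
POLICY = {
    "required_approvals": 2,
    "required_checks": {"ci/test", "security/scan"},
    "require_signed_commits": True,
    "allowed_admins": {"alice", "platform-team"},  # user logins and team slugs
}


def check_branch_protection(vcs, policy):
    """Return human-readable failures for the default-branch protection rules."""
    bp = vcs.get("branch_protection") or {}
    if not bp.get("enabled"):
        return ["branch protection is not enabled on the default branch"]
    failures = []
    # The collector only queries the default branch; confirm that is what it covers.
    if bp.get("branch") != vcs.get("default_branch"):
        failures.append(f"protection covers {bp.get('branch')!r}, not the default branch")
    if not bp.get("require_pr"):
        failures.append("direct pushes allowed: require_pr is false")
    approvals = bp.get("required_approvals", 0)
    if approvals < policy["required_approvals"]:
        failures.append(f"required approvals {approvals} < {policy['required_approvals']}")
    if not bp.get("dismiss_stale_reviews"):
        failures.append("approvals are not dismissed when new commits are pushed")
    if not bp.get("require_status_checks"):
        failures.append("status checks are not required before merge")
    else:
        missing = policy["required_checks"] - set(bp.get("required_checks", []))
        if missing:
            failures.append(f"required status checks missing: {sorted(missing)}")
    for flag in ("allow_force_push", "allow_deletions"):
        if bp.get(flag):
            failures.append(f"{flag} is true")
    if policy["require_signed_commits"] and not bp.get("require_signed_commits"):
        failures.append("signed commits are not required")
    return failures


def check_access(vcs, policy):
    """Flag admin grants outside the allowlist. Team membership is not expanded
    by the collector, so an admin team is one grant allowlisted by its slug."""
    access = vcs.get("access") or {}
    grants = [c["login"] for c in access.get("collaborators", []) if c.get("permission") == "admin"]
    grants += [t["slug"] for t in access.get("teams", []) if t.get("permission") == "admin"]
    return [f"unexpected admin grant: {g}" for g in grants if g not in policy["allowed_admins"]]


def evaluate(component, policy=POLICY):
    """Guardrail verdict for one component: passed, plus the reasons if not."""
    vcs = component.get("vcs") or {}
    failures = check_branch_protection(vcs, policy) + check_access(vcs, policy)
    return {"passed": not failures, "failures": failures}


def weakened_copy(component):
    """Constructed counter-example: the same repository with loosened settings."""
    weak = copy.deepcopy(component)
    bp = weak["vcs"]["branch_protection"]
    bp["required_approvals"] = 1
    bp["allow_force_push"] = True
    bp["required_checks"] = ["ci/build"]
    weak["vcs"]["access"]["collaborators"].append(
        {"login": "mallory", "permission": "admin", "type": "User"})
    return weak


if __name__ == "__main__":
    for label, comp in (("page sample", COMPONENT), ("weakened copy", weakened_copy(COMPONENT))):
        print(label, json.dumps(evaluate(comp), indent=2))
```

The page's sample passes every check; the weakened copy reports the lowered approval count, the two dropped status checks, the re-enabled force push and the unlisted admin as four separate failures, which is the kind of actionable feedback a PR check should surface rather than a single pass/fail bit.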
Configuration Options
SCA Guardrails Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| min_severity | Optional | high | Minimum severity to fail on (critical, high, medium, low) |
| max_total_threshold | Required | — | Maximum total findings allowed (must be configured) |
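As an added example (not Lunar's implementation of the policy), the following shows the pass/fail rule these two inputs imply: count the findings whose severity is at or above min_severity and fail when that count exceeds max_total_threshold. The page does not document the findings format, so each finding is assumed to be a dict with a "severity" string, SAMPLE_FINDINGS is constructed, and the "moderate" alias is an assumption about scanner vocabularies. The example also handles the two failure modes a practitioner hits first: a severity string the guardrail does not recognise (counted, so the check fails closed) and a missing or invalid max_total_threshold.

```python
"""Added example (not Lunar's policy code): the pass/fail rule implied by the
SCA guardrail inputs min_severity and max_total_threshold."""
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Scanner vocabularies differ; "moderate" is mapped onto medium (assumption).
ALIASES = {"moderate": "medium"}


def normalize_severity(value):
    """Map a raw severity string onto the guardrail's four levels, or None."""
    key = str(value or "").strip().lower()
    key = ALIASES.get(key, key)
    return key if key in SEVERITY_RANK else None


def evaluate_max_severity(findings, min_severity="high", max_total_threshold=0):
    """Count findings at or above min_severity and compare with the threshold.

    Unrecognised severities are counted regardless of the floor (fail closed)
    and reported separately so the scanner mapping can be corrected."""
    floor_name = normalize_severity(min_severity)
    if floor_name is None:
        raise ValueError(f"min_severity must be one of {list(SEVERITY_RANK)}, got {min_severity!r}")
    if not isinstance(max_total_threshold, int) or max_total_threshold < 0:
        raise ValueError("max_total_threshold is required and must be a non-negative integer")
    floor = SEVERITY_RANK[floor_name]
    counted = Counter()
    unrecognized = []
    for finding in findings:
        level = normalize_severity(finding.get("severity"))
        if level is None:
            unrecognized.append(str(finding.get("severity")))
        elif SEVERITY_RANK[level] >= floor:
            counted[level] += 1
    total = sum(counted.values()) + len(unrecognized)
    return {
        "passed": total <= max_total_threshold,
        "counted": total,
        "threshold": max_total_threshold,
        "by_severity": dict(counted),
        "unrecognized": unrecognized,
    }


# Constructed input: mixed case, an aliased level and an unknown level.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical"},
    {"id": "F-2", "severity": "High"},
    {"id": "F-3", "severity": "moderate"},
    {"id": "F-4", "severity": "low"},
    {"id": "F-5", "severity": "unknown-level"},
]

if __name__ == "__main__":
    print(evaluate_max_severity(SAMPLE_FINDINGS, "high", 0))
    print(evaluate_max_severity(SAMPLE_FINDINGS, "critical", 2))
```

With the default min_severity of high and a threshold of 0, the sample fails on three findings (the critical, the high and the unrecognised one); raising the floor to critical and allowing two findings passes. Treating an unknown severity as a failure is deliberate: silently skipping it would let a scanner vocabulary change disable the guardrail.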
Ready to Automate Your Standards?
See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.