Secrets Guardrails - Lunar Policy for Security And Compliance

Secrets Guardrails

Policy · Beta · Security And Compliance

Enforces secret scanning standards. Ensures secret scanners run and validates that no hardcoded secrets, API keys, or credentials are present in the codebase.

Add the secrets policy to your lunar-config.yml:

    uses: github://earthly/lunar-lib/policies/secrets@v1.0.5

Included Guardrails

This policy includes 3 guardrails that enforce standards for your security and compliance.

executed
  Verifies that secret scanning was executed on the component. Fails if no scanner has written to .secrets.
  Tags: secrets, security, scanning, compliance, gitleaks

no-hardcoded-secrets
  Ensures no hardcoded secrets are detected in the codebase. Fails if .secrets.issues is non-empty.
  Tags: secrets, credentials, api keys, hardcoded, security

max-issues
  Ensures the number of secret findings is under a configurable threshold. Use this for gradual remediation of existing codebases.
  Tags: secrets, threshold, findings, remediation

How Guardrails Fit into Lunar

Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.

Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.

How Lunar works:

  1. Integrations gather data: collectors extract metadata from code, CI pipelines, tool outputs, and scans.
  2. Centralized as JSON: all data is merged into each component's unified metadata document.
  3. Guardrails enforce standards (this policy): real-time feedback in PRs and AI workflows.

Required Integrations

This policy evaluates data gathered by one or more of the following integration(s). Make sure to enable them in your lunar-config.yml.

Configuration

Configure this policy in your lunar-config.yml.

Inputs

| Input | Required | Default | Description |
| --- | --- | --- | --- |
| max_issues_threshold | Required | | Maximum number of secret issues allowed (must be configured) |

Documentation


Secrets Guardrails

Enforces secret scanning standards and validates that no hardcoded secrets are present in code.

Overview

This policy validates that secret scanning is configured and enforces that no hardcoded secrets, API keys, or credentials are detected in the codebase. It works with any secret scanner that writes to the normalized .secrets path in the Component JSON (Gitleaks, TruffleHog, detect-secrets, etc.).

Policies

This plugin provides the following policies (use include to select a subset):

| Policy | Description | Failure Meaning |
| --- | --- | --- |
| executed | Verifies secret scanning ran | No scanner has written to .secrets |
| no-hardcoded-secrets | No hardcoded secrets detected | Secrets found in codebase |
| max-issues | Issue count under threshold | Issue count exceeds configured limit |

Required Data

This policy reads from the following Component JSON paths:

| Path | Type | Provided By |
| --- | --- | --- |
| .secrets | object | Any secret scanner collector (Gitleaks, TruffleHog, etc.) |
| .secrets.issues[] | array | Secret scanner collector (empty = clean) |

Installation

Add to your lunar-config.yml:

policies:
  - uses: github://earthly/lunar-lib/policies/secrets@main
    on: ["domain:your-domain"]
    enforcement: report-pr
    # include: [executed, no-hardcoded-secrets]  # Only run specific checks
    with:
      max_issues_threshold: "5"   # Fail if more than 5 issues

Examples

Passing Example

{
  "secrets": {
    "source": { "tool": "gitleaks", "integration": "code" },
    "issues": []
  }
}

Failing Example

{
  "secrets": {
    "source": { "tool": "gitleaks", "integration": "code" },
    "issues": [
      { "rule": "generic-api-key", "file": "config.py", "line": 10 }
    ]
  }
}

Failure messages:

  • executed: "No secret scanning data found. Ensure a scanner (Gitleaks, TruffleHog, etc.) is configured."
  • no-hardcoded-secrets: "Hardcoded secrets detected in code. Review .secrets.issues for details."
  • max-issues: "Secret issues (3) exceeds threshold (5)"
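The three guardrails are simple predicates over the Component JSON paths listed under Required Data. The following Python is an added illustration of that logic, written for this page and not the lunar-lib policy implementation: it evaluates the two example documents above plus a constructed component that no scanner has touched, treats `max_issues_threshold` as the quoted YAML string the installation snippet shows, and assumes that an absent `.secrets` block passes no-hardcoded-secrets (nothing is non-empty) and is reported by executed instead.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Failure messages as documented for the secrets policy.
MSG_NOT_EXECUTED = ("No secret scanning data found. Ensure a scanner "
                    "(Gitleaks, TruffleHog, etc.) is configured.")
MSG_HARDCODED = ("Hardcoded secrets detected in code. "
                 "Review .secrets.issues for details.")


@dataclass(frozen=True)
class Result:
    guardrail: str
    passed: bool
    message: str = ""


def secrets_block(component: dict) -> Optional[dict]:
    """Return the normalized `.secrets` object, or None if no scanner wrote it."""
    block = component.get("secrets")
    return block if isinstance(block, dict) else None


def secret_issues(component: dict) -> list:
    """Return `.secrets.issues[]`; a missing block or key counts as no findings."""
    block = secrets_block(component)
    if block is None:
        return []
    issues = block.get("issues", [])
    return issues if isinstance(issues, list) else []


def check_executed(component: dict) -> Result:
    """executed: fails when no scanner has written to `.secrets`."""
    ok = secrets_block(component) is not None
    return Result("executed", ok, "" if ok else MSG_NOT_EXECUTED)


def check_no_hardcoded_secrets(component: dict) -> Result:
    """no-hardcoded-secrets: fails when `.secrets.issues` is non-empty.

    Assumption: an absent `.secrets` block is not a non-empty list, so this
    check passes and the absence is surfaced by `executed`.
    """
    ok = len(secret_issues(component)) == 0
    return Result("no-hardcoded-secrets", ok, "" if ok else MSG_HARDCODED)


def check_max_issues(component: dict, threshold) -> Result:
    """max-issues: fails when the finding count exceeds the configured limit.

    `max_issues_threshold` arrives from YAML as a string (e.g. "5"), so it is
    parsed here; a missing or non-integer value is a configuration error
    because the input is required.
    """
    try:
        limit = int(threshold)
    except (TypeError, ValueError):
        raise ValueError("max_issues_threshold must be configured as an integer")
    count = len(secret_issues(component))
    ok = count <= limit
    msg = "" if ok else f"Secret issues ({count}) exceeds threshold ({limit})"
    return Result("max-issues", ok, msg)


def evaluate(component: dict, config: dict, include=None) -> list:
    """Run the selected guardrails (all three by default) and return their results."""
    checks = {
        "executed": lambda: check_executed(component),
        "no-hardcoded-secrets": lambda: check_no_hardcoded_secrets(component),
        "max-issues": lambda: check_max_issues(
            component, config.get("max_issues_threshold")),
    }
    return [checks[name]() for name in (include or checks)]


# Sample Component JSON documents: the two from the policy docs plus a
# constructed one where no scanner has run at all.
PASSING = json.loads('{"secrets": {"source": {"tool": "gitleaks", '
                     '"integration": "code"}, "issues": []}}')
FAILING = json.loads('{"secrets": {"source": {"tool": "gitleaks", '
                     '"integration": "code"}, "issues": [{"rule": '
                     '"generic-api-key", "file": "config.py", "line": 10}]}}')
NOT_SCANNED = {}  # constructed: component with no .secrets at all

CONFIG = {"max_issues_threshold": "5"}  # as in the lunar-config.yml example

if __name__ == "__main__":
    for name, doc in [("passing", PASSING), ("failing", FAILING),
                      ("not scanned", NOT_SCANNED)]:
        for r in evaluate(doc, CONFIG):
            status = "PASS" if r.passed else "FAIL"
            print(f"{name:12} {r.guardrail:22} {status} {r.message}")
```

Note the interplay that the threshold makes visible: the failing example trips no-hardcoded-secrets but still passes max-issues at the documented threshold of 5, which is exactly why the docs suggest running max-issues alone (via `include`) while an existing codebase is being cleaned up.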

Remediation

When this policy fails, you can resolve it by:

  1. executed failure: Configure a secret scanner (Gitleaks, TruffleHog) in your CI pipeline or use the Gitleaks auto-scan collector.
  2. no-hardcoded-secrets failure: Remove hardcoded secrets from your codebase. Use environment variables, secret managers, or vault systems instead.
  3. max-issues failure: Reduce issue count by remediating detected secrets. Increase the threshold temporarily for gradual remediation.
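As an added illustration of remediation step 2 (not code from the policy or its docs), here is the pattern that replaces a literal credential of the kind the failing example flags in config.py: the value is resolved at startup from the environment, with an optional file fallback for secrets mounted by a vault or orchestrator. The `API_KEY` name, the `load_secret` helper and the file fallback are assumptions for the example; blank values are treated as missing so a misconfigured CI variable fails loudly instead of silently.

```python
import os
from pathlib import Path
from typing import Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is not available at runtime."""


def load_secret(name: str, env: Mapping[str, str] = os.environ,
                fallback_file: Optional[Path] = None) -> str:
    """Resolve a secret at runtime instead of embedding it in source.

    Lookup order (assumption for this example): the environment variable
    `name`, then an optional file such as one mounted by a secret manager.
    Whitespace-only values count as missing so a blank CI variable fails fast.
    """
    value = env.get(name, "").strip()
    if value:
        return value
    if fallback_file is not None and fallback_file.is_file():
        value = fallback_file.read_text(encoding="utf-8").strip()
        if value:
            return value
    raise MissingSecretError(
        f"{name} is not set; provide it via the environment or a secret manager")


def has_secret(name: str, env: Mapping[str, str] = os.environ,
               fallback_file: Optional[Path] = None) -> bool:
    """True when `load_secret` would succeed; useful for startup health checks."""
    try:
        load_secret(name, env, fallback_file)
        return True
    except MissingSecretError:
        return False


# Before (constructed, the shape a generic-api-key rule flags in config.py):
#     API_KEY = "EXAMPLE-PLACEHOLDER-NOT-A-REAL-KEY"
# After: the value never enters the repository; it is read when the process starts.
def api_key(env: Mapping[str, str] = os.environ) -> str:
    return load_secret("API_KEY", env)


if __name__ == "__main__":
    demo_env = {"API_KEY": "constructed-value-from-env"}  # stand-in for os.environ
    print("API_KEY present:", has_secret("API_KEY", demo_env))
    print("API_KEY present in empty env:", has_secret("API_KEY", {}))
```

After the literal is removed and the new value is supplied through CI or a secret manager, re-run the scanner so `.secrets.issues` is refreshed; the guardrails only see what the collector last wrote. Rotating the exposed credential is part of the fix, since git history still holds the old value.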

Open Source

This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.

