Hamburger Cross Icon
No Hardcoded Secrets
+
Gitleaks Collector

No Hardcoded Secrets + Gitleaks Collector

Guardrail Collector Beta Security And Compliance

Enforce No Hardcoded Secrets using data collected by Gitleaks Collector. Automatically check security and compliance standards on every PR.

Guardrail: Ensures no hardcoded secrets are detected in the codebase. Fails if .secrets.issues is non-empty.
Data Source: Detects hardcoded secrets using Gitleaks in two modes: auto-runs scans on every repo, and detects existing Gitleaks executions in CI pipelines to collect their report files. Results are written to the normalized .secrets Component JSON category.
Get Started View on GitHub

How Gitleaks Collector Powers This Guardrail

The Gitleaks Collector gathers metadata from your security systems. This data flows into Lunar's Component JSON, where the No Hardcoded Secrets guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Gitleaks Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
No Hardcoded Secrets Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Gitleaks Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/gitleaks@v1.0.5
    # with: ...

# Step 2: Enable the Secrets Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/secrets@v1.0.5
    include: [no-hardcoded-secrets]
    # with: ...

What Gitleaks Collector Collects

This collector gathers the following data that the No Hardcoded Secrets guardrail evaluates.

Collector code

scan

Auto-runs Gitleaks against the repository source code. Parses the JSON report and writes normalized findings to .secrets with source metadata.

Collector ci-after-command

cicd

Detects Gitleaks execution in CI pipelines. Records command metadata to .native.gitleaks.cicd.cmds and collects the JSON report file if --report-path / -r can be parsed from the command. Collected reports are written to .secrets.cicd (normalized) and .native.gitleaks.cicd.report (raw).

Example Data Flow

Here's an example of the data that Gitleaks Collector writes to the Component JSON, which No Hardcoded Secrets then evaluates.

{ } component.json From Gitleaks Collector 
{
  "secrets": {
    "source": {
      "tool": "gitleaks",
      "version": "8.21.2",
      "integration": "code"
    },
    "issues": [
      {
        "rule": "generic-api-key",
        "file": "config/settings.py",
        "line": 42,
        "secret_type": "Generic API Key"
      }
    ],
    "cicd": [
      {
        "rule": "aws-access-key-id",
        "file": "deploy.sh",
        "line": 10,
        "secret_type": "AWS Access Key ID"
      }
    ],
    "native": {
      "gitleaks": {
        "auto": {
          "report": [
            {
              "RuleID": "generic-api-key",
              "File": "config/settings.py",
              "StartLine": 42,
              "Commit": "abc1234",
              "Description": "Generic API Key"
            }
          ]
        },
        "cicd": {
          "cmds": [
            {"cmd": "gitleaks detect --report-path results.json --source .", "version": "8.21.2"}
          ],
          "report": [
            {
              "RuleID": "aws-access-key-id",
              "File": "deploy.sh",
              "StartLine": 10,
              "Commit": "def5678",
              "Description": "AWS Access Key ID"
            }
          ]
        }
      }
    }
  }
}

Configuration Options

Secrets Guardrails Inputs

Input Required Default Description
max_issues_threshold Required Maximum number of secret issues allowed (must be configured)

Other Guardrails Using Gitleaks Collector

Other guardrails in Secrets Guardrails that use data from Gitleaks Collector.

Guardrail + Gitleaks
Executed

Verifies that secret scanning was executed on the component. Fails if no scanner has written to...
Guardrail + Gitleaks
Max Issues

Ensures the number of secret findings is under a configurable threshold. Use this for gradual...

Learn More

Guardrail · Secrets Guardrails No Hardcoded Secrets View all compatible integrations
Collector Gitleaks Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo