Dependabot Collector - Lunar Collector

Dependabot Collector

Collector Beta Security

Parses .github/dependabot.yml to collect dependency update configuration including covered ecosystems, update schedules, and directory targets. Enables enforcement of dependency automation standards.

Add dependabot to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/dependabot@v1.0.5

What This Integration Collects

This integration includes 1 collector that gathers metadata from your systems.

Collector code

config

Scans the repository for a Dependabot configuration file at .github/dependabot.yml (or .yaml variant). Parses the YAML to extract the schema version, update entries (ecosystem, directory, schedule), and a normalized list of covered ecosystems. Writes structured data to .dep_automation.dependabot.


How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

How Lunar works:

1. Collectors gather data (this integration). Triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans.
2. Centralized as JSON. All data is merged into each component's unified metadata document.
3. Guardrails enforce standards. Real-time feedback in PRs and AI workflows.

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

component.json
{
  "dep_automation": {
    "dependabot": {
      "valid": true,
      "path": ".github/dependabot.yml",
      "version": 2,
      "updates": [
        {
          "package_ecosystem": "npm",
          "directory": "/",
          "schedule": "weekly",
          "open_pull_requests_limit": 5
        },
        {
          "package_ecosystem": "docker",
          "directory": "/",
          "schedule": "weekly",
          "open_pull_requests_limit": 5
        },
        {
          "package_ecosystem": "github-actions",
          "directory": "/",
          "schedule": "weekly",
          "open_pull_requests_limit": 5
        }
      ],
      "ecosystems": ["docker", "github-actions", "npm"],
      "update_count": 3
    }
  }
}

Configuration

Configure this collector in your lunar-config.yml.

Inputs

| Input | Required | Default | Description |
|-------|----------|---------|-------------|
| paths | Optional | .github/dependabot.yml,.github/dependabot.yaml | Comma-separated list of Dependabot config file paths to check (first match wins) |

Documentation


Dependabot Collector

Parses Dependabot configuration to collect dependency update settings and covered ecosystems.

Overview

This collector scans the repository for a .github/dependabot.yml configuration file and parses its contents. It extracts the schema version, update entries (package ecosystem, directory, schedule), and produces a normalized list of covered ecosystems. This data feeds into the dep-automation policy to enforce dependency automation standards.

Collected Data

When no Dependabot config file is found, this collector writes nothing — object presence at .dep_automation.dependabot is itself the signal that Dependabot is configured. See collector-reference.md § Write Nothing When Technology Not Detected.

When a config file is found, this collector writes to the following Component JSON paths:

| Path | Type | Description |
|------|------|-------------|
| .dep_automation.dependabot.valid | boolean | Whether the YAML config has valid syntax |
| .dep_automation.dependabot.path | string | Path to the config file |
| .dep_automation.dependabot.version | number | Dependabot schema version (typically 2) — present when valid: true and the config declares it |
| .dep_automation.dependabot.updates[] | array | Update entries with ecosystem, directory, and schedule — present when valid: true |
| .dep_automation.dependabot.ecosystems | array | Sorted, deduplicated list of covered ecosystem names — present when valid: true |
| .dep_automation.dependabot.update_count | number | Total number of update entries — present when valid: true |
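
The three states described above (object absent, valid: false, valid: true) each need different handling when this data is evaluated. The following is an added example, not Lunar's policy SDK or the dep-automation policy itself: a plain-Python check over the Component JSON. The names check_dependabot, REQUIRED_ECOSYSTEMS and ALLOWED_SCHEDULES, the thresholds, and the sample documents are all constructed for illustration.

```python
import json

# Policy thresholds below are constructed for this example, not Lunar defaults.
REQUIRED_ECOSYSTEMS = {"docker", "github-actions", "npm"}
ALLOWED_SCHEDULES = {"daily", "weekly"}

def check_dependabot(component, required=REQUIRED_ECOSYSTEMS, schedules=ALLOWED_SCHEDULES):
    """Return a list of findings; an empty list means the component passes."""
    dep = component.get("dep_automation", {}).get("dependabot")
    if dep is None:
        # The collector writes nothing when no config file exists.
        return ["dependabot is not configured"]
    if dep.get("valid") is not True:
        # version, updates, ecosystems and update_count are absent in this state.
        return [f"{dep.get('path', '<unknown path>')}: invalid YAML syntax"]
    findings = []
    missing = sorted(required - set(dep.get("ecosystems", [])))
    if missing:
        findings.append("ecosystems not covered: " + ", ".join(missing))
    for entry in dep.get("updates", []):
        if entry.get("schedule") not in schedules:
            findings.append(
                f"{entry.get('package_ecosystem')} at {entry.get('directory')}: "
                f"schedule {entry.get('schedule')!r} is not allowed")
    return findings

# Constructed Component JSON documents, one per state the collector can produce.
SAMPLES = {
    "absent": "{}",
    "invalid": '{"dep_automation": {"dependabot": '
               '{"valid": false, "path": ".github/dependabot.yml"}}}',
    "partial": json.dumps({"dep_automation": {"dependabot": {
        "valid": True, "path": ".github/dependabot.yml", "version": 2,
        "updates": [{"package_ecosystem": "npm", "directory": "/",
                     "schedule": "monthly", "open_pull_requests_limit": 5}],
        "ecosystems": ["npm"], "update_count": 1}}}),
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, check_dependabot(json.loads(doc)))
```

Checking `valid` before reading `ecosystems` matters: a config with broken YAML still produces an object, so a check based only on object presence would pass a repository whose Dependabot configuration cannot be parsed.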

Collectors

| Collector | Description |
|-----------|-------------|
| config | Parses .github/dependabot.yml for update configuration |

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/dependabot@v1.0.0
    on: ["domain:your-domain"]

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
