Docker Collector - Lunar Collector

Docker Collector

Collector | Stable | Containers | CI/CD

Parse Dockerfiles to extract base images, labels, and security configuration. Capture Docker build commands in CI for traceability and compliance enforcement.

Add docker to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/docker@v1.0.0

What This Integration Collects

This integration includes 2 collectors that gather metadata from your systems.

Collector code

dockerfile

Parses all Dockerfiles in the repository using dockerfile-json and collects:

  • Container definitions with base images and metadata
  • Final stage information (user, healthcheck)
  • Labels from each stage

Tags: dockerfile, docker, container images, base images, multi-stage builds
Collector ci-after-command

cicd

Tracks all docker commands executed in CI pipelines. Records every invocation for audit trails. For build commands, also parses image tags, labels, platform, and Dockerfile paths into normalized build metadata.
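The normalization described above, sketched as an added example (not Lunar's collector code): it turns one recorded `docker build` command line into the fields shown under `builds` in the sample Component JSON. The function names are hypothetical, and the meaning of `has_tag` (a `-t`/`--tag` option was passed) is an assumption.

```python
import shlex

# docker build options that feed the normalized build record.
ALIASES = {"-t": "tag", "--tag": "tag", "--label": "label",
           "--platform": "platform", "-f": "file", "--file": "file"}

def split_image_ref(ref):
    """Split 'registry:port/repo:tag' into (image, tag).

    Only a colon after the last '/' separates the tag; an earlier one is a registry port.
    """
    name = ref.rsplit("/", 1)[-1]
    if ":" in name:
        return tuple(ref.rsplit(":", 1))
    return ref, None

def parse_docker_build(cmd):
    """Return normalized build metadata, or None for any other docker command."""
    argv = shlex.split(cmd)
    if argv[:2] != ["docker", "build"]:
        return None  # e.g. docker push: recorded for the audit trail, not parsed
    opts = {"tag": [], "label": [], "platform": [], "file": []}
    i = 2
    while i < len(argv):
        arg = argv[i]
        name, eq, value = arg.partition("=")
        if arg in ALIASES and i + 1 < len(argv):   # "--opt value" form
            opts[ALIASES[arg]].append(argv[i + 1])
            i += 1                                  # skip the consumed value
        elif eq and name in ALIASES:                # "--opt=value" form
            opts[ALIASES[name]].append(value)
        i += 1
    image, tag = split_image_ref(opts["tag"][0]) if opts["tag"] else (None, None)
    return {
        "cmd": cmd,
        "has_tag": bool(opts["tag"]),               # assumption: "-t/--tag was given"
        "image": image,
        "tag": tag,
        "labels": dict(l.partition("=")[::2] for l in opts["label"]),
        "platform": opts["platform"][-1] if opts["platform"] else None,
        "dockerfile": opts["file"][-1] if opts["file"] else None,
    }
```

An untagged reference such as `localhost:5000/app` comes back with `tag` set to `None`, which is the case a tag-pinning policy needs to see rather than have the registry port mistaken for a tag.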

Tags: docker build, docker push, container build, image tags, build labels, ci builds

How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

1. Collectors Gather Data (this integration): Triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans.
2. Centralized as JSON: All data merged into each component's unified metadata document.
3. Guardrails Enforce Standards: Real-time feedback in PRs and AI workflows.

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

component.json
{
  "containers": {
    "source": {
      "tool": "dockerfile-json",
      "version": "1.2.2"
    },
    "definitions": [
      {
        "path": "Dockerfile",
        "valid": true,
        "base_images": [
          {
            "reference": "golang:1.21-alpine",
            "image": "golang",
            "tag": "1.21-alpine"
          }
        ],
        "final_stage": {
          "base_name": "runtime",
          "base_image": "gcr.io/distroless/static-debian12:nonroot-amd64",
          "user": "nonroot",
          "has_healthcheck": false
        },
        "labels": {
          "org.opencontainers.image.source": "https://github.com/acme/api"
        }
      }
    ],
    "builds": [
      {
        "cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .",
        "has_tag": true,
        "image": "myregistry.io/app",
        "tag": "v1.2.3",
        "labels": {"git_sha": "abc123"},
        "expected_git_sha": "abc123def456...",
        "platform": null,
        "dockerfile": "Dockerfile.prod"
      }
    ],
    "native": {
      "docker": {
        "cicd": {
          "cmds": [
            {"cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .", "version": "24.0.7"},
            {"cmd": "docker push myregistry.io/app:v1.2.3", "version": "24.0.7"}
          ],
          "source": {"tool": "docker", "integration": "ci"}
        }
      }
    }
  }
}
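The kind of container checks this data supports, as an added example in plain Python (this is not Lunar's guardrail API). The sample document is constructed in the shape shown above; the rule set, the `evaluate` name, and the prefix match between the `git_sha` label and `expected_git_sha` are assumptions.

```python
# Constructed sample in the shape of the Component JSON above (not real collector output).
COMPONENT = {"containers": {
    "definitions": [
        {"path": "Dockerfile",
         "base_images": [{"reference": "golang:1.21-alpine", "image": "golang", "tag": "1.21-alpine"}],
         "final_stage": {"user": "nonroot", "has_healthcheck": False},
         "labels": {"org.opencontainers.image.source": "https://github.com/acme/api"}},
        {"path": "tools/Dockerfile.debug",
         "base_images": [{"reference": "ubuntu", "image": "ubuntu", "tag": None}],
         "final_stage": {"user": None, "has_healthcheck": False},
         "labels": {}},
    ],
    "builds": [
        {"image": "myregistry.io/app", "tag": "v1.2.3", "has_tag": True,
         "labels": {"git_sha": "abc123"}, "expected_git_sha": "abc123def4567890"},
        {"image": "myregistry.io/app", "tag": "latest", "has_tag": True,
         "labels": {"git_sha": "0ddba11"}, "expected_git_sha": "abc123def4567890"},
    ]}}

ROOT_USERS = {"", "root", "0"}
FLOATING_TAGS = {None, "", "latest"}
SOURCE_LABEL = "org.opencontainers.image.source"

def evaluate(component):
    """Return a sorted list of (location, finding) pairs for container policy violations."""
    c = component.get("containers", {})
    findings = []
    for d in c.get("definitions", []):
        user = (d.get("final_stage") or {}).get("user")
        # A missing USER, "root", "0" and "0:0" all leave the final stage running as root.
        if user is None or user.split(":")[0] in ROOT_USERS:
            findings.append((d["path"], "final stage runs as root"))
        for b in d.get("base_images", []):
            # A digest-pinned reference is acceptable even without a tag.
            if b.get("tag") in FLOATING_TAGS and "@sha256:" not in b.get("reference", ""):
                findings.append((d["path"], f"base image {b['image']} not pinned to a tag"))
        if SOURCE_LABEL not in d.get("labels", {}):
            findings.append((d["path"], f"missing {SOURCE_LABEL} label"))
    for b in c.get("builds", []):
        ref = f"{b.get('image')}:{b.get('tag')}"
        if b.get("tag") in FLOATING_TAGS:
            findings.append((ref, "build uses a floating tag"))
        sha = b.get("labels", {}).get("git_sha")
        if not sha or not (b.get("expected_git_sha") or "").startswith(sha):
            findings.append((ref, "git_sha label does not match the CI commit"))
    return sorted(findings)
```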

Configuration

Configure this collector in your lunar-config.yml.

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| find_command | Optional | find . -type f \( -name Dockerfile -o -name '*.Dockerfile' -o -name 'Dockerfile.*' \) | Command to find Dockerfiles (must output one file path per line) |

Documentation


Docker Collector

Collects Docker container metadata from Dockerfiles and CI build commands.

Overview

This collector analyzes Dockerfiles in the repository and intercepts docker build commands in CI. It extracts base images, labels, security configuration, build tags, and platform targeting. The collector outputs normalized data under .containers for container-related policies.

Collected Data

This collector writes to the following Component JSON paths:

| Path | Type | Description |
|---|---|---|
| .containers.source | object | Tool metadata (tool name and version) |
| .containers.definitions[] | array | Parsed Dockerfile definitions with base images, labels, and native AST |
| .containers.builds[] | array | CI build metadata (image, tag, labels, platform) |
| .containers.native.docker.cicd | object | Docker CI command tracking (commands + version) |

Collectors

This integration provides the following collectors (use include to select a subset):

| Collector | Description |
|---|---|
| dockerfile | Parses Dockerfiles to extract base images, users, healthchecks, and labels |
| cicd | Tracks all docker commands in CI; parses build metadata for docker build |

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/docker@v1.0.0
    on: ["domain:your-domain"]
    # with:
    #   find_command: "find ./docker -name Dockerfile"  # Custom Dockerfile search

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
