Docker Collector
Parse Dockerfiles to extract base images, labels, and security configuration. Capture Docker build commands in CI for traceability and compliance enforcement.
Add docker to your lunar-config.yml:
`uses: github://earthly/lunar-lib/collectors/docker@v1.0.5`
What This Integration Collects
This integration includes 3 collectors that gather metadata from your systems.
dockerfile
Parses all Dockerfiles in the repository using dockerfile-json and collects:
- Container definitions with base images and metadata
- Final stage information (user, healthcheck)
- Labels from each stage
cicd
Tracks all docker commands executed in CI pipelines. Records every invocation for audit trails. For build commands, also parses image tags, labels, platform, and Dockerfile paths into normalized build metadata.
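To make the normalization step concrete, here is an added Python example (not the collector's own code) that turns a recorded `docker build` command into the `.containers.builds[]` shape shown on this page. The helper names, the "first `-t` wins" rule and the `None` default for `dockerfile` are assumptions; it handles registry ports and digests when splitting the image reference.

```python
import shlex

# Added example: normalizing a recorded `docker build` command into the
# .containers.builds[] shape from this page. Not the collector's own code.
VALUE_FLAGS = {"-t": "tag", "--tag": "tag", "--label": "label",
               "--platform": "platform", "-f": "dockerfile", "--file": "dockerfile"}

def split_image_ref(ref):
    """Return (image, tag); tag is None when the reference carries none."""
    ref = ref.split("@", 1)[0]             # drop a trailing @sha256:... digest
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):             # colon after the last '/' marks a tag
        return ref[:colon], ref[colon + 1:]
    return ref, None                       # e.g. localhost:5000/app (port only)

def parse_docker_build(cmd):
    """Build metadata for a `docker build` command, None for anything else."""
    argv = shlex.split(cmd)
    if argv[:2] != ["docker", "build"]:
        return None
    build = {"cmd": cmd, "has_tag": False, "image": None, "tag": None,
             "labels": {}, "platform": None, "dockerfile": None}
    args = iter(argv[2:])
    for arg in args:
        name, has_eq, value = arg.partition("=")
        kind = VALUE_FLAGS.get(name)
        if kind is None:
            continue                       # positional context or untracked flag
        if not has_eq:
            value = next(args, "")         # value is the following argument
        if kind == "tag" and not build["has_tag"]:
            build["has_tag"] = True        # assumption: first -t wins
            build["image"], build["tag"] = split_image_ref(value)
        elif kind == "label":
            key, _, val = value.partition("=")
            build["labels"][key] = val
        elif kind in ("platform", "dockerfile"):
            build[kind] = value
    return build

# The build command from this page's example data.
PAGE_CMD = ("docker build -t myregistry.io/app:v1.2.3 "
            "--label git_sha=abc123 -f Dockerfile.prod .")
```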
hadolint
Lints all Dockerfiles using hadolint and collects the results. Writes raw hadolint output to .containers.native.hadolint and normalized lint results to .containers.lint_results for policy evaluation.
How Collectors Fit into Lunar
Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.
Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.
Example Collected Data
This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:
```json
{
  "containers": {
    "source": {
      "tool": "dockerfile-json",
      "version": "1.2.2"
    },
    "definitions": [
      {
        "path": "Dockerfile",
        "valid": true,
        "base_images": [
          {
            "reference": "golang:1.21-alpine",
            "image": "golang",
            "tag": "1.21-alpine"
          }
        ],
        "final_stage": {
          "base_name": "runtime",
          "base_image": "gcr.io/distroless/static-debian12:nonroot-amd64",
          "user": "nonroot",
          "has_healthcheck": false
        },
        "labels": {
          "org.opencontainers.image.source": "https://github.com/acme/api"
        }
      }
    ],
    "lint_results": [
      {
        "path": "Dockerfile",
        "issues": [
          {
            "line": 5,
            "rule": "DL3008",
            "severity": "warning",
            "message": "Pin versions in apt get install."
          }
        ]
      }
    ],
    "builds": [
      {
        "cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .",
        "has_tag": true,
        "image": "myregistry.io/app",
        "tag": "v1.2.3",
        "labels": {"git_sha": "abc123"},
        "expected_git_sha": "abc123def456...",
        "platform": null,
        "dockerfile": "Dockerfile.prod"
      }
    ],
    "native": {
      "docker": {
        "cicd": {
          "cmds": [
            {"cmd": "docker build -t myregistry.io/app:v1.2.3 --label git_sha=abc123 -f Dockerfile.prod .", "version": "24.0.7"},
            {"cmd": "docker push myregistry.io/app:v1.2.3", "version": "24.0.7"}
          ],
          "source": {"tool": "docker", "integration": "ci"}
        }
      },
      "hadolint": {
        "source": {
          "tool": "hadolint",
          "version": "2.12.0",
          "integration": "auto"
        },
        "report": [
          {
            "line": 5,
            "code": "DL3008",
            "level": "warning",
            "message": "Pin versions in apt get install.",
            "file": "Dockerfile",
            "column": 1
          }
        ]
      }
    }
  }
}
```
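As an added example (not Lunar's guardrail code), the following Python sketch shows the kind of checks this data makes possible: unpinned base images, a final stage that runs as root, lint issues at a failing severity, and builds whose `git_sha` label cannot be tied to `expected_git_sha`. Field names follow the example above; the rules, the prefix comparison of the two SHA values and `SAMPLE` are assumptions.

```python
# Added example: guardrail-style checks over the Component JSON shown above.
# Field names come from this page; the rules and SAMPLE are assumptions.
ROOT_USERS = {None, "", "root", "0", "0:0", "root:root"}

def unpinned_bases(definition):
    """Base images with no tag or a floating 'latest' tag (digest refs pass)."""
    return [b["reference"] for b in definition.get("base_images", [])
            if "@sha256:" not in b["reference"]
            and b.get("tag") in (None, "", "latest")]

def evaluate(component, lint_fail=("error",)):
    c, findings = component.get("containers", {}), []
    for d in c.get("definitions", []):
        if not d.get("valid"):
            findings.append(f"{d['path']}: Dockerfile did not parse")
            continue
        for ref in unpinned_bases(d):
            findings.append(f"{d['path']}: base image {ref} is not pinned")
        if d.get("final_stage", {}).get("user") in ROOT_USERS:
            findings.append(f"{d['path']}: final stage runs as root")
    for result in c.get("lint_results", []):
        for issue in result.get("issues", []):
            if issue.get("severity") in lint_fail:
                findings.append(f"{result['path']}:{issue['line']}: {issue['rule']}")
    for b in c.get("builds", []):
        label = b.get("labels", {}).get("git_sha", "")
        # Assumption: the label may be an abbreviated form of expected_git_sha.
        if not label or not b.get("expected_git_sha", "").startswith(label):
            findings.append(f"build not traceable to commit: {b['cmd']}")
    return findings

# Constructed sample: unpinned base, no USER, one lint error, unlabeled build.
SAMPLE = {"containers": {
    "definitions": [{"path": "Dockerfile", "valid": True,
        "base_images": [{"reference": "ubuntu", "image": "ubuntu", "tag": None}],
        "final_stage": {"base_image": "ubuntu", "user": None,
                        "has_healthcheck": False},
        "labels": {}}],
    "lint_results": [{"path": "Dockerfile", "issues": [
        {"line": 3, "rule": "DL3020", "severity": "error",
         "message": "Use COPY instead of ADD for files and folders"}]}],
    "builds": [{"cmd": "docker build -t myregistry.io/app:v1.2.3 .",
                "has_tag": True, "image": "myregistry.io/app", "tag": "v1.2.3",
                "labels": {}, "expected_git_sha": "0123456789abcdef"}]}}

if __name__ == "__main__":
    print("\n".join(evaluate(SAMPLE)))
```

Passing `lint_fail=("error", "warning")` makes warning-level hadolint rules such as DL3008 fail the check as well.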
Configuration
Configure this collector in your lunar-config.yml.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| `find_command` | Optional | `find . -type f \( -name Dockerfile -o -name '*.Dockerfile' -o -name 'Dockerfile.*' \)` | Command to find Dockerfiles (must output one file path per line) |
Documentation
Docker Collector
Collects Docker container metadata from Dockerfiles, CI build commands, and Dockerfile lint results.
Overview
This collector analyzes Dockerfiles in the repository, intercepts docker build commands in CI, and auto-runs hadolint to lint Dockerfiles. It extracts base images, labels, security configuration, build tags, platform targeting, and lint violations. The collector outputs normalized data under .containers for container-related policies.
Collected Data
This collector writes to the following Component JSON paths:
| Path | Type | Description |
|---|---|---|
| `.containers.source` | object | Tool metadata (tool name and version) |
| `.containers.definitions[]` | array | Parsed Dockerfile definitions with base images, labels, and native AST |
| `.containers.lint_results[]` | array | Normalized lint results per Dockerfile (rule, severity, message, line) |
| `.containers.builds[]` | array | CI build metadata (image, tag, labels, platform) |
| `.containers.native.docker.cicd` | object | Docker CI command tracking (commands + version) |
| `.containers.native.hadolint` | object | Raw hadolint JSON output with source metadata |
Collectors
This integration provides the following collectors (use include to select a subset):
| Collector | Description |
|---|---|
| `dockerfile` | Parses Dockerfiles to extract base images, users, healthchecks, and labels |
| `cicd` | Tracks all docker commands in CI; parses build metadata for docker build |
| `hadolint` | Lints Dockerfiles using hadolint and collects violations |
Installation
Add to your lunar-config.yml:
```yaml
collectors:
  - uses: github://earthly/lunar-lib/collectors/docker@v1.0.0
    on: ["domain:your-domain"]
    # with:
    #   find_command: "find ./docker -name Dockerfile"  # Custom Dockerfile search
```
Open Source
This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.