Manifest Cyber Collector
Integrates with Manifest Cyber's SBOM management platform to collect vulnerability enrichment, license compliance, and SBOM lifecycle data. Supports API and CI CLI integration methods.
Add manifest-cyber to your lunar-config.yml:

```yaml
uses: github://earthly/lunar-lib/collectors/manifest-cyber@v1.0.0
```
What This Integration Collects
This integration includes 2 collectors that gather metadata from your systems.
api
Queries the Manifest Cyber REST API on each commit to verify the SBOM has been uploaded and enriched. Retries with configurable attempts to allow for processing delay. Verifies SBOM upload and pulls enrichment data (vulnerabilities, licenses, exploitability) to .sbom.native.manifest_cyber.
cicd
Detects Manifest CLI (manifest-cli) executions in CI pipelines. Records the command and version to .sbom.native.manifest_cyber.cicd.cmds. Note: manifest-cli calls an external generator (syft by default) as a subprocess, so the underlying generator's collector will capture the actual SBOM content separately.
How Collectors Fit into Lunar
Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.
Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.
Example Collected Data
This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:
```json
{
  "sbom": {
    "native": {
      "manifest_cyber": {
        "asset_id": "abc123",
        "asset_name": "acme/api",
        "packages": 156,
        "last_updated": "2026-02-19T10:30:00Z",
        "sbom_format": "cyclonedx",
        "vulnerabilities": {
          "critical": 0,
          "high": 2,
          "medium": 5,
          "low": 12,
          "total": 19
        },
        "exploitability": {
          "kev_count": 0,
          "epss_high_count": 1
        },
        "licenses": [
          {"id": "MIT", "package_count": 80},
          {"id": "Apache-2.0", "package_count": 45}
        ],
        "cicd": {
          "cmds": [
            {"cmd": "manifest-cli sbom --name acme-api", "version": "2.1.0"}
          ]
        }
      }
    }
  }
}
```
Configuration
Configure this collector in your lunar-config.yml.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| retry_attempts | Optional | 10 | Number of retry attempts when polling the Manifest API for SBOM data |
Secrets
This collector requires the following secrets to be configured in Lunar:
| Secret | Description |
|---|---|
| MANIFEST_API_KEY | Manifest Cyber API key for REST API access (required for the api collector) |
Documentation
Manifest Cyber Collector
Collects SBOM management, vulnerability enrichment, and license compliance data from Manifest Cyber.
Overview
This collector integrates with Manifest Cyber's SBOM management platform to provide visibility into SBOM lifecycle, vulnerability enrichment, and license compliance. It supports REST API verification on each commit (with configurable retry) and CLI detection in CI pipelines.
Unlike raw SBOM generators, Manifest Cyber acts as the SBOM management layer — it ingests, enriches, and tracks SBOMs over time. Note that manifest-cli sbom delegates to an external generator (syft by default), so the underlying generator's collector captures the raw SBOM independently.
Collected Data
This collector writes to the following Component JSON paths:
| Path | Type | Description |
|---|---|---|
| .sbom.native.manifest_cyber | object | Asset info (id, name, packages, format, freshness) |
| .sbom.native.manifest_cyber.vulnerabilities | object | Vulnerability counts from SBOM enrichment (critical/high/medium/low) |
| .sbom.native.manifest_cyber.exploitability | object | CISA KEV and EPSS exploitability data |
| .sbom.native.manifest_cyber.licenses | array | License breakdown with package counts |
| .sbom.native.manifest_cyber.cicd.cmds | array | CI CLI detection (command + version) |
Collectors
This integration provides the following collectors (use include to select a subset):
| Collector | Hook Type | Description |
|---|---|---|
| api | code | Verifies SBOM upload to Manifest Cyber and pulls enrichment data (vulns, licenses, exploitability). Retries with configurable attempts. |
| cicd | ci-after-command | Detects manifest-cli executions in CI pipelines |
Installation
Add to your lunar-config.yml:
```yaml
collectors:
  - uses: github://earthly/lunar-lib/collectors/manifest-cyber@main
    on: ["domain:your-domain"]
```
Required Secrets
| Secret | Required By | Description |
|---|---|---|
| MANIFEST_API_KEY | api | Manifest Cyber API key (generate in org settings) |
Configuration Examples
API collector only (most common — verifies SBOM upload on each commit):
```yaml
collectors:
  - uses: github://earthly/lunar-lib/collectors/manifest-cyber@main
    on: ["domain:your-domain"]
    include: [api]
```
Custom retry attempts (default: 10 attempts × 30s = ~5 min):
```yaml
collectors:
  - uses: github://earthly/lunar-lib/collectors/manifest-cyber@main
    on: ["domain:your-domain"]
    with:
      retry_attempts: "20"
```
All integration methods:
```yaml
collectors:
  - uses: github://earthly/lunar-lib/collectors/manifest-cyber@main
    on: ["domain:your-domain"]
```
Open Source
This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.