Snyk Collector - Lunar Collector

Snyk Collector

Collector | Stable | Security

Detects Snyk security scanning via GitHub App or CLI integration. Automatically categorizes results (SCA, SAST, Container, IaC) based on scan type and writes to normalized Component JSON paths.

Add snyk to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/snyk@v1.0.0

What This Integration Collects

This integration includes 3 collectors that gather metadata from your systems.

github-app (collector, hook: code)

Detects Snyk GitHub App scans on pull requests by querying the GitHub commit status API. It waits for the scan to complete, captures the results, and categorizes them by scan type (Open Source, Code, Container, IaC).

running-in-prs (collector, hook: code)

Proves Snyk is running on PRs by querying Lunar Hub for Snyk data from recent PRs. Used on the default branch to provide compliance proof that PR scanning is happening (the Snyk GitHub App only posts checks on PRs, not directly on the default branch).

cli (collector, hook: ci-after-command)

Detects Snyk CLI executions in CI pipelines. Captures the command and its exit code, then categorizes the run by subcommand (test, code, container, iac).


How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

1. Collectors Gather Data: triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans.
2. Centralized as JSON: all data is merged into each component's unified metadata document.
3. Guardrails Enforce Standards: real-time feedback in PRs and AI workflows.

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

component.json:
{
  "sca": {
    "running_in_prs": true,
    "source": {
      "tool": "snyk",
      "version": "1.1200.0",
      "integration": "github_app"
    },
    "native": {
      "snyk": {
        "github_app": {
          "state": "success",
          "context": "security/snyk",
          "target_url": "https://app.snyk.io/..."
        },
        "cicd": {
          "cmds": [
            {"cmd": "snyk test --all-projects", "version": "1.1200.0"}
          ]
        }
      }
    }
  }
}

Configuration

Configure this collector in your lunar-config.yml.

Secrets

This collector requires the following secrets to be configured in Lunar:

  • GH_TOKEN: GitHub token for API access (required for the github-app collector)

Documentation


Snyk Collector

Detects Snyk security scans and collects vulnerability data from GitHub App or CLI integrations.

Overview

This collector detects Snyk security scanning across multiple integration methods (GitHub App, CLI) and automatically categorizes results based on scan type. It writes normalized data to the appropriate Component JSON category depending on which Snyk product was used:

  • Snyk Open Source: .sca (default, or the snyk test command)
  • Snyk Code: .sast (context contains "code", or the snyk code command)
  • Snyk Container: .container_scan (context contains "container", or the snyk container command)
  • Snyk IaC: .iac_scan (context contains "iac" or "infrastructure", or the snyk iac command)
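As an added example (not the collector's own code), the categorization rules above applied to both a GitHub App commit-status context and a Snyk CLI command line, producing entries in the Component JSON shape shown earlier on this page. Function names are hypothetical, the precedence between overlapping context keywords is assumed, and the "cli" integration value is assumed (the page only shows "github_app"):

```python
from typing import Optional

# Added example, not the collector's own code. Function names are hypothetical;
# category names and match rules are the ones the page lists.

def category_for_context(context: str) -> str:
    """Map a GitHub commit-status context (e.g. "security/snyk") to a category.
    Checking 'container' and 'iac' before 'code' is an assumed precedence."""
    c = context.lower()
    if "container" in c:
        return "container_scan"
    if "iac" in c or "infrastructure" in c:
        return "iac_scan"
    if "code" in c:
        return "sast"
    return "sca"  # Snyk Open Source is the default

def category_for_cli(cmd: str) -> Optional[str]:
    """Map a snyk CLI invocation to a category by subcommand; None if not Snyk."""
    parts = cmd.split()
    if len(parts) < 2 or parts[0] != "snyk":
        return None
    return {"test": "sca", "code": "sast",
            "container": "container_scan", "iac": "iac_scan"}.get(parts[1])

def record_github_app(component: dict, status: dict, version: str) -> dict:
    """Write one Snyk commit status into its category, in the page's JSON shape."""
    cat = category_for_context(status["context"])
    entry = component.setdefault(cat, {})
    entry["source"] = {"tool": "snyk", "version": version, "integration": "github_app"}
    entry.setdefault("native", {}).setdefault("snyk", {})["github_app"] = {
        "state": status["state"],
        "context": status["context"],
        "target_url": status["target_url"],
    }
    return component

def record_cli(component: dict, cmd: str, version: str) -> dict:
    """Append a Snyk CLI command under native.snyk.cicd.cmds of its category."""
    cat = category_for_cli(cmd)
    if cat is None:  # not a snyk command: nothing to record
        return component
    entry = component.setdefault(cat, {})
    # "integration": "cli" is an assumed value; the page only shows "github_app".
    entry.setdefault("source", {"tool": "snyk", "version": version, "integration": "cli"})
    snyk = entry.setdefault("native", {}).setdefault("snyk", {})
    snyk.setdefault("cicd", {}).setdefault("cmds", []).append({"cmd": cmd, "version": version})
    return component
```

Feeding the GitHub App status from the page's example and then `snyk test --all-projects` into the same component dict reproduces the `.sca` entry shown above.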

Collected Data

This collector writes to the following Component JSON paths based on scan type:

  • .sca.source (object): Source metadata when a Snyk Open Source scan is detected
  • .sca.native.snyk (object): Raw Snyk results for SCA scans
  • .sca.native.snyk.running_in_prs (boolean): Proves Snyk is scanning PRs (set on the default branch)
  • .sast.source (object): Source metadata when a Snyk Code scan is detected
  • .sast.native.snyk (object): Raw Snyk results for SAST scans
  • .container_scan.source (object): Source metadata when a Snyk Container scan is detected
  • .container_scan.native.snyk (object): Raw Snyk results for container scans
  • .iac_scan.source (object): Source metadata when a Snyk IaC scan is detected
  • .iac_scan.native.snyk (object): Raw Snyk results for IaC scans

Collectors

This plugin provides the following collectors (use include to select a subset):

  • github-app (hook: code, PRs only): Detects Snyk GitHub App scans on pull requests
  • running-in-prs (hook: code, default branch): Proves Snyk is running on PRs (compliance proof for the default branch)
  • cli (hook: ci-after-command): Detects Snyk CLI executions in CI pipelines

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/snyk@v1.0.0
    on: ["domain:your-domain"]  # Or use tags like [backend, go]

Required secrets:

  • GH_TOKEN — GitHub token for API access (required for github-app collector)

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.

