
Fix incorrect requires in scanner policy manifests#64

Open
brandonSc wants to merge 1 commit into main from brandon/fix-policy-requires

Conversation

@brandonSc
Contributor

@brandonSc brandonSc commented Feb 20, 2026

All four scanner policies (container-scan, sca, sast, iac-scan) incorrectly listed the github collector as a dependency in their landing_page.requires field. None of these policies actually depend on the github collector.

Changes

Updated requires to reference the actual collectors that write to each policy's Component JSON paths:

| Policy | Before | After |
|---|---|---|
| container-scan | github | dockerfile + snyk |
| sca | github | snyk + semgrep |
| sast | github | semgrep + snyk |
| iac-scan | github | snyk |

Why

  • .container_scan is written by the snyk collector (snyk container), not github
  • .sca is written by snyk and semgrep collectors
  • .sast is written by semgrep and snyk collectors
  • .iac_scan is written by the snyk collector (snyk iac), not github
  • .containers (applicability gate for container-scan) is written by the dockerfile collector

This fix was generated by AI.

Summary by CodeRabbit

  • Updates
    • Container scanning now uses Dockerfile as the applicability gate and adds Snyk as a collector.
    • IaC policies now reference Snyk as a collector for IaC scan results.
    • SAST policies replace GitHub with Semgrep and add Snyk as an additional SAST collector.
    • SCA policies replace GitHub with Snyk and introduce Semgrep as an additional SCA collector.
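As an added example (not code from the PR or the project), the consistency check the reviewers performed by hand, encoded from the collector-to-path mapping in the Why list above. The `collector`/`reason` keys inside each requires entry, the dict form of the manifests, and the fixed set of known collector slugs are assumptions:

```python
from typing import Dict, List, Set

# Collector -> Component JSON path mapping, taken from the PR's "Why" list.
PATH_WRITERS: Dict[str, Set[str]] = {
    ".containers": {"dockerfile"},
    ".container_scan": {"snyk"},
    ".sca": {"snyk", "semgrep"},
    ".sast": {"semgrep", "snyk"},
    ".iac_scan": {"snyk"},
}

# Paths each policy reads (derived from the PR description).
POLICY_READS: Dict[str, List[str]] = {
    "container-scan": [".containers", ".container_scan"],
    "sca": [".sca"],
    "sast": [".sast"],
    "iac-scan": [".iac_scan"],
}

# Collector slugs assumed to exist under collectors/ (only those named in the PR).
KNOWN_COLLECTORS: Set[str] = {"github", "dockerfile", "snyk", "semgrep"}


def check_requires(policy: str, manifest: dict) -> List[str]:
    """Return problems with a manifest's landing_page.requires (empty list = consistent).

    Assumption: each requires entry is a mapping with a `collector` slug and a `reason`.
    """
    problems: List[str] = []
    entries = manifest.get("landing_page", {}).get("requires", [])
    required = {e["collector"] for e in entries}
    for slug in sorted(required - KNOWN_COLLECTORS):
        problems.append(f"{policy}: unknown collector slug {slug!r}")
    # Every collector that writes a path this policy reads must be required...
    expected = set().union(*(PATH_WRITERS[p] for p in POLICY_READS.get(policy, [])))
    for slug in sorted(expected - required):
        problems.append(f"{policy}: missing {slug!r} (writes a path this policy reads)")
    # ...and nothing else should be, which is exactly the github mistake this PR fixes.
    for slug in sorted(required - expected):
        problems.append(f"{policy}: {slug!r} required but writes none of the paths read")
    return problems


# Constructed manifests standing in for the parsed YAML: the pre-fix state from the
# PR table and the post-fix state for container-scan.
BEFORE = {"landing_page": {"requires": [{"collector": "github", "reason": "(old)"}]}}
AFTER_CONTAINER_SCAN = {"landing_page": {"requires": [
    {"collector": "dockerfile", "reason": "applicability gate via .containers"},
    {"collector": "snyk", "reason": "writes .container_scan"},
]}}
```

Running `check_requires` over every `policies/*/lunar-policy.yml` in CI would turn the manual chore of keeping these fields current into a failing check.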

@brandonSc brandonSc marked this pull request as ready for review February 20, 2026 18:22
@github-actions

Claude Auto-Approve Review

Summary: This PR corrects the requires fields in four scanner policy manifests (container-scan, iac-scan, sast, sca). Previously, all four policies incorrectly listed github as their required collector. The fix replaces these with the actual collectors each policy depends on: dockerfile and snyk for container-scan, snyk for iac-scan, semgrep and snyk for sast, and snyk and semgrep for sca. All referenced collector slugs (dockerfile, snyk, semgrep) exist in the collectors/ directory. The reason descriptions are also updated to accurately reflect what each collector provides. This is a straightforward metadata correction with no logic changes.

Scope: ISOLATED

This PR modifies only the requires metadata in 4 policy manifest YAML files. The changes are limited to correcting collector slug references in the landing_page.requires section. No code logic, no Python policy scripts, and no collector implementations are changed. The blast radius is low — these are declarative metadata fields describing which collectors a policy depends on.


Conclusion: ✅ Auto-approved (isolated changes, no issues)

@coderabbitai

coderabbitai bot commented Feb 20, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough


Updated landing_page.requires in four policy files to replace github collector references with specific collectors (dockerfile, semgrep, snyk) and to adjust the associated reason text; snyk was also added as a new collector entry in multiple policies. (49 words)

Changes

| Cohort / File(s) | Summary |
|---|---|
| Policy files updated: policies/container-scan/lunar-policy.yml, policies/iac-scan/lunar-policy.yml, policies/sast/lunar-policy.yml, policies/sca/lunar-policy.yml | Replaced github landing_page.requires entries with more specific collector slugs: dockerfile (container-scan), swapped github → snyk (iac-scan), replaced github → semgrep (sast and sca). Added snyk collector entries where applicable and updated each landing_page.requires[].reason to describe the new applicability/data source. |

Suggested reviewers

  • vladaionescu
🚥 Pre-merge checks: ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: correcting incorrect collector references in scanner policy manifests from github to the actual collectors (snyk, semgrep, dockerfile). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



@brandonSc
Contributor Author

I feel like keeping these up to date is going to be a difficult chore

@brandonSc brandonSc force-pushed the brandon/fix-policy-requires branch from 4f35549 to 834fce0 on February 20, 2026 19:28
All four scanner policies (container-scan, sca, sast, iac-scan) incorrectly
listed the github collector as a dependency. Updated to reference the actual
collectors that write to each policy's Component JSON paths:

- container-scan: dockerfile (applicability gate) + snyk (container scan data)
- sca: snyk + semgrep (both write .sca)
- sast: semgrep + snyk (both write .sast)
- iac-scan: snyk (writes .iac_scan)
@brandonSc brandonSc force-pushed the brandon/fix-policy-requires branch from 834fce0 to 9942f5c on February 20, 2026 19:41