ResolvedDependenciesRepositories Policy


The ResolvedDependenciesRepositories policy enforces constraints on the repositories used for dependency resolution. It evaluates against Resolved Dependencies Repositories attestations (predicate type https://gradle.com/attestation/resolved-dependencies-repositories/v1).

Spec Fields

uris

A list of repository URIs to compare against the repositories recorded in the attestation. Whether the list acts as an allowlist or a denylist is determined by matchingStrategy.

matchingStrategy

must-match requires that every repository dependencies were resolved from matches one of the listed URIs (the list is an allowlist; any other repository fails the policy). none-match requires that no repository dependencies were resolved from matches any of the listed URIs (the list is a denylist; any listed repository fails the policy).

Example

Allow only approved dependency resolution repositories
apiVersion: policy.gradle.com/v1
kind: ResolvedDependenciesRepositories
metadata:
  name: must-match-repositories
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Allow resolved dependencies repositories
  remediation: Remove offending repository from build configuration
  matchingStrategy: must-match
  uris:
    - https://artifacts.example.com/maven2
    - https://repo.example.com/artifactory/libs-release-candidates-local/
    - https://plugins.gradle.org/m2/
    - https://repo.example.com/artifactory/public
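To make the two strategies concrete, the following Python sketch is an added example, not Gradle's policy engine, that evaluates a policy spec against a constructed list of repository URIs such as a Resolved Dependencies Repositories attestation would record. It uses the must-match spec from the example above and a hypothetical none-match spec. The URI normalization (case-insensitive scheme and host, trailing slash ignored) is an assumption of this example; the page does not state how the real engine compares URIs.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the spec of the must-match policy shown in the example above.
MUST_MATCH_POLICY = {
    "matchingStrategy": "must-match",
    "uris": [
        "https://artifacts.example.com/maven2",
        "https://repo.example.com/artifactory/libs-release-candidates-local/",
        "https://plugins.gradle.org/m2/",
        "https://repo.example.com/artifactory/public",
    ],
}

# Constructed sample: a hypothetical none-match policy that denies resolving
# straight from public repositories instead of the corporate proxy.
NONE_MATCH_POLICY = {
    "matchingStrategy": "none-match",
    "uris": [
        "https://repo.maven.apache.org/maven2",
        "https://jcenter.bintray.com",
    ],
}


def normalize(uri: str) -> str:
    """Canonical form used for comparison.

    Assumption of this example only: scheme and host are case-insensitive,
    a trailing slash is ignored, and query/fragment are dropped. The real
    engine's matching rules are not described on this page.
    """
    parts = urlsplit(uri.strip())
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


@dataclass
class Verdict:
    passed: bool
    offending: list = field(default_factory=list)


def evaluate(policy: dict, resolved_repositories: list) -> Verdict:
    """Apply matchingStrategy to the repositories a build resolved from.

    must-match: every resolved repository must be in uris (allowlist).
    none-match: no resolved repository may be in uris (denylist).
    The returned offending list is what a remediation message would point at.
    """
    listed = {normalize(u) for u in policy["uris"]}
    strategy = policy["matchingStrategy"]
    if strategy == "must-match":
        offending = [r for r in resolved_repositories if normalize(r) not in listed]
    elif strategy == "none-match":
        offending = [r for r in resolved_repositories if normalize(r) in listed]
    else:
        raise ValueError(f"unknown matchingStrategy: {strategy!r}")
    return Verdict(passed=not offending, offending=offending)


if __name__ == "__main__":
    # Constructed attestation content: one approved repo plus a direct
    # Maven Central resolution that the corporate policy should reject.
    resolved = [
        "https://artifacts.example.com/maven2/",
        "https://repo.maven.apache.org/maven2",
    ]
    for policy in (MUST_MATCH_POLICY, NONE_MATCH_POLICY):
        verdict = evaluate(policy, resolved)
        print(policy["matchingStrategy"], "passed" if verdict.passed else "failed", verdict.offending)
```

Both strategies flag the same repository in this sample, for opposite reasons: must-match fails because Maven Central is not on the allowlist, none-match fails because it is on the denylist. Note that the example policy above lists some URIs with a trailing slash and some without; if the real engine compares URIs exactly, a mismatch on that detail would turn an approved repository into a policy failure, so keep the uris list in the exact form the build configuration uses.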