Open camclay opened 3 years ago
```bash
#!/bin/bash
# Flag lockfiles that reference the public RubyGems or npm registries.
DIR="${1:-.}"
FAILS=0
EXT_RUBY="https://rubygems.org/"
EXT_NODE="https://registry.npmjs.org/"

## Ruby Check
while IFS= read -r file
do
  # -F matches the URL as a fixed string rather than as a regular expression
  if grep -qF "$EXT_RUBY" "$file"; then
    echo "$EXT_RUBY in $file"
    FAILS=1
  fi
done < <(find "$DIR" -name "Gemfile.lock")

## npm Check
while IFS= read -r file
do
  if grep -qF "$EXT_NODE" "$file"; then
    echo "$EXT_NODE in $file"
    FAILS=1
  fi
done < <(find "$DIR" -name "package-lock.json")

# A non-zero exit status lets a CI job fail on non-compliant repos
if [ "$FAILS" -eq 1 ]; then
  echo -e "\nThis repo has files that are not in compliance"
  exit 1
else
  echo "This repo is in compliance"
fi
```
```
$ ./artifactory_compliance.sh ./hoop
This repo is in compliance
$ ./artifactory_compliance.sh ./uscis-didit
https://rubygems.org/ in ./uscis-didit/services/ruby-api/Gemfile.lock
https://registry.npmjs.org/ in ./uscis-didit/services/ui/package-lock.json
This repo has files that are not in compliance
```
h/t to @camclay
Using A Single Repository (Maven): https://maven.apache.org/guides/mini/guide-mirror-settings.html#using-a-single-repository

GitHub Action to create Maven settings: https://github.com/whelk-io/maven-settings-xml-action
Problem statement: we don’t want teams/apps pulling libraries from the default sources on the public internet (npm.org, maven.org, etc.); we want them to go through our own package repo (Artifactory).
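
The script above looks for two known public registry URLs. As an added example (not part of the original issue), the same check can be turned into an allowlist, so any remote source outside the internal repo is reported, including git remotes and other public mirrors. `ALLOWED`, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the issue author's script. ALLOWED is a hypothetical
# internal Artifactory base URL; override it via the environment.
ALLOWED="${ALLOWED:-https://artifactory.example.internal/}"

# Print "file<TAB>source" for every source recorded in lockfiles under $1.
list_sources() {
    find "$1" -type f \( -name Gemfile.lock -o -name package-lock.json \) |
    while IFS= read -r file; do
        case "$file" in
            *Gemfile.lock)  # Bundler: "remote: <url>" lines (GEM and GIT sections)
                sed -n 's/^[[:space:]]*remote:[[:space:]]*//p' "$file" ;;
            *)              # npm: one "resolved" field per installed package
                sed -n 's/.*"resolved":[[:space:]]*"\([^"]*\)".*/\1/p' "$file" ;;
        esac | while IFS= read -r src; do printf '%s\t%s\n' "$file" "$src"; done
    done
}

# Report remote sources that do not start with prefix $2; return 1 if any exist.
# Local entries (Bundler "remote: .", npm "file:...") have no scheme and are skipped.
check_sources() {
    bad=$(list_sources "$1" | awk -F '\t' -v ok="$2" '
        ($2 ~ /:\/\// || $2 ~ /^git@/) && index($2, ok) != 1 { print $2 " in " $1 }' | sort -u)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample tree (not from the issue) for trying the check offline.
make_sample() {
    mkdir -p "$1/api" "$1/ui"
    printf 'GIT\n  remote: https://github.com/example/gem.git\n\nGEM\n  remote: %sgems/\n' \
        "$ALLOWED" > "$1/api/Gemfile.lock"
    cat > "$1/ui/package-lock.json" <<EOF
{
  "packages": {
    "node_modules/a": { "resolved": "${ALLOWED}npm/a/-/a-1.0.0.tgz" },
    "node_modules/b": { "resolved": "https://registry.yarnpkg.com/b/-/b-2.0.0.tgz" }
  }
}
EOF
}

# Check the directory given as the first argument, e.g. ./check.sh ./repo
if [ $# -gt 0 ]; then check_sources "$1" "$ALLOWED"; fi
```

On the constructed sample this reports the GitHub git remote and the Yarn registry tarball, neither of which contains the two URLs the original grep looks for.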