Banned Plugins

This rule checks the set of plugins used during the build and enforces that specific excluded plugins are not used.

The following parameters are supported by this rule:

  • excludes - a list of plugin artifacts to ban. The format is groupId[:artifactId][:version] where artifactId and version are optional. Wildcards may be used to replace an entire section. Examples:
    • org.apache.maven
    • org.apache.maven:bad-plugin
    • org.apache.maven:my-plugin:badVersion
    • org.apache.maven:*:1.2
  • includes - a list of plugin artifacts to include. These are exceptions to the excludes. This allows wide exclusion rules with wildcards that are then fine-tuned with includes. If nothing has been excluded, then the includes have no effect. In other words, includes only subtract from artifacts that matched an exclude rule.

Sample Plugin Configuration:

<project>
  [...]
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <id>enforce-banned-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedPlugins>
                  <excludes>
                    <exclude>org.codehaus.mojo:build-helper-maven-plugin</exclude>
                  </excludes>
                </bannedPlugins>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  [...]
</project>
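
The sample above uses only excludes. The configuration below is an added example, not part of the original page. It bans every plugin under one groupId and re-admits a single vetted plugin through includes. The execution id and the choice of which plugin to re-admit are assumptions for illustration.

```xml
<project>
  [...]
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <!-- execution id is arbitrary (chosen for this example) -->
            <id>enforce-banned-plugins</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedPlugins>
                  <excludes>
                    <!-- groupId only: artifactId and version are omitted,
                         so every plugin in this group is banned -->
                    <exclude>org.codehaus.mojo</exclude>
                  </excludes>
                  <includes>
                    <!-- exception to the exclude above: this one plugin
                         is allowed again; all others in the group stay banned -->
                    <include>org.codehaus.mojo:build-helper-maven-plugin</include>
                  </includes>
                </bannedPlugins>
              </rules>
              <!-- break the build instead of only logging a warning -->
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  [...]
</project>
```

Because includes only subtract from what an exclude matched, removing the exclude entry here would leave the include with no effect and nothing would be banned.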