{"id":15290795,"url":"https://github.com/verygoodsecurity/aws-maven","last_synced_at":"2026-01-14T03:07:25.620Z","repository":{"id":19349362,"uuid":"86745421","full_name":"verygoodsecurity/aws-maven","owner":"verygoodsecurity","description":"Fork to add support for assumed roles","archived":false,"fork":true,"pushed_at":"2025-02-05T23:34:33.000Z","size":320,"stargazers_count":2,"open_issues_count":8,"forks_count":6,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-07-29T01:04:42.637Z","etag":null,"topics":["aws","maven","pom","s3","team-vault"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"Yleisradio/aws-maven","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/verygoodsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-03-30T20:25:29.000Z","updated_at":"2025-02-05T23:34:37.000Z","dependencies_parsed_at":"2023-09-28T01:36:13.738Z","dependency_job_id":null,"html_url":"https://github.com/verygoodsecurity/aws-maven","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/verygoodsecurity/aws-maven","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/verygoodsecurity%2Faws-maven","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/verygoodsecurity%2Faws-maven/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/verygoodsecurity%2Faws-maven/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/verygoodsecurity%2Faws-maven/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/verygoodsecurity","download_url":"https://codeload.github.com/verygoodsecurity/aws-maven/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/verygoodsecurity%2Faws-maven/sbom","scorecard":{"id":919174,"data":{"date":"2025-08-11","repo":{"name":"github.com/verygoodsecurity/aws-maven","commit":"9d2f7b6fccda7ba315346f920b9370958ee38dbc"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.5,"checks":[{"name":"Code-Review","score":3,"reason":"Found 10/29 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/security-scan-sast.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/security-scan-sast.yaml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/verygoodsecurity/aws-maven/security-scan-sast.yaml/master?enable=pin","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-6v67-2wr5-gvf4","Warn: Project is vulnerable to: GHSA-pr98-23f8-jwxv"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 20 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-24T23:51:17.597Z","repository_id":19349362,"created_at":"2025-08-24T23:51:17.597Z","updated_at":"2025-08-24T23:51:17.597Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408800,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","maven","pom","s3","team-vault"],"created_at":"2024-09-30T16:09:32.174Z","updated_at":"2026-01-14T03:07:25.603Z","avatar_url":"https://github.com/verygoodsecurity.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Maven Wagon\n\n[![CircleCI](https://dl.circleci.com/status-badge/img/gh/verygoodsecurity/aws-maven/tree/master.svg?style=svg\u0026circle-token=CCIPRJ_58VzfmroQGUTjfi2EWXPzX_ec80f0faa9c03a53752af0bf9c1e1777cdde9ca6)](https://dl.circleci.com/status-badge/redirect/gh/verygoodsecurity/aws-maven/tree/master)\n\nThis project is a fork from [https://github.com/spring-projects/aws-maven](https://github.com/spring-projects/aws-maven) to \nsupport development and operations at Very Good Security ( VGS ). No guarantees are made for support or updating\nthe component, but as long as we are using it actively we will update it as we need it.\n\nAll operational details are available in [Compass](https://verygoodsecurity.atlassian.net/compass/component/adf2b946-e19c-4f93-b96b-2e6aa8bb322f).\n\n## Building and deploying this wagon\n\nmvn install\n\nmvn deploy\n\n## Usage\nTo publish Maven artifacts to S3 a build extension must be defined in a project's `pom.xml`.  The latest version of the wagon can \nbe found on Maven Central public repository https://search.maven.org/\n\nTo get the dependency add to your pom:\n\n```xml\n\u003cproject\u003e\n  ...\n  \u003cbuild\u003e\n    ...\n    \u003cextensions\u003e\n      ...\n      \u003cextension\u003e\n      \u003cgroupId\u003eio.vgs.tools\u003c/groupId\u003e\n      \u003cartifactId\u003eaws-maven\u003c/artifactId\u003e\n      \u003cversion\u003e1.4.5\u003c/version\u003e\n      \u003c/extension\u003e\n      ...\n    \u003c/extensions\u003e\n    ...\n  \u003c/build\u003e\n  ...\n\u003c/project\u003e\n```\n\nThis allows then using dependencies from s3 repositories as well as publish to s3 repositories.\n\nOnce the build extension is configured distribution management repositories can be defined in the `pom.xml` with an `s3://` scheme.\n\n```xml\n\u003cproject\u003e\n  ...\n  \u003cdistributionManagement\u003e\n    \u003crepository\u003e\n      \u003cid\u003eaws-release\u003c/id\u003e\n      \u003cname\u003eAWS Release Repository\u003c/name\u003e\n      \u003curl\u003es3://\u003cBUCKET\u003e/release\u003c/url\u003e\n    \u003c/repository\u003e\n    \u003csnapshotRepository\u003e\n      \u003cid\u003eaws-snapshot\u003c/id\u003e\n      \u003cname\u003eAWS Snapshot Repository\u003c/name\u003e\n      \u003curl\u003es3://\u003cBUCKET\u003e/snapshot\u003c/url\u003e\n    \u003c/snapshotRepository\u003e\n  \u003c/distributionManagement\u003e\n  ...\n\u003c/project\u003e\n```\n\nFinally the `~/.m2/settings.xml` should be updated to include access and secret keys for the account. The access key should \nbe used to populate the `username` element, and the secret access key should be used to populate the `password` element.\n\n```xml\n\u003csettings\u003e\n  ...\n  \u003cservers\u003e\n    ...\n    \u003cserver\u003e\n      \u003cid\u003eaws-release\u003c/id\u003e\n      \u003cusername\u003e0123456789ABCDEFGHIJ\u003c/username\u003e\n      \u003cpassword\u003e0123456789abcdefghijklmnopqrstuvwxyzABCD\u003c/password\u003e\n    \u003c/server\u003e\n    \u003cserver\u003e\n      \u003cid\u003eaws-snapshot\u003c/id\u003e\n      \u003cusername\u003e0123456789ABCDEFGHIJ\u003c/username\u003e\n      \u003cpassword\u003e0123456789abcdefghijklmnopqrstuvwxyzABCD\u003c/password\u003e\n    \u003c/server\u003e\n    ...\n  \u003c/servers\u003e\n  ...\n\u003c/settings\u003e\n```\n\nAlternatively, the access and secret keys for the account can be provided using\n\n* `AWS_ACCESS_KEY_ID` (or `AWS_ACCESS_KEY`) and `AWS_SECRET_KEY` (or `AWS_SECRET_ACCESS_KEY`) [environment variables][env-var]\n* `aws.accessKeyId` and `aws.secretKey` [system properties][sys-prop]\n* The Amazon EC2 [Instance Metadata Service][instance-metadata]\n* AWS-Profile ( Can be overridden with `AWS_PROFILE` variable )\n\nFor IAM Impersonation make sure your `~/.aws/credentials` looks like this\n  \n```config\n[root]\naws_access_key_id = AKIAxxxx\naws_secret_access_key = asdfcvbn1234\n[impersonated-profile]\nrole_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn\nsource_profile = root\n``` \n\nYou can now install via `AWS_PROFILE=impersonated-profile AWS_REGION=us-west-2 mvn clean install`\n\n#### Config precedence\n\n1. Use environment variables if they exist\n2. If environment variables don't exist, try to use config file\n\n\n## Making Artifacts Public\nThis wagon doesn't set an explict ACL for each artfact that is uploaded.  Instead you should create an AWS Bucket Policy to set \npermissions on objects.  A bucket policy can be set in the [AWS Console][console] and can be generated using the \n[AWS Policy Generator][policy-generator].\n\nIn order to make the contents of a bucket public you need to add statements with the following details to your policy:\n\n| Effect  | Principal | Action       | Amazon Resource Name (ARN)\n| ------- | --------- | ------------ | --------------------------\n| `Allow` | `*`       | `ListBucket` | `arn:aws:s3:::\u003cBUCKET\u003e`\n| `Allow` | `*`       | `GetObject`  | `arn:aws:s3:::\u003cBUCKET\u003e/*`\n\nIf your policy is setup properly it should look something like:\n\n```json\n{\n  \"Id\": \"Policy1397027253868\",\n  \"Statement\": [\n    {\n      \"Sid\": \"Stmt1397027243665\",\n      \"Action\": [\n        \"s3:ListBucket\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"arn:aws:s3:::\u003cBUCKET\u003e\",\n      \"Principal\": {\n        \"AWS\": [\n          \"*\"\n        ]\n      }\n    },\n    {\n      \"Sid\": \"Stmt1397027177153\",\n      \"Action\": [\n        \"s3:GetObject\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"arn:aws:s3:::\u003cBUCKET\u003e/*\",\n      \"Principal\": {\n        \"AWS\": [\n          \"*\"\n        ]\n      }\n    }\n  ]\n}\n```\n\nIf you prefer to use the [command line][cli], you can use the following script to make the contents of a bucket public:\n\n```bash\nBUCKET=\u003cBUCKET\u003e\nTIMESTAMP=$(date +%Y%m%d%H%M)\nPOLICY=$(cat\u003c\u003cEOF\n{\n  \"Id\": \"public-read-policy-$TIMESTAMP\",\n  \"Statement\": [\n    {\n      \"Sid\": \"list-bucket-$TIMESTAMP\",\n      \"Action\": [\n        \"s3:ListBucket\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"arn:aws:s3:::$BUCKET\",\n      \"Principal\": {\n        \"AWS\": [\n          \"*\"\n        ]\n      }\n    },\n    {\n      \"Sid\": \"get-object-$TIMESTAMP\",\n      \"Action\": [\n        \"s3:GetObject\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"arn:aws:s3:::$BUCKET/*\",\n      \"Principal\": {\n        \"AWS\": [\n          \"*\"\n        ]\n      }\n    }\n  ]\n}\nEOF\n)\n\naws s3api put-bucket-policy --bucket $BUCKET --policy \"$POLICY\"\n```\n\n[cli]: http://aws.amazon.com/documentation/cli/\n[console]: https://console.aws.amazon.com/s3\n[env-var]: http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EnvironmentVariableCredentialsProvider.html\n[instance-metadata]: http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/InstanceProfileCredentialsProvider.html\n[policy-generator]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[s3]: http://aws.amazon.com/s3/\n[sys-prop]: http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/SystemPropertiesCredentialsProvider.html\n[wagon]: http://maven.apache.org/wagon/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fverygoodsecurity%2Faws-maven","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fverygoodsecurity%2Faws-maven","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fverygoodsecurity%2Faws-maven/lists"}