Integrating Lineaje GOS Artifactory Proxy Into Your Build Pipeline

When a build tool (Maven, pip, npm) resolves a dependency, it issues an HTTP GET request to the configured registry URL. With the Lineaje GOS Artifactory Proxy enabled, that URL resolves to the Proxy endpoint instead of the upstream public registry. The following sequence describes what happens for every artifact request:

  1. Build tool issues HTTP GET

    The build tool requests an artifact using the standard package-manager protocol (Maven repository layout, PyPI simple API, or npm registry API). The only difference from a vanilla build is that the registry hostname points to the Proxy.

  2. Authentication check

    The Proxy validates the provided credentials (Basic Auth over HTTPS). Requests without valid credentials receive HTTP 401 immediately.

  3. Package coordinate extraction

    The Proxy parses the request path to extract the package's PURL (Package URL) coordinates — ecosystem, name, and version.

  4. GOS & policy evaluation

    The extracted PURL is evaluated against the Gold Open Source index and your organization's custom policies. Results are cached to ensure build performance is not impacted.

  5. Allow or Block decision

    In enforce mode, non-gold packages receive an error response. To learn more, see HTTP Response Codes. In observe mode, all packages are forwarded regardless of status.

  6. Telemetry & audit

    The outcome (allowed / blocked / policy-violated) is recorded on the Lineaje platform with full provenance detail. Policy violation messages are also injected into the HTTP response and appear in build logs.
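
Step 3 above, sketched as an added example: this is not Lineaje's code, and the page does not document how the Proxy parses paths. The function derives PURL coordinates from download paths in the public Maven, npm and PyPI layouts; the function name, the `ecosystem` argument and the sample path are assumptions.

```python
import re
from urllib.parse import quote, unquote

# Added illustration: path shapes follow the public Maven/npm/PyPI layouts.
# Assumption: the caller knows the ecosystem (e.g. one endpoint per registry type).
# Constructed sample request path (not captured traffic):
SAMPLE = "/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar"

def path_to_purl(ecosystem, path):
    """Return a PURL for an artifact download path, or None if it names no version."""
    parts = [unquote(p) for p in path.split("/") if p]
    # Reject traversal and encoded separators before trusting any segment.
    if any(p in (".", "..") or "/" in p or "\\" in p for p in parts):
        raise ValueError("suspicious path segment")
    if not parts:
        return None
    filename = parts[-1]
    if ecosystem == "maven":
        # <group dirs>/<artifactId>/<version>/<artifactId>-<version>[-classifier].<ext>
        if len(parts) < 4:
            return None
        *group, artifact, version, _ = parts
        if not filename.startswith(f"{artifact}-{version}"):
            return None  # e.g. maven-metadata.xml
        return f"pkg:maven/{quote('.'.join(group))}/{quote(artifact)}@{quote(version)}"
    if ecosystem == "npm":
        # [@scope/]<name>/-/<name>-<version>.tgz
        if len(parts) not in (3, 4) or parts[-2] != "-" or not filename.endswith(".tgz"):
            return None
        name = parts[-3]
        version = filename[len(name) + 1:-len(".tgz")]
        if not filename.startswith(name + "-") or not version:
            return None
        scope = quote(parts[0], safe="") + "/" if len(parts) == 4 else ""
        return f"pkg:npm/{scope}{quote(name)}@{quote(version)}"
    if ecosystem == "pypi":
        if filename.endswith(".whl"):
            fields = filename[:-len(".whl")].split("-")  # name-version[-build]-py-abi-plat
            if len(fields) < 5:
                return None
            name, version = fields[0], fields[1]
        else:
            m = re.fullmatch(r"(.+)-([^-]+)\.(?:tar\.gz|zip)", filename)
            if not m:
                return None  # e.g. /simple/<name>/ index pages
            name, version = m.groups()
        # PURL type "pypi": name is lowercased and underscores become dashes.
        return f"pkg:pypi/{quote(name.replace('_', '-').lower())}@{quote(version)}"
    raise ValueError(f"unsupported ecosystem: {ecosystem}")
```

Paths that return None (index pages, metadata files) carry no version, so a policy decision keyed on name and version can only be made on the artifact download itself.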
