You should not let all your developers add Maven repositories as they wish. The repositories can be easily introduced by anyone via application POM files. This has to be restricted, and it's highly recommended that you define all your Maven repositories (including plugin repositories) in the parent POM file. In this way, you know where to look to make any changes.

It's even better that you completely avoid adding any repositories via application POM files, and whenever needed, introduce them via a repository manager. As in the case of the Apache Axis2 project, you can use the enforcer Maven plugin to ban anyone from introducing repositories. The following code shows the configuration:

<plugin> <artifactId>maven-enforcer-plugin</artifactId> ...