Hi Christine - What will be the criteria for determining the ‘right’ libraries? Most customers I talk to focus on known vulnerabilities and licenses. What they quickly realize is that a ‘clean’ library today could be a vulnerable library tomorrow. So a library’s status (clean, vulnerable, etc…) only applies to a certain point in time.
I also see many customers with a process where a person is the one that vets out what a ‘good’ library is for download, but this quickly becomes a bottleneck. This person must not only make sure the requested library is OK for use, but also all of its dependencies, which can go many levels deep.
Having said all of that, you can create a hosted repo where the repo manager person can upload the ‘right’ libraries. That person can use things like our OSS Index (https://ossindex.sonatype.org/) to check for vulnerabilities. Build tools/developers would need to point to this hosted repo. For example, for those using something like Maven, they would set their ‘mirrorOf’ setting to this hosted repo.
If you want to make this more automated, I encourage you to check out our Firewall and Lifecycle products.
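As an added illustration (not part of the original reply), here is what the Maven side of that setup looks like in a developer's `~/.m2/settings.xml`. The hostname `repo.example.internal` and the repository name `approved-libs` are placeholders for the hosted repo described above.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <!-- Route every repository request, including Maven Central, through
         the curated hosted repo. "*" matches all repository ids, so a
         build cannot silently fall back to an unvetted remote. -->
    <mirror>
      <id>approved-libs</id>
      <name>Curated hosted repository (placeholder)</name>
      <url>https://repo.example.internal/repository/approved-libs/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>

  <!-- Credentials for the hosted repo; keep them out of version control
       and prefer Maven's encrypted-password support over plain text. -->
  <servers>
    <server>
      <id>approved-libs</id>
      <username>${env.REPO_USER}</username>
      <password>${env.REPO_PASSWORD}</password>
    </server>
  </servers>
</settings>
```

Because the hosted repo only contains what the repo manager uploaded, a dependency (at any depth) that was never vetted simply fails to resolve, which is the point of the setup; the time-based caveat above still applies, so the uploaded contents need to be rechecked as new vulnerabilities are published.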