You can network-jail your builds to prevent pulling from external repos and force the build environment to define/capture its inputs.
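
One way to do this on Linux, shown as an added example rather than anything from the original comment: run the build step in an empty network namespace with `unshare`, and refuse to run at all if the namespace cannot be created. The function names are made up for the illustration, and it assumes the build host allows unprivileged user namespaces.

```shell
#!/bin/sh
# Added example: run a build step with no network access (Linux only).
# unshare -r maps the caller to root inside a new user namespace,
# unshare -n gives the command a fresh, empty network namespace.

# Succeeds only if this host can create the user + network namespaces.
jail_available() {
    command -v unshare >/dev/null 2>&1 &&
        unshare -r -n true >/dev/null 2>&1
}

# Run "$@" without network. Fails closed: when the jail cannot be set up,
# the command is not run unjailed and 125 is returned instead.
run_jailed() {
    if ! jail_available; then
        echo "run_jailed: no network namespace available, refusing: $*" >&2
        return 125
    fi
    unshare -r -n -- "$@"
}

# Sanity check: number of IPv4 routes the jailed command can see.
# A fresh namespace has no configured interfaces, so the table is empty.
jailed_route_count() {
    run_jailed awk 'NR > 1 { n++ } END { print n + 0 }' /proc/net/route
}

# When invoked with arguments, treat them as the build command to jail.
[ "$#" -eq 0 ] || run_jailed "$@"
```

Saved as a script (the name `netjail.sh` is arbitrary), `./netjail.sh make` runs the build offline, so any input that was not vendored or cached beforehand fails loudly instead of being fetched.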