diff --git a/build.gradle.kts b/build.gradle.kts
index b8b86a1570559..3989a1972f155 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -28,6 +28,7 @@ plugins {
     `java-base`
     gradlebuild.`build-types`
     gradlebuild.`ci-reporting`
+    gradlebuild.security
     // TODO Apply this plugin in the BuildScanConfigurationPlugin once binary plugins can apply plugins via the new plugin DSL
     // We have to apply it here at the moment, so that when the build scan plugin is auto-applied via --scan can detect that
     // the plugin has been already applied. For that the plugin has to be applied with the new plugin DSL syntax.
diff --git a/buildSrc/subprojects/plugins/src/main/kotlin/gradlebuild/security.gradle.kts b/buildSrc/subprojects/plugins/src/main/kotlin/gradlebuild/security.gradle.kts
new file mode 100644
index 0000000000000..19f00403ae31b
--- /dev/null
+++ b/buildSrc/subprojects/plugins/src/main/kotlin/gradlebuild/security.gradle.kts
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package gradlebuild
+
+import java.net.URI
+
+val allowedSchemes = setOf("https")
+val insecureRepos = mutableSetOf<String>()
+
+allprojects {
+    configurations.all {
+        incoming.beforeResolve {
+            repositories.forEach {
+                if (it is MavenArtifactRepository) {
+                    checkURLs(it, setOf(it.url))
+                    checkURLs(it, it.artifactUrls)
+                } else if (it is IvyArtifactRepository) {
+                    checkURLs(it, setOf(it.url))
+                }
+            }
+        }
+    }
+}
+
+gradle.buildFinished {
+    if (!insecureRepos.isEmpty()) {
+        throw GradleException("This build used insecure repositories:\n" + insecureRepos.joinToString("\n") + "Make sure to use HTTPS")
+    }
+}
+
+fun checkURLs(repository: ArtifactRepository, uris: Collection<URI>) = uris.forEach {
+    if (it.scheme.toLowerCase() !in allowedSchemes) {
+        insecureRepos.add("   Insecure repository '${repository.name}': $it")
+    }
+}