AWS CodeArtifact vs. Sonatype Platform

We have a small team with limited resources and it worked well for us. Hence I can conclude that AWS Code Artifact are well suited for organizations which have limited resources in terms of hardware and access to administrators for setting up artifact repository in-house. AWS Code Artifact is also suited particularly well for organization(s) which are already using AWS Services/Infrastructure (eg. EC2) . It works quite well with existing AWS services and completes the gap which existed in AWS offering for quite some time. Organizations can move their entire DevOps toolchain and infrastructure to Amazon. It is less appropriate for organization(s) which rely on artifacts like Debian, C/C++, Go etc as AWS does not support those fully.

Incentivized

- Guidance on remediation is very good - Vulnerability detection is very good - Support is very good - Ability to ask PMs/POs open questions at Office Hours every month is very good - Support for languages is lacking (TIOBE Index Top20) - Some features are un-neededly hidden and make the usage more complex then it needs to be

• Code Artifact is a cloud based artifact repository so there is no installation required.
• Code Artifact comes with out of the box security. Using RBAC and encryption
• Total cost of usage is less than setting up in-house servers
• It is accessible from any where.. so no additional network setup is required.

Incentivized

• Nexus firewall is a great feature enabled for all our proxy repositories which are used to download the third-party opensource packages.
• Nexus IQ is integrated with build stage to analyze the component against evaluation policy. This helps to figure out the application security standards.
• Nexus IQ is also having a feature to scan container images before it uploads to our private repository. This is great feature for container platforms.

• CodeArtifact does not support packages like debian. It will be nice to see them support that.
• Does not provide security scanning of the packages
• Lacks support for third party CI/CD toolchain like Jenkins

Incentivized

• Support on the end of life lifecycle of known open source components that are going end of life, or already went end of life
• Support for emerging infrastructure as code frameworks
• Support for native/ default retention, archiving and clean up policies for hosted repositories

Sonatype supports more than 200 dev(s). It proves with the repository to store the artifacts. Allows for governance of open source software used by the different teams. It is used by security teams to scan for vulnerabilities in software(s) and in the deployed containers. It helps ensure code quality.

Incentivized

Overall experience is great with the Platform; however, I see some opportunity with upgrading the platform as it is missing with data of historical scans to allow reviewer to get view of trend how the application/product development team is considering fixing the issues.

Incentivized

Extremely good

Sonatype products are great value as I said but a few areas like how products use underlying resources in order to make it further lightweight, is something I would like them to consider.

Monthly touchpoints with Sinisa has been very valuable.

Incentivized

easy to implement and performing the scans via automations as well

Incentivized

AWS CodeArtifact is an excellent choice for organization(s) which are looking to move their infrastructure and devops toolchain to Amazon. It is very useful for teams/organizations on limited budget or do not want to take on infrastructure and maintenance costs associated with the artifact repository. Other software solutions require resources for setting up and need ongoing maintenance.

Incentivized

Out of other products we evaluated before choosing Sonatype, the later looked far more user friendly, easy to understand and work with. This was key for us, as the tool needs to be used by many engineers that don't have security as their main focus. Having a tool that is easy to understand and work with, makes the process of evaluating open source dependencies much easier and appealing for developers.

Incentivized

Great value for money

Everything is very good except a little concern regarding large scale docker usage.

Very good

• Overall CodeArtifact has positive ROI on the our team. We had limited budget for procurement of server/administrators. With CodeArtifact we were able to get some savings.
• We were able to deliver faster hence customers were quite happy. That led to customer satisfaction
• We didnt have to invest on maintaining network infrastructure/uptime and security. That saved us quite a bit of hassle and funds.

Incentivized

• Sonatype's centralized management of artifacts have made it very easy for developers to share code in an efficient manner.
• Sonatype's low false positive rate has made it easier to convince developers to remediate vulnerabilities
• Sonatype's archaic architecture has made it more expensive to manage than it could be.