Docker vs. Sonatype Platform

You are going to be able to find the most resources and examples using Docker whenever you are working with a container orchestration software like Kubernetes. There will always some entropy when you run in a container, a containerized application will never be as purely performant as an app running directly on the OS. However, in most scenarios this loss will be negligible to the time saved in deployment, monitoring, etc.

Incentivized

- Guidance on remediation is very good - Vulnerability detection is very good - Support is very good - Ability to ask PMs/POs open questions at Office Hours every month is very good - Support for languages is lacking (TIOBE Index Top20) - Some features are un-neededly hidden and make the usage more complex then it needs to be

• Packaging of application to limit the space occupied
• Ease of running the application
• Provide multiple ways to handle the application issues and integration of different components like pipeline, ansible, terraform etc

• Nexus firewall is a great feature enabled for all our proxy repositories which are used to download the third-party opensource packages.
• Nexus IQ is integrated with build stage to analyze the component against evaluation policy. This helps to figure out the application security standards.
• Nexus IQ is also having a feature to scan container images before it uploads to our private repository. This is great feature for container platforms.

• Docker hub image retention policy can be relaxed
• Docker hub policies can be more developer friendly
• Docker CLI help section can be improved
• Image and container storage (local) management can be optimized

Incentivized

• Support on the end of life lifecycle of known open source components that are going end of life, or already went end of life
• Support for emerging infrastructure as code frameworks
• Support for native/ default retention, archiving and clean up policies for hosted repositories

Sonatype supports more than 200 dev(s). It proves with the repository to store the artifacts. Allows for governance of open source software used by the different teams. It is used by security teams to scan for vulnerabilities in software(s) and in the deployed containers. It helps ensure code quality.

Incentivized

I have been using Docker for more than 3 years and it really simplifies the modern application development and deployment. I like the ability of Docker to improve efficiency, portability and scalability for developers and operations teams. Another reason for giving this rating is because Docker integrates CI/CD pipelines very well

Incentivized

Overall experience is great with the Platform; however, I see some opportunity with upgrading the platform as it is missing with data of historical scans to allow reviewer to get view of trend how the application/product development team is considering fixing the issues.

Incentivized

Haven't seen any outages, fatal/unrecoverable errors in my usage so far. Enough said.

Incentivized

Extremely good

Docker Desktop. The CPU high usage is a known issue. Needs fixing. Otherwise, it is great overall. Would not use anything else still.

Incentivized

Sonatype products are great value as I said but a few areas like how products use underlying resources in order to make it further lightweight, is something I would like them to consider.

Monthly touchpoints with Sinisa has been very valuable.

Incentivized

easy to implement and performing the scans via automations as well

Incentivized

The reason why we are still using Docker right now is due to that is the best among its peers and suits our needs the best. However, the trend we foresee for the future might indicate Amazon lambda could potentially fit our needs to code enviornmentless in the near future.

Incentivized

Out of other products we evaluated before choosing Sonatype, the later looked far more user friendly, easy to understand and work with. This was key for us, as the tool needs to be used by many engineers that don't have security as their main focus. Having a tool that is easy to understand and work with, makes the process of evaluating open source dependencies much easier and appealing for developers.

Incentivized

Great value for money

It is the only tool in our toolset that has not [had] any issues so far. That is really a mark of reliability, and it's a testimony to how well the product is made, and a tool that does its job well is a tool well worth having. It is the base tool that I would say any organisation must have if they do scalable deployment.

Incentivized

Everything is very good except a little concern regarding large scale docker usage.

Very good

• Reduces the number of virtual machine which impacted our quarterly billing
• Using docker with proxy we run multiple application on same port on same host.
• impact on billing is we have to provide docker training to the people who are working on it.

• Sonatype's centralized management of artifacts have made it very easy for developers to share code in an efficient manner.
• Sonatype's low false positive rate has made it easier to convince developers to remediate vulnerabilities
• Sonatype's archaic architecture has made it more expensive to manage than it could be.