Sonatype Platform Reviews and Ratings

Rating: 8.6 out of 10

Score

8.6 out of 10

Community insights

TrustRadius Insights for Sonatype Platform are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.

Pros

Efficient Integration and Automation: Users have praised the platform for its seamless integration with CI/CD pipelines, making tasks more efficient and straightforward. Some users appreciate the automation capabilities that streamline processes.

Valuable Vulnerability Detection: The vulnerability detection feature provided has been found helpful by users in identifying vulnerabilities and malicious code within builds. Users value the developer-friendly vulnerability reports that aid in understanding and addressing security issues effectively.

Real-Time Monitoring Capabilities: Many users appreciate the real-time monitoring of components throughout the software development lifecycle offered by the platform. This key feature is seen as valuable for maintaining security standards and ensuring a proactive approach to security management.

Reviews

14 Reviews

Enables Development Teams to make informed decisions

Rating: 8 out of 10

Incentivized

January 3, 2025

Use Cases and Deployment Scope

We use the Sonatype Platform in the Software-Development-Process to make sure we a) are better informed on what goes live and what not and b) research what problems can be fixed how and when. Theese 2 tools help to make sure we also can add Quality-Gates to our CI/CD pipelines.

Pros

Inform about vulnerabilities and how to fix them
Make sure we load safe packages via a secure proxy
Create an inventory of apps with SBOMs to understand our products and the risks better
Host our own private packages
Integrations in IDE and Browsers
Awesome support
Fresh information every month at the "Office Hours"

Cons

Not all of the programming languages on the Top20 of TIOBE Index are covered - PHP is third party and breaks Upgrade-Paths to an external database currently
JetBrains IDE support is "only on Java", but shows for "all products" as enabled, which it isnt, this creates confusion on a daily/weekly basis
New feature Sonatype Developer is hidden behind "Tile Designs", you have to constantly switch between setups/environments/apps??? You always have to look for how to get back to the other apps. Very confusing on the developer side. Devs commonly want to use tools that are easy and help the workflow, not complicate it by beeing sort of hidden
Nexus Repos Log viewer is missing a "Date" selector, viewing the "last 25/50/100kb" in an active environment isnt that helpful
Nexus IQ is missing a system where i can setup footer-links for Legal-Purposes and also a tool that shows me my users, like Nexus Repo has built in

Likelihood to Recommend

- Guidance on remediation is very good

- Vulnerability detection is very good

- Support is very good

- Ability to ask PMs/POs open questions at Office Hours every month is very good

- Support for languages is lacking (TIOBE Index Top20)

- Some features are un-neededly hidden and make the usage more complex then it needs to be

Sebastian Schmidt

Senior Application Manager in Information Technology at WERTGARANTIE SE (501-1000 employees)

Vetted Review

2 years of experience

Sonatype Platform at scale

Rating: 9 out of 10

Incentivized

September 30, 2024

Use Cases and Deployment Scope

We at HTI use Sonatype products extensively. Specially Nexus repository manager, IQ & Firewall. We have a massive scale of our users almost 40k who are using our platform (Artefcats Management). We have many complex use cases, one of them being hosting docker on Nexus. We have millions of public, private & hosted images on our platform & lot of tier0 services depend on us for their build & deployments. Any outage or slowness on docker nexus instance impacts them heavily & its huge impact on our reputation as well as business. Sonatype team is regularly helping us tune our Nexus repository manager in such a way that our service is not only highly available but optimized enough to ensure our business continues as usual. Nexus repository manager as a tool has come long way & Sonatype team ensures we as a customer get the required features & service.

Pros

Improved repo manager
High Availability
Great Support
Continuously improving Lifecycle

Cons

Reporting in repository manager
Easy remediation process in IQ
Optimize resource utilization for Nexus & IQ

Likelihood to Recommend

With our experience, Nexus Repo Manager can support large volumes & complex use cases across technologies. I see a bit of a challenge when it comes to very large volumes of docker though but the Sonatype team does everything to support our use cases.

Navneet Mittal

Senior Manager in Product Management at HSBC (10,001+ employees)

Vetted Review

6 years of experience

Lives up to the hype

Rating: 10 out of 10

Incentivized

December 5, 2023

Use Cases and Deployment Scope

We have been utilizing Repository Manager and Lifecyle for approximately five years now. The entire software development team interacts with the Sonatype Platform on a daily basis. Repository Manager is used as a proxy to external repositories, store internally developed artifacts, and Docker images. Since all packages that developers retrieve flow through Repository Manager, we are able to enforce our open source best practices. Allowing us to prevent unauthorized packages from being implemented into projects. Repository Manager and Lifecycle are both integrated into our CI/CD pipeline. While Repository Manager is used to pull and deploy packages, Lifecycle is searching for vulnerabilities. With each build, we are receiving a report for all of the components. Based on the valuable data Sonatype provides us, we are able to make decisions on whether to allow the build to continue. This prevents any vulnerable component from being introduced to our environments. Lifecycle also allows us to view newly discovered vulnerabilities within applications that have already been deployed, so they can be resolved as well.

Overall, Sonatype Platform greatly reduces the risk we assume each day.

Pros

Easy integration and automation with CI/CD pipeline
Block unsupported packages
Developer friendly vulnerability reports
Vulnerability reporting
easily manage custom artifacts

Cons

Better abilities to share vulnerability reports
VS 2022 plugin is here, but it would be nice to use the plugin without having to specify an app within Lifecyle

Likelihood to Recommend

The different features Sonatype Platform offers checks all the boxes for us. From the artifact management with Repository Manager, to the vulnerability data from Lifecycle. Over the years it has proven itself, and I'm glad we went with the product.

Verified User

Manager in Information Technology (10,001+ employees)

Vetted Review

5 years of experience

Sonatype Platform (Nexus Lifecycle) - Proactive SCA & SBOM Management Tool

Rating: 8 out of 10

Incentivized

December 4, 2023

Use Cases and Deployment Scope

We use Sonatype Platform Nexus Lifecycle to manage and remediate source code vulnerabilities and also using it for real-time monitoring of components throughout the SDLC, alerting teams about security vulnerabilities and other policy violations. Also, we use it to enforce software license compliance by identifying components with specific licensing terms and managing issues related to it.

Pros

Security scanning and vulnerabilities management
Policy enforcements on components usage
Real-time monitoring of components throughout the SDLC
Provides reporting on vulnerability assessments
Sonatype Platform support is quite responsive

Cons

Limited feature in IDE plugins
Provide alternate component where no new version fix for vulnerability exists
Reporting can to be improved
Some functionalities are not there in UI and not accessible via API

Likelihood to Recommend

One of the best SCA tools available in market. Well suited for scenarios for where open source binaries are used. Also, allows users to minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Platform Lifecycle also gives the user complete control over their software supply chain, allowing them managing SDLC.

Verified User

Administrator in Information Technology (501-1000 employees)

Vetted Review

7 years of experience

Excellent Product Suite - Enables Proactive Vulnerability & SBOM Management

Rating: 10 out of 10

Incentivized

November 16, 2023

Use Cases and Deployment Scope

Top tier platform for identifying, remediating and managing known source code vulnerabilities across a large portfolio of applications. We incorporated Nexus Lifecycle scanning into our end to end pipelines with great success.

Pros

Vulnerability identification and best path to remediation.
Very well supported platform - exceptional customer service.
Ongoing monitoring of last released BOM per application and alerting of new vulnerabilities.

Cons

Recommendations for best Energy Consumption options based on existing BOM - e.g. replace component X with component Y to reduce CPU cycles.
More specific recommendations regarding Open Source Licensing - not just saying "Copyleft" but the next level of analysis (it's difficult - but would save a lot of time)
Provide specific component replacement options where no "next version" resolves a high severity vulnerability.

Likelihood to Recommend

Product suite fits nicely in a large enterprise environment with a lot of applications.

Frederick Farber

Enterprise Architect in Information Technology at BMW of North America (10,001+ employees)

Vetted Review

3 years of experience

Deliver Agile AppSec with Sonatype Platform NexusIQ!

Rating: 6 out of 10

Incentivized

November 7, 2023

Use Cases and Deployment Scope

Sonatype Platform's Nexus Lifecycle is used in my company in the DevSecOps Department. We were looking for an SCA tool that was truly developer-oriented. We'd like security tools to be transparent for the application team, to motivate them to use them across every SDLC stage - Sonatype Platform is really good for that. It allows us to scale relatively quickly and increase the 3rd party dependencies security posture monitoring across the whole company.

Pros

SBOM continuous monitoring
Easy SCM integration
Tool onboarding

Cons

Tool capabilities for dotnet technology
More detailed remediation steps
Better pre-commit feedback for developers
More out-of-the-box features

Likelihood to Recommend

1. Team onboarding - because of the simplicity of initial tool configuration and SCM integration, onboarding of the Sonatype Platform Lifecycle is really convenient for the new teams.

2. Sonatype Platform NexusIQ is really great for Java and JavaScript technologies - configuration is really easy and the detail level from the results helps the teams to understand and mitigate the risks

3. Support for dotnet is significantly lower than for Java and JS - there is no native SBOM generation and analysis results are less detailed.

4. Some features like automatic PRs/PRs commenting/Grandfathering may be hard to understand and configure

Verified User

Engineer in Information Technology (10,001+ employees)

Vetted Review

2 years of experience

Sonatype Nexus Lifecycle

Rating: 9 out of 10

Incentivized

October 27, 2023

Use Cases and Deployment Scope

Sonatype Nexus Lifecycle, we are able to identify issues with the 3rd party controls/components in our software very early into the development stage. Sonatype Lifecycle works very well within our DevOps practice, it helps us to implement continuous monitoring on 3rd party controls/components. It provides detailed reporting that helps us to understand the associated Vulnerabilities with the components and its dependencies.

Pros

Scan Speed/time
Detailed reports
Their own analysis

Cons

Provision to see the historical reporting/analysis with 3rd party components.

Likelihood to Recommend

Using SCA tool in development stage helps development teams to identify issues with the Open-Source Software/3rd party components early into the development stage. that overall helps organization to fix the issues with lesser cost compared while making a plan to fix after the product is fully developed. For all the new development we prefer to use SCA platform like Sonatype from the beginning.

Verified User

Advisor in Professional Services (1001-5000 employees)

Vetted Review

5 years of experience

Sonatype Platform as One Platform for multiple solutions

Rating: 8 out of 10

Incentivized

October 17, 2023

Use Cases and Deployment Scope

We use Sonatype Platform as a one solution for artifactory and DevSecOps lifecycle. Our use case is integrating Sonatype Platform in SDLC deliver through CICD. We use Sonatype Platform for OSS component evaluation.

Use cases:

1. OSS packages evaluation

2. Analyse the SCA (binary package scanning)

3. container image scan

all these use cases are in our CICD journey, and it accelerate our CICD deliverables.

Pros

Nexus firewall is a great feature enabled for all our proxy repositories which are used to download the third-party opensource packages.
Nexus IQ is integrated with build stage to analyze the component against evaluation policy. This helps to figure out the application security standards.
Nexus IQ is also having a feature to scan container images before it uploads to our private repository. This is great feature for container platforms.

Cons

Nexus IQ policy creation
Nexus repository manager clean up policy.
Nexus firewall quarantine auto release

Likelihood to Recommend

Sonatype Platform is suitable for big budget project where doesn't have storage issues.

Sonatype Platform is lacking some better dashboards for management perspective.

Verified User

Manager in Information Technology (501-1000 employees)

Vetted Review

6 years of experience

Sonatype Platform used at Enterprise scale make developers life easy

Rating: 9 out of 10

Incentivized

August 23, 2023

Use Cases and Deployment Scope

With over 3.000 business applications, 100 million lines of code, 500 development teams and roughly 1.500 builds per day, standardization, governance and control are key aspects we address with the Sonatype Platform.

Nexus Repository is used as the golden source for artifact management and acts as the crown jewel of the software development factory. All builds and off-the-shelf packages are pulled from Nexus prior to deployments downstream.

Any dependency that is consumed is first checked using Sonatype Firewall and subsequently scanned using Sonatype Lifecycle in the pipelines. Custom and default policies work together in securing our organization against attack vectors like malware, malicious components, security vulnerabilities, license violations and end of life dependencies.

Authorization to application information is centrally governed, access management too. Many integrations between pipelines running on Azure or on premise are centrally governed. Security reviews by expert teams is arranged through integration between Nexus Lifecycle and ServiceNow.

Risk Acceptance and other policy deviations are centrally managed and are used as vital information to assess the overall security posture of our organization.

Support for new technologies and assistance with remediation of new vulnerabilities that are found in components is received at a decent frequency by Sonatype.

Pros

Advice on remediation of vulnerabilities in open source components
Support for the top 20 most commonly used software development languages/ frameworks/ packages
Protection against threats from an early stage in the threat-lifecycle

Cons

Support on the end of life lifecycle of known open source components that are going end of life, or already went end of life
Support for emerging infrastructure as code frameworks
Support for native/ default retention, archiving and clean up policies for hosted repositories

Likelihood to Recommend

For a medium to large size organization with the possibility to setup a central support team to support the governance, maintenance and implementation of the Sonatype Platform, the product suite from Sonatype is very well suited. Setting up detailed configurations requires quite some effort and deep understanding of the Sonatype Platform. Whenever needed the support teams from Sonatype are available for technical and functional support. As well the Innovate platform of Sonatype offers customers to interact on specific topics and set up customer reference calls.

Verified User

Manager in Information Technology (10,001+ employees)

Vetted Review

7 years of experience

Nobody knows Open Source like Sonatype

Rating: 8 out of 10

Incentivized

July 21, 2023

Use Cases and Deployment Scope

Our company uses the Sonatype Platform to repose our developed artifacts, proxy to external open source repositories, and centrally manage the companies artifacts. We also use the Sonatype Platform to managed the SDLC related to license and security vulnerabilities via policy. We use the policies to prevent unwanted libraries from being brought into the environment, as well as inform developers on remediations that need to be made. We support more than 5000 developers that are distributed across the globe. The Sonatype Platform is an essential part of how we manage open source libraries, which is a core part of our software development. We are a financial services company, and therefore, we own data that is considered a high value target for bad actors. The Sonatype Platform is integrated throughout the development lifecycle.

Pros

Block unwanted open source libraries from entering our environment
Provides appropriate level information to help our developers identify and remediate vulnerabilities.
Cost effective enterprise management of open source libraries.
Provides enterprise level reporting on our vulnerability footprint.

Cons

Sonatype Platform architecture is antiquated and needs to be updated on modern technologies.
Sonatype Platform UI is lacking in several basic usability features
There needs to be better features and support for their IDE plugins.

Likelihood to Recommend

I don't think that Sonatype has any legitimate competitors regarding their knowledge of open source software. That knowledge is seamlessly woven into their products. They have extended the value of that knowledge by applying AI to their library analysis. The false positive rate is near 0. If you are not developing software using a large percentage of open source code, there may be better options. Or, if you value minimizing costs over remediating vulnerabilities, there are probably better tools.

Verified User

Director in Information Technology (10,001+ employees)

Vetted Review

15 years of experience

Loading Reviews List....

Sonatype Platform used at Enterprise scale make developers life easy

Rating: 9 out of 10

Incentivized

August 23, 2023

Use Cases and Deployment Scope

Risk Acceptance and other policy deviations are centrally managed and are used as vital information to assess the overall security posture of our organization.

Support for new technologies and assistance with remediation of new vulnerabilities that are found in components is received at a decent frequency by Sonatype.

Pros

Advice on remediation of vulnerabilities in open source components
Support for the top 20 most commonly used software development languages/ frameworks/ packages
Protection against threats from an early stage in the threat-lifecycle

Cons

Support on the end of life lifecycle of known open source components that are going end of life, or already went end of life
Support for emerging infrastructure as code frameworks
Support for native/ default retention, archiving and clean up policies for hosted repositories

Likelihood to Recommend

Verified User

Manager in Information Technology (10,001+ employees)

Vetted Review

7 years of experience