Skip to main content
TrustRadius
Sonatype Platform

Sonatype Platform

Overview

What is Sonatype Platform?

Sonatype secures the software supply chain and protects organizations' vital software development lifecycle(SDLC). The platform unites security teams and developers to accelerate digital innovation without sacrificing security or quality across the SDLC. With users among more than 2,000 organizations and…

Read more
Recent Reviews

Lives up to the hype

10 out of 10
December 05, 2023
We have been utilizing Repository Manager and Lifecyle for approximately five years now. The entire software development team interacts …
Continue reading
Read all reviews

Reviewer Pros & Cons

View all pros & cons
Verified User
Contributor in Information Technology
Telecommunications Company, 5001-10,000 employees
Verified User
Manager in Information Technology
Retail Company, 10,001+ employees
Return to navigation

Pricing

View all pricing

Sonatype Nexus Repository

$145

On Premise
per year per user

Sonatype Air-Gapped Environment Nexus Repository

$175

On Premise
per year per user

Sonatype Repository Firewall

$224

On Premise
per year per user

Entry-level set up fee?

  • Setup fee required
    Required
For the latest information on pricing, visithttps://www.sonatype.com/nexus/product…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $165 Per user per month, billed annually per user
Return to navigation

Product Details

What is Sonatype Platform?

Sonatype secures the software supply chain and protects organizations' vital software development lifecycle(SDLC). The platform unites security teams and developers to accelerate digital innovation without sacrificing security or quality across the SDLC. With users among more than 2,000 organizations and 15 million software developers, Sonatype tools and guidance help users to deliver and maintain exceptional and secure software. Core product offerings include:
  1. Sonatype Repository Firewall the first line of defense against against software supply chain attacks. It blocks malicious and suspicious packages, prevents known vulnerabilities and harmful open source releases from downloading into the repository, and automatically releases cleared components back into the development pipeline.
  2. Sonatype Lifecycle enables continuous monitoring of business critical applications that have been released or deployed to determine risk level and remediate vulnerabilities faster, with precise component intelligence. This helps to prevent unplanned work, security breaches, and maintainability issues with early detection and remediation.
  3. Sonatype Nexus Repository helps manage components, binaries and build artifacts across the entire software supply chain, serving billions of components to developers weekly so they can build more quickly and reliably.

Sonatype Platform Features

  • Supported: Continuous Monitoring
  • Supported: Policy Enforcement
  • Supported: Integrations and Language Support
  • Supported: Reporting & Analytics
  • Supported: Remediation
  • Supported: Flexible deployment options (Cloud, Self-hosted, Air-gapped)
  • Supported: Scalability
  • Supported: SBOM
  • Supported: Protection from unknown vulnerabilities
  • Supported: Hosted repository protection from namespace confusion attack
  • Supported: Suspicious auto-quarantine
  • Supported: Automated version replacement for dependencies
  • Supported: Support for artifactory enterprise

Sonatype Platform Screenshots

Screenshot of Sonatype LifecycleScreenshot of Sonatype Lifecycle - Chrome extensionScreenshot of Sonatype Advanced Legal PackScreenshot of Sonatype Nexus RepositoryScreenshot of Sonatype Nexus Repository ManagerScreenshot of Remediation of vulnerabilitiesScreenshot of Sonatype Lifecycle IntegrationsScreenshot of Sonatype Repository Firewall

Sonatype Platform Videos

"Run Anywhere" with Sonatype
Full Spectrum Software Supply Chain Automation

Sonatype Platform Integrations

Sonatype Platform Competitors

Sonatype Platform Technical Details

Deployment TypesOn-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating SystemsWindows, Linux, Mac
Mobile ApplicationNo
Supported CountriesNorth America, EMEA, APJ, Latin America
Supported LanguagesEnglish

Sonatype Platform Downloadables

Frequently Asked Questions

Sonatype Platform starts at $165.

Snyk, Veracode, and Black Duck Software Composition Analysis (SCA) are common alternatives for Sonatype Platform.

The most common users of Sonatype Platform are from Enterprises (1,001+ employees).

Sonatype Platform Customer Size Distribution

Consumers0%
Small Businesses (1-50 employees)0%
Mid-Size Companies (51-500 employees)10%
Enterprises (more than 500 employees)90%
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(18)

Attribute Ratings

Reviews

(1-4 of 4)
Companies can't remove reviews or game the system. Here's why
March 20, 2024

SonaType Nexus: Best platform for managing artifacts

Verified User
Contributor in Information Technology
Telecommunications Company, 5001-10,000 employees
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
In our organization we use Sonatype's Nexus Platform to manage repositories, artifacts like docker images and libraries and to distribute/share artifacts amongst different teams. Integrates well with gitlab/github repositories making it a good choice as repository manager. It has web browser to browse different artifacts and manage the artifacts (deprecate the ones not required)
Some teams use Nexus Lifecycle to identify vulnerabilities in build components and has been great help!
Pros and Cons
  • Store and share artifacts likes java libraries and docker images
  • Find vulnerabilities and malicious code in the builds using LifeCycle
  • Integrates quite well with Gitlab ci/cd and provides
  • Managing/browsing different artifacts in the repo
  • UI can be improved. The error messages can be made clearer.
  • Repository mirroring between Nexus and Artifactory breaks from time to time
  • We have run into issues with Nexus and various plug-ins specifically maven from time to time.
Likelihood to Recommend
We use two modules of Sonatype Nexus platform, Nexus LifeCycle and Nexus Repository.
  • Nexus Repository: Nexus Repository is a good choice for being a repository manager. IAs such it does a good job of mirroring external repositories like artifactory etc. It saves network bandwidth/hard ware costs by allowing the teams to share artifacts with each other. Repository UI allows managing different artifacts. For bulk operations, CLI provides a value add. Support is available and helpful. Its a great choice is one is looking for repository manager which comes with support.
  • Nexus LifeCycle : Provides checking the vulnerabilities in the builds. It is probably the best thing which Nexus offers. It comes with its REST api. Artifacts can be checked before getting deployed.
Most Important Features
  • Management of artifact's using Sonatype Repository manager
  • Checking for Vulnerabilities using Sonatype's LifeCycle
  • Sharing of artifacts using Nexus Repository
  • Integration with Gitlab for CI/CD operations
Return on Investment
  • Sonatype Nexus has a positive ROI my organization. It has saved cost of hardware and network bandwidth by acting as repository manager
  • It has eliminated vulnerability threats by checking the components for security risk and vulnerabilities
  • It has allowed the management of the artifacts thus saving on the disk space on servers
Alternatives Considered
Sonatype nexus platform is an excellent choice in comparison to the other products. As a platform it is a combination of various modules plus it comes with the support. So its a great choice for organizations which are not looking for open source. Nexus comes with LifeCycle and IQ servers. Lifecycle performs the vulnerability assessment on the builds/artifacts thus making sure the systems are not compromised.
Other products are good choice if one is looking for open-source as repository manager. They are not a platform.
Other Software Used
Users and Roles
200
Sonatype platform is used by the various teams which includes security compliance, software governance teams and developers The nexus repository is the since source of truth for all artifacts. LCM helps with the automation of open sources selection. Security teams use various features of platform to perform vulnerability scanning of various containers and artifacts.
Support Headcount Required
8
The skills of the team varies. The profile includes Network Engineers who are responsible for managing firewalls and access. System Admins are responsible for maintaining the user access, repos and troubleshooting admin problems Devops is involved in creating various scripts to create repos and creating custom cleanup policies using groovy.
Business Processes Supported
  • Vulnerability scanning
  • Opensource governance
  • Artifact repository
Innovative Uses
  • Allowing policy compliant packages
  • Performing software composition analysis
  • Container image scanning
Future Planned Uses
  • Operational Risk Analysis (info on outdated software)
  • Create tickets from software vulnerability automatically
  • Use auditor function
Likelihood to Renew
8
Sonatype supports more than 200 dev(s). It proves with the repository to store the artifacts. Allows for governance of open source software used by the different teams. It is used by security teams to scan for vulnerabilities in software(s) and in the deployed containers. It helps ensure code quality.
December 05, 2023

Lives up to the hype

Verified User
Manager in Information Technology
Retail Company, 10,001+ employees
Score 10 out of 10
Vetted Review
Verified User
Use Cases and Deployment Scope
We have been utilizing Repository Manager and Lifecyle for approximately five years now. The entire software development team interacts with the Sonatype Platform on a daily basis. Repository Manager is used as a proxy to external repositories, store internally developed artifacts, and Docker images. Since all packages that developers retrieve flow through Repository Manager, we are able to enforce our open source best practices. Allowing us to prevent unauthorized packages from being implemented into projects. Repository Manager and Lifecycle are both integrated into our CI/CD pipeline. While Repository Manager is used to pull and deploy packages, Lifecycle is searching for vulnerabilities. With each build, we are receiving a report for all of the components. Based on the valuable data Sonatype provides us, we are able to make decisions on whether to allow the build to continue. This prevents any vulnerable component from being introduced to our environments. Lifecycle also allows us to view newly discovered vulnerabilities within applications that have already been deployed, so they can be resolved as well.<br><br>Overall, Sonatype Platform greatly reduces the risk we assume each day.
Pros and Cons
  • Easy integration and automation with CI/CD pipeline
  • Block unsupported packages
  • Developer friendly vulnerability reports
  • Vulnerability reporting
  • easily manage custom artifacts
  • Better abilities to share vulnerability reports
  • VS 2022 plugin is here, but it would be nice to use the plugin without having to specify an app within Lifecyle
Likelihood to Recommend
The different features Sonatype Platform offers checks all the boxes for us. From the artifact management with Repository Manager, to the vulnerability data from Lifecycle. Over the years it has proven itself, and I'm glad we went with the product.
Most Important Features
  • Blocking builds
  • Vulnerability scans
  • package management
  • blocking packages
Return on Investment
  • Reduces the risk of using open source libraries
  • Allows easy artifact management
  • Easy integration
November 07, 2023

Deliver Agile AppSec with Sonatype Platform NexusIQ!

Verified User
Engineer in Information Technology
Automotive Company, 10,001+ employees
Score 6 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
Sonatype Platform's Nexus Lifecycle is used in my company in the DevSecOps Department. We were looking for an SCA tool that was truly developer-oriented. We'd like security tools to be transparent for the application team, to motivate them to use them across every SDLC stage - Sonatype Platform is really good for that. It allows us to scale relatively quickly and increase the 3rd party dependencies security posture monitoring across the whole company.
Pros and Cons
  • SBOM continuous monitoring
  • Easy SCM integration
  • Tool onboarding
  • Tool capabilities for dotnet technology
  • More detailed remediation steps
  • Better pre-commit feedback for developers
  • More out-of-the-box features
Likelihood to Recommend
1. Team onboarding - because of the simplicity of initial tool configuration and SCM integration, onboarding of the Sonatype Platform Lifecycle is really convenient for the new teams.
2. Sonatype Platform NexusIQ is really great for Java and JavaScript technologies - configuration is really easy and the detail level from the results helps the teams to understand and mitigate the risks
3. Support for dotnet is significantly lower than for Java and JS - there is no native SBOM generation and analysis results are less detailed.
4. Some features like automatic PRs/PRs commenting/Grandfathering may be hard to understand and configure
Most Important Features
  • Give us visibility on the security posture of 3rd party dependencies used
  • Enable continuous monitoring to react on zero-day vulnerabilities quicker
  • Dashboards and reporting capabilities are easy to understand for management
Return on Investment
  • Less vulnerabilities in our products
  • SCA implementation in SSDLC
  • Dotnet configuration is more challenging comparing to other technologies
Alternatives Considered
  • Black Duck Software Composition Analysis (SCA)
Sonatype Platform's Nexus Lifecycle performs pretty great while talking about security vulnerabilities. It uses multiple vulnerability databases and provides really detailed reports. The tool is easy to use for endusers on different levels: within the IDE, CI pipeline and in maintenance level.
BlackDuck is a tool that is better from the licence management perspective, however it is harder to use and configure. I really like the way how BD calculates the risk, however this feature is also available in Sonatype Platform NexusIQ now.
July 21, 2023

Get you covered - Scan your Open Source Dependencies

Verified User
Engineer in Research & Development
Computer Networking Company, 5001-10,000 employees
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
We use Sonatype Lifecycle to scan our open software dependencies and raise issues if these are vulnerable. It is easy to integrate this scan with a CI tool, the scan itself takes seconds and you can see the results in the log output or in a link that opens Sonatype Lifecycle report. The report is easy to understand, categorizing the vulnerabilities by its severity. You can look at lots of details for each vulnerability, this helps greatly identifying if you are vulnerable to the issue and if there is a new version of the dependency available that fixes the issue.

Pros and Cons
  • Scan all open source dependencies, looking for vulnerabilities
  • Detailed information about each vulnerability
  • Great customer support!
  • Container scanning is cumbersome, difficult to get it working
  • If you look at a scan result in the dashboard, you cannot see the git branch where it was produced (you only see the commit hash)
Likelihood to Recommend
Sonatype Lifecycle is a strong product when it comes to scanning open source dependencies. I works really good with modern languages where using a dependency manager tool (gradle, maven, npm, pip...). It struggles more with projects where dependencies are manually managed like C/C++ legacy projects.

You can also scan a container, looking for vulnerabilities in the image itself. This works fine although a little bit more difficult to setup than the application dependency scans. If your product is container based, with Sonatype Lifecycle you have all your software footprint scanned.
Most Important Features
  • Dependency Scanning
  • License Check
  • Reporting and mitigation information
Return on Investment
  • Helps us to meet our security requirements
  • Helps us keeping our open source dependencies up to date
  • Helps us managing licenses, ensuring all components we use are ok to be used in a commercial scenario
Alternatives Considered
Out of other products we evaluated before choosing Sonatype, the later looked far more user friendly, easy to understand and work with. This was key for us, as the tool needs to be used by many engineers that don't have security as their main focus. Having a tool that is easy to understand and work with, makes the process of evaluating open source dependencies much easier and appealing for developers.
Return to navigation