Skip to main content
TrustRadius
Sonatype Platform

Sonatype Platform

Overview

What is Sonatype Platform?

Sonatype secures the software supply chain and protects organizations' vital software development lifecycle(SDLC). The platform unites security teams and developers to accelerate digital innovation without sacrificing security or quality across the SDLC. With users among more than 2,000 organizations and…

Read more
Recent Reviews

Lives up to the hype

10 out of 10
December 05, 2023
We have been utilizing Repository Manager and Lifecyle for approximately five years now. The entire software development team interacts …
Continue reading
Read all reviews

Reviewer Pros & Cons

View all pros & cons
Verified User
Contributor in Information Technology
Telecommunications Company, 5001-10,000 employees
Verified User
Manager in Information Technology
Retail Company, 10,001+ employees
Return to navigation

Pricing

View all pricing

Sonatype Nexus Repository

$145

On Premise
per year per user

Sonatype Air-Gapped Environment Nexus Repository

$175

On Premise
per year per user

Sonatype Repository Firewall

$224

On Premise
per year per user

Entry-level set up fee?

  • Setup fee required
    Required
For the latest information on pricing, visithttps://www.sonatype.com/nexus/product…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Starting price (does not include set up fee)

  • $165 Per user per month, billed annually per user
Return to navigation

Product Details

What is Sonatype Platform?

Sonatype secures the software supply chain and protects organizations' vital software development lifecycle(SDLC). The platform unites security teams and developers to accelerate digital innovation without sacrificing security or quality across the SDLC. With users among more than 2,000 organizations and 15 million software developers, Sonatype tools and guidance help users to deliver and maintain exceptional and secure software. Core product offerings include:
  1. Sonatype Repository Firewall the first line of defense against against software supply chain attacks. It blocks malicious and suspicious packages, prevents known vulnerabilities and harmful open source releases from downloading into the repository, and automatically releases cleared components back into the development pipeline.
  2. Sonatype Lifecycle enables continuous monitoring of business critical applications that have been released or deployed to determine risk level and remediate vulnerabilities faster, with precise component intelligence. This helps to prevent unplanned work, security breaches, and maintainability issues with early detection and remediation.
  3. Sonatype Nexus Repository helps manage components, binaries and build artifacts across the entire software supply chain, serving billions of components to developers weekly so they can build more quickly and reliably.

Sonatype Platform Features

  • Supported: Continuous Monitoring
  • Supported: Policy Enforcement
  • Supported: Integrations and Language Support
  • Supported: Reporting & Analytics
  • Supported: Remediation
  • Supported: Flexible deployment options (Cloud, Self-hosted, Air-gapped)
  • Supported: Scalability
  • Supported: SBOM
  • Supported: Protection from unknown vulnerabilities
  • Supported: Hosted repository protection from namespace confusion attack
  • Supported: Suspicious auto-quarantine
  • Supported: Automated version replacement for dependencies
  • Supported: Support for artifactory enterprise

Sonatype Platform Screenshots

Screenshot of Sonatype LifecycleScreenshot of Sonatype Lifecycle - Chrome extensionScreenshot of Sonatype Advanced Legal PackScreenshot of Sonatype Nexus RepositoryScreenshot of Sonatype Nexus Repository ManagerScreenshot of Remediation of vulnerabilitiesScreenshot of Sonatype Lifecycle IntegrationsScreenshot of Sonatype Repository Firewall

Sonatype Platform Videos

"Run Anywhere" with Sonatype
Full Spectrum Software Supply Chain Automation

Sonatype Platform Integrations

Sonatype Platform Competitors

Sonatype Platform Technical Details

Deployment TypesOn-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating SystemsWindows, Linux, Mac
Mobile ApplicationNo
Supported CountriesNorth America, EMEA, APJ, Latin America
Supported LanguagesEnglish

Sonatype Platform Downloadables

Frequently Asked Questions

Sonatype Platform starts at $165.

Snyk, Veracode, and Black Duck Software Composition Analysis (SCA) are common alternatives for Sonatype Platform.

The most common users of Sonatype Platform are from Enterprises (1,001+ employees).

Sonatype Platform Customer Size Distribution

Consumers0%
Small Businesses (1-50 employees)0%
Mid-Size Companies (51-500 employees)10%
Enterprises (more than 500 employees)90%
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(18)

Attribute Ratings

Reviews

(1-7 of 7)
Companies can't remove reviews or game the system. Here's why
March 20, 2024

SonaType Nexus: Best platform for managing artifacts

Verified User
Contributor in Information Technology
Telecommunications Company, 5001-10,000 employees
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
In our organization we use Sonatype's Nexus Platform to manage repositories, artifacts like docker images and libraries and to distribute/share artifacts amongst different teams. Integrates well with gitlab/github repositories making it a good choice as repository manager. It has web browser to browse different artifacts and manage the artifacts (deprecate the ones not required)
Some teams use Nexus Lifecycle to identify vulnerabilities in build components and has been great help!
Pros and Cons
  • Store and share artifacts likes java libraries and docker images
  • Find vulnerabilities and malicious code in the builds using LifeCycle
  • Integrates quite well with Gitlab ci/cd and provides
  • Managing/browsing different artifacts in the repo
  • UI can be improved. The error messages can be made clearer.
  • Repository mirroring between Nexus and Artifactory breaks from time to time
  • We have run into issues with Nexus and various plug-ins specifically maven from time to time.
Likelihood to Recommend
We use two modules of Sonatype Nexus platform, Nexus LifeCycle and Nexus Repository.
  • Nexus Repository: Nexus Repository is a good choice for being a repository manager. IAs such it does a good job of mirroring external repositories like artifactory etc. It saves network bandwidth/hard ware costs by allowing the teams to share artifacts with each other. Repository UI allows managing different artifacts. For bulk operations, CLI provides a value add. Support is available and helpful. Its a great choice is one is looking for repository manager which comes with support.
  • Nexus LifeCycle : Provides checking the vulnerabilities in the builds. It is probably the best thing which Nexus offers. It comes with its REST api. Artifacts can be checked before getting deployed.
December 04, 2023

Sonatype Platform (Nexus Lifecycle) - Proactive SCA & SBOM Management Tool

Verified User
Administrator in Information Technology
Banking Company, 501-1000 employees
Score 8 out of 10
Vetted Review
Verified User
Use Cases and Deployment Scope
We use Sonatype Platform Nexus Lifecycle to manage and remediate source code vulnerabilities and also using it for real-time monitoring of components throughout the SDLC, alerting teams about security vulnerabilities and other policy violations. Also, we use it to enforce software license compliance by identifying components with specific licensing terms and managing issues related to it.
Pros and Cons
  • Security scanning and vulnerabilities management
  • Policy enforcements on components usage
  • Real-time monitoring of components throughout the SDLC
  • Provides reporting on vulnerability assessments
  • Sonatype Platform support is quite responsive
  • Limited feature in IDE plugins
  • Provide alternate component where no new version fix for vulnerability exists
  • Reporting can to be improved
  • Some functionalities are not there in UI and not accessible via API
Likelihood to Recommend
One of the best SCA tools available in market. Well suited for scenarios for where open source binaries are used. Also, allows users to minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Platform Lifecycle also gives the user complete control over their software supply chain, allowing them managing SDLC.
October 27, 2023

Sonatype Nexus Lifecycle

Verified User
Advisor in Professional Services
Computer Software Company, 1001-5000 employees
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
Sonatype Nexus Lifecycle, we are able to identify issues with the 3rd party controls/components in our software very early into the development stage. Sonatype Lifecycle works very well within our DevOps practice, it helps us to implement continuous monitoring on 3rd party controls/components. It provides detailed reporting that helps us to understand the associated Vulnerabilities with the components and its dependencies.
Pros and Cons
  • Scan Speed/time
  • Detailed reports
  • Their own analysis
  • Provision to see the historical reporting/analysis with 3rd party components.
Likelihood to Recommend
Using SCA tool in development stage helps development teams to identify issues with the Open-Source Software/3rd party components early into the development stage. that overall helps organization to fix the issues with lesser cost compared while making a plan to fix after the product is fully developed. For all the new development we prefer to use SCA platform like Sonatype from the beginning.
July 21, 2023

Nobody knows Open Source like Sonatype

Verified User
Director in Information Technology
Financial Services Company, 10,001+ employees
Score 8 out of 10
Vetted Review
Verified User
Use Cases and Deployment Scope
Our company uses the Sonatype Platform to repose our developed artifacts, proxy to external open source repositories, and centrally manage the companies artifacts. We also use the Sonatype Platform to managed the SDLC related to license and security vulnerabilities via policy. We use the policies to prevent unwanted libraries from being brought into the environment, as well as inform developers on remediations that need to be made. We support more than 5000 developers that are distributed across the globe. The Sonatype Platform is an essential part of how we manage open source libraries, which is a core part of our software development. We are a financial services company, and therefore, we own data that is considered a high value target for bad actors. The Sonatype Platform is integrated throughout the development lifecycle.
Pros and Cons
  • Block unwanted open source libraries from entering our environment
  • Provides appropriate level information to help our developers identify and remediate vulnerabilities.
  • Cost effective enterprise management of open source libraries.
  • Provides enterprise level reporting on our vulnerability footprint.
  • Sonatype Platform architecture is antiquated and needs to be updated on modern technologies.
  • Sonatype Platform UI is lacking in several basic usability features
  • There needs to be better features and support for their IDE plugins.
Likelihood to Recommend
I don't think that Sonatype has any legitimate competitors regarding their knowledge of open source software. That knowledge is seamlessly woven into their products. They have extended the value of that knowledge by applying AI to their library analysis. The false positive rate is near 0. If you are not developing software using a large percentage of open source code, there may be better options. Or, if you value minimizing costs over remediating vulnerabilities, there are probably better tools.
July 21, 2023

Get you covered - Scan your Open Source Dependencies

Verified User
Engineer in Research & Development
Computer Networking Company, 5001-10,000 employees
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
We use Sonatype Lifecycle to scan our open software dependencies and raise issues if these are vulnerable. It is easy to integrate this scan with a CI tool, the scan itself takes seconds and you can see the results in the log output or in a link that opens Sonatype Lifecycle report. The report is easy to understand, categorizing the vulnerabilities by its severity. You can look at lots of details for each vulnerability, this helps greatly identifying if you are vulnerable to the issue and if there is a new version of the dependency available that fixes the issue.

Pros and Cons
  • Scan all open source dependencies, looking for vulnerabilities
  • Detailed information about each vulnerability
  • Great customer support!
  • Container scanning is cumbersome, difficult to get it working
  • If you look at a scan result in the dashboard, you cannot see the git branch where it was produced (you only see the commit hash)
Likelihood to Recommend
Sonatype Lifecycle is a strong product when it comes to scanning open source dependencies. I works really good with modern languages where using a dependency manager tool (gradle, maven, npm, pip...). It struggles more with projects where dependencies are manually managed like C/C++ legacy projects.

You can also scan a container, looking for vulnerabilities in the image itself. This works fine although a little bit more difficult to setup than the application dependency scans. If your product is container based, with Sonatype Lifecycle you have all your software footprint scanned.
May 07, 2022

SonaType Nexus is the right tool to manage all your projects dependencies

Verified User
Team Lead in Information Technology
Utilities Company, 1001-5000 employees
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
We use Nexus as a repository for our code artifacts for different languages. Mainly for JavaScript/Typescript libraries and Java libraries but also docker images. The libraries are typically provided for multiple projects. Another use-case is to use Nexus as a proxy to other Maven-based repositories.
Pros and Cons
  • Manage different versions of java artifacts.
  • Works as a package manager for JavaScript based apps.
  • User management integrated with our company active directory server.
  • The user interface is complex and not easy to understand for first time users.
  • The administration and configuration is kind of complex.
Likelihood to Recommend
Sonatype Nexus works well as an artifact repository for different programming languages. If set up correctly it is very easy to use in your Maven or Gradle scripts to manage your dependencies. It is also easy to aggregate different public repositories and manage access to these public repositories.
April 21, 2022

Sonatype to keep track of your libraries and binaries

Verified User
Engineer in Information Technology
Government Administration Company, 1001-5000 employees
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Use Cases and Deployment Scope
We use the Nexus platform to keep track of our built test and production binaries and to make it easy to access third-party libraries used by our system at compile time. It’s used on daily basis in all our development teams in the organization. Related to third-party libraries, Nexus is used to ensure we have a cached version in-house in case the online source disappears.
Pros and Cons
  • Keep track of built artifacts.
  • Makes it possible to browse available artifacts.
  • Search and find new libraries and their latest version.
  • User interface could be improved.
  • Integration with development IDE could be improved.
Likelihood to Recommend
The Sonatype Nexus Platform is suitable if you have a need to either keep old historical versions of your builds. It’s also suitable if you have a need to ensure you can build old versions of your system even if the online source of a third-party library becomes unavailable. It's hard to justify the complexity of the platform if you are doing one-time prototyping and never have a need to go back to old builds.
Return to navigation