Sonatype Platform

In our organization we use Sonatype's Nexus Platform to manage repositories, artifacts like docker images and libraries and to distribute/share artifacts amongst different teams. Integrates well with gitlab/github repositories making it a good choice as repository manager. It has web browser to browse different artifacts and manage the artifacts (deprecate the ones not required)
Some teams use Nexus Lifecycle to identify vulnerabilities in build components and has been great help!

We have been utilizing Repository Manager and Lifecyle for approximately five years now. The entire software development team interacts with the Sonatype Platform on a daily basis. Repository Manager is used as a proxy to external repositories, store internally developed artifacts, and Docker images. Since all packages that developers retrieve flow through Repository Manager, we are able to enforce our open source best practices. Allowing us to prevent unauthorized packages from being implemented into projects. Repository Manager and Lifecycle are both integrated into our CI/CD pipeline. While Repository Manager is used to pull and deploy packages, Lifecycle is searching for vulnerabilities. With each build, we are receiving a report for all of the components. Based on the valuable data Sonatype provides us, we are able to make decisions on whether to allow the build to continue. This prevents any vulnerable component from being introduced to our environments. Lifecycle also allows us to view newly discovered vulnerabilities within applications that have already been deployed, so they can be resolved as well.<br><br>Overall, Sonatype Platform greatly reduces the risk we assume each day.

We use Sonatype Platform Nexus Lifecycle to manage and remediate source code vulnerabilities and also using it for real-time monitoring of components throughout the SDLC, alerting teams about security vulnerabilities and other policy violations. Also, we use it to enforce software license compliance by identifying components with specific licensing terms and managing issues related to it.

Top tier platform for identifying, remediating and managing known source code vulnerabilities across a large portfolio of applications. We incorporated Nexus Lifecycle scanning into our end to end pipelines with great success.

Sonatype Platform's Nexus Lifecycle is used in my company in the DevSecOps Department. We were looking for an SCA tool that was truly developer-oriented. We'd like security tools to be transparent for the application team, to motivate them to use them across every SDLC stage - Sonatype Platform is really good for that. It allows us to scale relatively quickly and increase the 3rd party dependencies security posture monitoring across the whole company.

Sonatype Nexus Lifecycle, we are able to identify issues with the 3rd party controls/components in our software very early into the development stage. Sonatype Lifecycle works very well within our DevOps practice, it helps us to implement continuous monitoring on 3rd party controls/components. It provides detailed reporting that helps us to understand the associated Vulnerabilities with the components and its dependencies.

We use Sonatype Platform as a one solution for artifactory and DevSecOps lifecycle. Our use case is integrating Sonatype Platform in SDLC deliver through CICD. We use Sonatype Platform for OSS component evaluation.
Use cases:
1. OSS packages evaluation
2. Analyse the SCA (binary package scanning)
3. container image scan
all these use cases are in our CICD journey, and it accelerate our CICD deliverables.

With over 3.000 business applications, 100 million lines of code, 500 development teams and roughly 1.500 builds per day, standardization, governance and control are key aspects we address with the Sonatype Platform.

Nexus Repository is used as the golden source for artifact management and acts as the crown jewel of the software development factory. All builds and off-the-shelf packages are pulled from Nexus prior to deployments downstream.

Any dependency that is consumed is first checked using Sonatype Firewall and subsequently scanned using Sonatype Lifecycle in the pipelines. Custom and default policies work together in securing our organization against attack vectors like malware, malicious components, security vulnerabilities, license violations and end of life dependencies.

Authorization to application information is centrally governed, access management too. Many integrations between pipelines running on Azure or on premise are centrally governed. Security reviews by expert teams is arranged through integration between Nexus Lifecycle and ServiceNow.

Risk Acceptance and other policy deviations are centrally managed and are used as vital information to assess the overall security posture of our organization.

Support for new technologies and assistance with remediation of new vulnerabilities that are found in components is received at a decent frequency by Sonatype.

Our company uses the Sonatype Platform to repose our developed artifacts, proxy to external open source repositories, and centrally manage the companies artifacts. We also use the Sonatype Platform to managed the SDLC related to license and security vulnerabilities via policy. We use the policies to prevent unwanted libraries from being brought into the environment, as well as inform developers on remediations that need to be made. We support more than 5000 developers that are distributed across the globe. The Sonatype Platform is an essential part of how we manage open source libraries, which is a core part of our software development. We are a financial services company, and therefore, we own data that is considered a high value target for bad actors. The Sonatype Platform is integrated throughout the development lifecycle.

We use Sonatype Lifecycle to scan our open software dependencies and raise issues if these are vulnerable. It is easy to integrate this scan with a CI tool, the scan itself takes seconds and you can see the results in the log output or in a link that opens Sonatype Lifecycle report. The report is easy to understand, categorizing the vulnerabilities by its severity. You can look at lots of details for each vulnerability, this helps greatly identifying if you are vulnerable to the issue and if there is a new version of the dependency available that fixes the issue.

We use Nexus as a repository for our code artifacts for different languages. Mainly for JavaScript/Typescript libraries and Java libraries but also docker images. The libraries are typically provided for multiple projects. Another use-case is to use Nexus as a proxy to other Maven-based repositories.

We use the Nexus platform to keep track of our built test and production binaries and to make it easy to access third-party libraries used by our system at compile time. It’s used on daily basis in all our development teams in the organization. Related to third-party libraries, Nexus is used to ensure we have a cached version in-house in case the online source disappears.