We compared GitLab and Sonatype Nexus Lifecycle in five categories, based on our users' reviews. Our conclusion, drawn from all of the collected review data, follows.
Comparison Results: Based on the parameters we compared, Sonatype Nexus Lifecycle comes out ahead of GitLab. Both products have valuable features and can be considered high-end solutions, but our reviewers found GitLab's price higher and its long-term support less certain.
"The most valuable features of GitLab are integration with CIE and the ability to rapidly deploy solutions, projects, and applications. It is very easy to use, and there are no complaints."
"The stability is good."
"Key features allow creation of well-presented Wiki that includes ideas, development, and domains."
"The most valuable features of GitLab are ease of use and highly intuitive UI and performance."
"The tool helps to integrate CI/CD pipeline deployments. It is very easy to learn. Its security model is good."
"The solution has an established roadmap that lays out its plans for upgrades over the next two to three years."
"The most valuable features of GitLab are the CI/CD pipeline and code management."
"The most valuable features of GitLab are the review, patch repo, and plans are in YAML."
"The key feature for Nexus Lifecycle is the proprietary data they have on vulnerabilities. The way that they combine all the different sources and also their own research into one concise article that clearly explains what the problem is. Most of the time, and even if you do notice that you have a problem, the public information available is pretty weak. So, if we want to assess if a problem applies to our product, it's really hard. We need to invest a lot of time digging into the problem. This work is basically done by Sonatype for us. The data that it delivers helps us with fixing or understanding the issue a lot quicker than without it."
"The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository."
"Vulnerability detection accuracy is good."
"The reference provided for each issue is extremely helpful."
"The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?"
"The Software Security Center, which is often overlooked, stands out as the most effective feature."
"The solution is very easy to use."
"The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable."
"I believe there's room for improvement in the advanced features, particularly in enhancing the pipeline functionalities."
"It should be used by a larger number of people. They should raise awareness."
"GitLab's Windows version is not yet available, and having this would be an improvement."
"When deploying the solution on cloud and the CI/CD pipeline, we have to define the steps and it becomes confusing."
"It is a little complex to set up the pipelines within the solution."
"I used Spring Cloud config and to connect that to GitLab was so hard."
"We have only seen a couple of issues on GitLab, which we use for building some of the applications."
"The initial setup was quite challenging because it takes some time to understand how to pull out or push the code."
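Two of the GitLab complaints above are about defining pipeline steps in YAML. The following is an added example written for this page, not code from the original page, from GitLab or from Sonatype. It shows what a minimal pipeline looks like when the two products being compared run side by side: GitLab's own Dependency Scanning template and a Sonatype Lifecycle (IQ Server) policy evaluation of the same build output. The Maven project layout (target/), the IQ Server URL and credential variables, the application ID my-app, the CLI download location and the CLI flag names are all assumptions; check the flags against the help output of the CLI version you actually run.

```yaml
# Added example for this comparison; not the page's, GitLab's or Sonatype's code.
# Assumptions (none are stated on the page):
#   - a Maven project whose build lands in target/
#   - an IQ Server reachable at $IQ_SERVER_URL with an application registered
#     under the public ID "my-app"
#   - masked CI/CD variables IQ_USER, IQ_PASSWORD and IQ_CLI_VERSION
#   - the Sonatype CLI jar download path and its long flag names, which may
#     differ between releases: verify with `java -jar nexus-iq-cli.jar --help`

include:
  # GitLab-maintained template. It adds a dependency scanning job in the
  # "test" stage and publishes gl-dependency-scanning-report.json, which is
  # what the Security tab and merge-request widget read.
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - build
  - test
  - policy

build:
  stage: build
  image: maven:3.9-eclipse-temurin-17
  script:
    - mvn -B -DskipTests package
  artifacts:
    paths:
      - target/
    expire_in: 1 day

# Sonatype Lifecycle evaluation of the built artifact. "needs" lets it start
# as soon as the build artifacts exist instead of waiting for the whole test
# stage. The CLI exits non-zero when the application's policy has a "fail"
# action for this stage, so a policy violation fails the job and the pipeline.
lifecycle_evaluate:
  stage: policy
  image: eclipse-temurin:17-jre          # assumption: Ubuntu-based image, so apt-get works
  needs: ["build"]
  before_script:
    - apt-get update -qq && apt-get install -y -qq curl
  script:
    - |
      : "${IQ_CLI_VERSION:?set IQ_CLI_VERSION to a CLI release you have validated}"
      curl -fsSL -o nexus-iq-cli.jar \
        "https://download.sonatype.com/clm/scanner/nexus-iq-cli-${IQ_CLI_VERSION}.jar"
      java -jar nexus-iq-cli.jar \
        --server-url "$IQ_SERVER_URL" \
        --authentication "$IQ_USER:$IQ_PASSWORD" \
        --application-id my-app \
        --stage build \
        --result-file iq-result.json \
        target/
  artifacts:
    when: always                          # keep the report even when policy fails the job
    paths:
      - iq-result.json
```

Keeping the two scanners in separate stages means GitLab's report and the Lifecycle result both attach to the same pipeline, so a reviewer can compare what each tool flagged for the same commit; the credentials stay in masked CI/CD variables rather than in the YAML.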
"Fortify's software security center needs a design refresh."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"We had some issues, and I think we might still have some issues, where the Sonatype Nexus Repository has integrations with IQ and SonarQube. We're getting some errors on the UI, so we've had Sonatype look into that a little bit."
"If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found."
"Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central... But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be."
"Sonatype Nexus Lifecycle can improve by having a feature to automatically detect vulnerabilities. Additionally, if it could automatically push the dependencies or create notifications it would be beneficial."
"Not all languages are supported in Fortify."
"We use Gradle a lot for integrating into our local builds with the IDE, which is another build system. There is not a lot of support for it nor published modules that can be readily used. So, we had to create our own. No Gradle plugins have been released."
GitLab is ranked 6th in Software Composition Analysis (SCA) with 70 reviews while Sonatype Lifecycle is ranked 5th in Software Composition Analysis (SCA) with 43 reviews. GitLab is rated 8.6, while Sonatype Lifecycle is rated 8.4. The top reviewer of GitLab writes "Powerful, mature, and easy to set up and manage". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". GitLab is most compared with Microsoft Azure DevOps, Bamboo, SonarQube, AWS CodePipeline and Snyk, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, Checkmarx One and Mend.io. See our GitLab vs. Sonatype Lifecycle report.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.