Sonatype Lifecycle Reviews

Name: Sonatype Lifecycle
Brand: Sonatype
Rating: 4.2 (44 reviews)

Vendor: Sonatype

4.2 out of 5

44 reviews
89% willing to recommend

454 followers

Post review

What is Sonatype Lifecycle?

Sonatype Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

Get the Sonatype Lifecycle Buyer's Guide and find out what your peers are saying about Sonatype Lifecycle, GitLab, Veracode and more!

Sonatype Lifecycle is the #1 ranked solution in top Software Supply Chain Security solutions, #4 ranked solution in top Software Composition Analysis (SCA) solutions, and #5 ranked solution in application security solutions. PeerSpot users give Sonatype Lifecycle an average rating of 8.4 out of 10. Based on the analysis of the 44 most recent Sonatype Lifecycle reviews, the overall sentiment is positive, with a sentiment score of 7.4. Sonatype Lifecycle is most commonly compared to GitLab: Sonatype Lifecycle vs GitLab. Sonatype Lifecycle is popular among the large enterprise segment, accounting for 76% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 35% of all views.

Helped 824,168 peers since 2012

Featured reviews

SrinathKuppannan2

Integration Manager at CommScope

While Sonatype Lifecycle effectively manages artifacts in Nexus Repository and performs code firewall checks based on rules, it has the potential to expand further. I am looking forward to additional features similar to SonarQube, especially since licenses are often split per component. SonarType could integrate cloud-based capabilities, addressing the increasing shift towards cloud workloads. While there have been demos and discussions around this, significant progress on scanning and analyzing cloud images remains to be seen. I am looking forward to Sonatype incorporating these enhancements, particularly in regard to cloud-based features. On-prem workloads are getting to the cloud workloads. * I would like to see more cloud-related insights, such as logging capabilities for the images we use and image scanning information. * Additionally, it would be beneficial to have insights into the stages of dependencies and ensure they comply with standards. If there are any violations in respect to CVSS reports, * Integrating CVSS (Common Vulnerability Scoring System) report rules into the Lifecycle module to detect and report violations would be valuable. I am hoping to see these enhancements from Sonatype in the future. On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.

Read full review

reviewer2317233

Vice President, Cybersecurity at Fiserv

The Software Security Center, which is often overlooked, stands out as the most effective feature. This on-premises portal, included with their primary SaaS offering, streamlines the process of triaging our results. With thousands of daily active users, the Software Security Center serves as a centralized platform, consolidating results from various tools, including Sonatype, WebInspect's DAST results, and Pen Test findings from our internal team. This unified view eliminates the need for developers to log into multiple portals to access code vulnerabilities, open-source issues, web app scans, and Pen Test results. Instead, they can access everything they need from a single, convenient location. Secure Code Warrior is an invaluable integration and partnership for us. Fortify consistently collaborates with top-tier companies to deliver cutting-edge solutions. For instance, if a developer encounters a common code vulnerability, such as a path manipulation vulnerability in their Java website, and is unsure of how to resolve it, Fortify provides some guidance and standard response protocols. However, for more in-depth information and assistance, they direct us to Secure Code Warrior. Upon providing information on the vulnerability type and language, Secure Code Warrior offers tailored training courses, such as how to fix path manipulations in Java-based applications. This remediation technique, which is unmatched by any other provider, has proven to be incredibly effective.

Read full review

Jumani Blango

Adjunct at University of Maryland

As a security analyst, I like the management view. From there, you can review the code and review findings in order to approve, deny, or recommend. Their Software Security Center, which acts as a portal, is quite useful. It's a good overview. You can really see what's happening after you've developed something. Fortify's AppSec testing is great for application portfolio inventory and project releases. It works both at a portfolio level and also at a project level. They also give you the capability to click train of all your vulnerabilities that happened within Apache Crossroads support. You give them a history to keep track of them, how they've been developed, how they've been saved, to give you a way of tracking your issues and how they get resolved. It's pretty easy to find vulnerabilities. Then, you go to the source. It is very good at tracking to see where the data or the issue enters into your source code so you can track it or go back to where it started. Fortify helps remediate potential vulnerabilities by using more accurate, reliable results. They offer recommended remediation. I can go to the website tools to resolve issues and search for remediations. This helps our developers to build more secure code from the start. It has reduced vulnerabilities. We've never had issues when we ran our scans. We're notified, and we're able to identify most of our vulnerabilities and fix them before anything goes to production. If you're running this on your CI/CD pipeline, notifications are in real-time. The level of detail is very informative. It provides you with recommendations on how to fix items. And they provide you with other resources available for how to address the issues. You can also see the root cause. It works well with cloud-native applications. Fortify helped us to free up staff time since it helps us resolve issues faster. It's helped us save costs as, if we catch a vulnerability faster, it's easier to fix than later. Fortify and Sonatype help maintain compliance with the applicable regulations. We mostly use Sonatype for compliance and licenses. By combining both solutions together, it enables you to solve a lot of issues that may occur in the future.

Read full review

Sonatype Lifecycle mindshare

Product category:

As of December 2024, the mindshare of Sonatype Lifecycle in the Software Composition Analysis (SCA) category stands at 5.8%, down from 7.4% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

PeerAnalyst reports

Type	Title	Date
Category	Software Composition Analysis (SCA)	Dec 25, 2024	Download
Product	Reviews, tips, and advice from real users	Dec 25, 2024	Download
Comparison	Sonatype Lifecycle vs Black Duck	Dec 25, 2024	Download
Comparison	Sonatype Lifecycle vs Veracode	Dec 25, 2024	Download
Comparison	Sonatype Lifecycle vs Snyk	Dec 25, 2024	Download

Title	Rating	Mindshare	Recommending
GitLab	4.3	4.6%	97%	80 interviews Add to research
Veracode	4.1	9.7%	90%	196 interviews Add to research

Valuable Features

Sonatype Lifecycle is praised for its seamless integration with existing DevOps tools and proactive security vulnerability scanning. Users find its policy management, automated open-source governance, and continuous monitoring features valuable. The data quality and real-time reporting enhance decision-making and risk reduction. Onboarding and policy grandfathering help streamline processes. Vulnerability detection accuracy and library analysis are highlighted as standout benefits. Its flexibility and low false-positive rate improve development efficiency and maintain security standards.

"This ensures we can address issues proactively."
"The solution provides a comprehensive overview of dependencies and their security status."
"The price is high."

Room for Improvement

Sonatype Lifecycle requires enhanced integration with tools like TeamCity and Azure DevOps, improved reporting formats and dependency visibility, and better handling of transitive and quarantined dependencies. Users find the interface and training resources lacking. Improvements in plugin functionality, flexibility in ticket customization, and real-time notifications are needed. They also desire broader language support, especially for .NET, cloud workload insights, and more intuitive, code-driven configurations for better automation.

"It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."
"It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."
"On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with."

ROI

Many users experience ROI from Sonatype Lifecycle through improved security hygiene and reduced vulnerability risks, leading to peace of mind. There is increased developer productivity and expedited app release times, contributing to significant cost savings. ROI is also realized through proactive vulnerability management and reduced remediation costs. Though some find ROI challenging to quantify, the benefits in terms of development efficiency and security enhancement are clear. Improved clarity and reduced developer frustration are additional positive outcomes.

Pricing

Sonatype Lifecycle pricing is considered competitive, appealing to enterprises with a balance of cost and value. While some find it expensive, it offers extensive features and yearly licensing bundling options. Additional fees apply for add-ons, setup, and support. Its robust security capabilities are valued despite the potential for higher costs compared to other tools. Users appreciate the transparency and flexibility, though smaller businesses may find it less suitable due to initial implementation expenses.

"In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue.If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far.My company pays for the license yearly, plus technical support."
"Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
"There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."

Popular Use Cases

Sonatype Lifecycle is primarily employed for security and open-source governance in build pipelines. It's used to manage dependencies, ensuring third-party libraries are free of vulnerabilities and licensing issues. Teams integrate it into development processes for continuous monitoring, allowing early identification of potential threats. It enables automatic DevSecOps, checks code quality, and provides visibility into security gaps, helping organizations minimize risk and maintain compliance with secure software development standards.

Service and Support

Sonatype Lifecycle's customer support receives high praise for promptness, helpfulness, and clear communication. Many users appreciate the knowledgeable team, quick problem-solving, and availability of dedicated support or success managers. Some suggest improvements for faster responses and better resources for specific tasks. Despite time zone differences and communication challenges, support is generally responsive and proactive, often scoring between eight and ten out of ten from users. Complaints occasionally arise regarding issues requiring product enhancement.

Deployment

Users found Sonatype Lifecycle's initial setup straightforward and quick. Deployment often completed within minutes to a few days, depending on team coordination and policy configurations. While some encountered challenges with space and policy integration, updates improved functionality. Most setups needed minimal expertise, aided by clear documentation. Maintenance generally required modest ongoing support, with teams finding it beneficial to tailor configurations to specific requirements. Users appreciated ease of integration into existing development workflows.

Scalability

Sonatype Lifecycle exhibits good scalability with capabilities in place for expanding usage, particularly in infrastructure and licensing. Users have successfully increased usage, highlighting its flexibility. While certain users believe more improvements can be made, especially relating to clustering and high availability, many have not faced major scaling issues. Organizations with diverse user bases, including developers and IT professionals, find it suitable, with potential for scaling in line with business growth and application needs.

Stability

Sonatype Lifecycle demonstrates strong stability with minimal downtime and no significant issues reported by users. Some mention a need for cluster technology improvement but praise its low maintenance and easy updates. Although a few experienced slight lag in real-time builds, most find it highly reliable. Users appreciate its security management, with prompt vulnerability notifications. Despite isolated incidents, stability ratings range between seven and ten out of ten, reflecting high satisfaction.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Sonatype Lifecycle Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

35%

Computer Software Company

11%

Government

Manufacturing Company

Insurance Company

Healthcare Company

University

Energy/Utilities Company

Retailer

Educational Organization

Real Estate/Law Firm

Media Company

Non Profit

Comms Service Provider

Construction Company

Legal Firm

Transportation Company

Wholesaler/Distributor

Aerospace/Defense Firm

Logistics Company

Hospitality Company

Outsourcing Company

Engineering Company

Recreational Facilities/Services Company

Pharma/Biotech Company

Performing Arts

Compare Sonatype Lifecycle with alternative products

Learn more about Sonatype Lifecycle

Sonatype Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

Benefits of Open-source Security Monitoring

As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

Reviews from Real Users

Sonatype Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

• the email notifications
• the API, which has been good to work with for reporting, because we have some downstream reporting requirements
• that it's been really user-friendly to work with.”

"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

Sonatype Lifecycle was previously known as Sonatype Nexus Lifecycle, Nexus Lifecycle.