
GitHub Advanced Security vs Sonatype Lifecycle comparison


Categories and Ranking

GitHub Advanced Security
Ranking in Application Security Tools: 14th
Average Rating: 8.8
Number of Reviews: 7
Ranking in other categories: No ranking in other categories

Sonatype Lifecycle
Ranking in Application Security Tools: 5th
Average Rating: 8.4
Number of Reviews: 43
Ranking in other categories: Software Composition Analysis (SCA) (4th), Software Supply Chain Security (1st)
 

Mindshare comparison

As of September 2024, in the Application Security Tools category, the mindshare of GitHub Advanced Security is 5.9%, up from 0.0% compared to the previous year. The mindshare of Sonatype Lifecycle is 2.9%, down from 5.0% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Featured Reviews

DO
Jul 1, 2024
Primarily targets code security and uses AI, specifically CodeQL, to analyze code.
It finds hardcoded secrets directly in the code and points them out immediately. Then, I can go back to the developers and let them know. I can even block the commit in the repository so they cannot commit until they fix the issue. AI in the backend: CodeQL uses AI algorithms, so it reduces false positives. For example, in a SQL injection, it finds the user input flow of the code instead of looking for hardcoded SQL statements. It looks at where parameters can be created and filled with data. If it ends on a path where it comes from a user, then you really get an SQL injection. If it's just a parameter populated through something else, there is no danger. This is one difference between SonarQube and GitHub Advanced Security. It gives you fewer false positives, so you don't waste time figuring out if it's a real security issue or a false alarm.
AA
Oct 26, 2023
Integrates easily with many IDEs, and enables development and security teams to work together
One downside to it is that it is costly. I can see it only for enterprises. I cannot see it for small businesses or for individual use. The configuration part is a little bit tricky. There is a learning curve there because it has multiple components. If someone has used another type of scanner, they would not think of the configuration intuitively. The configuration part can be better. Installation is straightforward, but the configuration can be better. It can be improved. There is a learning curve. Before we started using this tool, I did a lot of sessions with the vendors themselves to give an overview to the people. I also wrote some short documentation on how to install it because there are many components here and there. You need to understand how everything is put together. They can integrate it or make it a simpler process. During the short experience that we have had with it, we have noticed that some of the languages such as JavaScript and TypeScript consume high resources. They take a longer time to scan. Memory consumption is also very high for those languages. We are working with Fortify to find ways to optimize the scan. I noticed this with these types of languages. By nature, they take time. It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier. For integration with IDEs, they have so many plugins. For example, they have something called security analysis, and they have something called remediation. As a user, I would love to have them as one. Why should we have two plugins in the same IDE? Just give me one plugin that I can hook to the tool and use it. This is one thing.
Some of the features in these plugins also need more testing. They are not consistent across all the IDEs. From what I saw, there are different options in these tools. For example, if you install it with IntelliJ, it will be different from VS Code. Some options are different, or one tool has more options than others. They can invest more in making them consistent.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable is the developer experience and the extensibility of the overall ecosystem."
"GitHub provides advanced security, which is why the customers choose this tool; it allows them to rely solely on GitHub as one platform for everything they need."
"It is a stable solution... It is a scalable solution as it can handle new applications along with the analysis part."
"GitHub Advanced Security uses artificial intelligence in the backend, specifically CodeQL, to analyze code and provide fewer but more reliable findings, so there are fewer false positives."
"Dependency scanning is a valuable feature."
"The product's most valuable features are security scan, dependency scan, and cost-effectiveness."
"It ensures user passwords or sensitive information are not accidentally exposed in code or reports."
"Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you."
"When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead."
"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good."
"Due to the sheer amount of vulnerabilities and the fact that my company is still working on eliminating all vulnerabilities, it's still too early for me to say what I like most about Sonatype Nexus Lifecycle. Still, one of the best functions of the product is the guidance it gives in finding which components or applications have vulnerabilities. For example, my team had a vulnerability or a CVE connected to Apache last week. My team couldn't find which applications had the vulnerability initially, but using Sonatype Nexus Lifecycle helped. My team deployed new versions on that same day and successfully eliminated the vulnerabilities, so right now, the best feature of Sonatype Nexus Lifecycle is finding which applications have vulnerabilities."
"Among its valuable features, it's easy to handle and easy to configure, it's user-friendly, and it's easy to map and integrate."
"The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems there are from a security point of view or from a licensing point of view. It's quick and very exact."
 

Cons

"The report limitations are the main issue."
"The deployment part of the product is an area of concern that needs to be made easier from an improvement perspective."
"The customizations are a little bit difficult."
"A more refined approach, categorizing and emphasizing specific vulnerabilities, would be beneficial."
"There could be a centralized dashboard to view reports of all the projects on one platform."
"Maybe make it compatible with more programming languages. Have a customized ruleset where the end-user can create their own rules for scanning."
"There could be DST features included in the product."
"One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved."
"Sonatype Nexus Lifecycle can improve the functionality. Some functionalities are missing from the UI that could be accessed using the API but they are not available. For example, seeing more than the 100 first reports or, seeing your comments when you process a waiver for a vulnerability or a violation."
"They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity."
"In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate."
"The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version."
"One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that."
"We use Gradle a lot for integrating into our local builds with the IDE, which is another build system. There is not a lot of support for it nor published modules that can be readily used. So, we had to create our own. No Gradle plugins have been released."
"Fortify's software security center needs a design refresh."
 

Pricing and Cost Advice

"The solution is expensive."
"The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth."
"Pricing is comparable with some of the other products. We are happy with the pricing."
"There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."
"In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue. If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far. My company pays for the license yearly, plus technical support."
"Cost is a drawback. It's somewhat costly."
"We're pretty happy with the price, for what it is delivering for us and the value we're getting from it."
"Its pricing is competitive within the market. It's not very cheap, it's not very expensive."
"It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
"The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us. However, it's a fair price."

Top Industries

By visitors reading reviews

GitHub Advanced Security: Financial Services Firm 13%, Computer Software Company 13%, Manufacturing Company 9%, Government 7%
Sonatype Lifecycle: Financial Services Firm 34%, Computer Software Company 12%, Government 9%, Manufacturing Company 7%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about GitHub Advanced Security?
It is a stable solution... It is a scalable solution as it can handle new applications along with the analysis part.
What needs improvement with GitHub Advanced Security?
Maybe make it compatible with more programming languages. Have a customized ruleset where the end-user can create their own rules for scanning. Also, support for container stuff, like when the code...
What is your primary use case for GitHub Advanced Security?
I use it for Azure DevOps, for example. This tool focuses on the security of the code. It performs code analysis to identify security issues, such as hard-coded secrets and passwords, potential SQL...
How does Sonatype Nexus Lifecycle compare with SonarQube?
We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding the issues a lot quicker. The policy engine allows you to set up different t...
What do you like most about Sonatype Nexus Lifecycle?
Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines.
What is your experience regarding pricing and costs for Sonatype Nexus Lifecycle?
I would rate the pricing a seven out of ten, with ten being expensive. The price is high. It depends on the number of licenses. The price increases based on the fact bundle you are collecting. The ...
 

Also Known As

GitHub Advanced Security: No data available
Sonatype Lifecycle: Sonatype Nexus Lifecycle, Nexus Lifecycle
 

Sample Customers

GitHub Advanced Security: Information Not Available
Sonatype Lifecycle: Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
Find out what your peers are saying about GitHub Advanced Security vs. Sonatype Lifecycle and other solutions. Updated: September 2024.