Sonatype Lifecycle Reviews

Name: Sonatype Lifecycle
Brand: Sonatype
Rating: 4.2 (44 reviews)

Vendor: Sonatype

4.2 out of 5

44 reviews
89% willing to recommend

454 followers

Post review

What is Sonatype Lifecycle?

Sonatype Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

Get the Sonatype Lifecycle Buyer's Guide and find out what your peers are saying about Sonatype Lifecycle, GitLab, Veracode and more!

Sonatype Lifecycle is the #1 ranked solution in top Software Supply Chain Security solutions, #4 ranked solution in top Software Composition Analysis (SCA) solutions, and #5 ranked solution in application security solutions. PeerSpot users give Sonatype Lifecycle an average rating of 8.4 out of 10. Sonatype Lifecycle is most commonly compared to GitLab: Sonatype Lifecycle vs GitLab. Sonatype Lifecycle is popular among the large enterprise segment, accounting for 76% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 34% of all views.

Helped 831,020 peers since 2012

Featured reviews

SrinathKuppannan2

Integration Manager at CommScope

While Sonatype Lifecycle effectively manages artifacts in Nexus Repository and performs code firewall checks based on rules, it has the potential to expand further. I am looking forward to additional features similar to SonarQube, especially since licenses are often split per component. SonarType could integrate cloud-based capabilities, addressing the increasing shift towards cloud workloads. While there have been demos and discussions around this, significant progress on scanning and analyzing cloud images remains to be seen. I am looking forward to Sonatype incorporating these enhancements, particularly in regard to cloud-based features. On-prem workloads are getting to the cloud workloads. * I would like to see more cloud-related insights, such as logging capabilities for the images we use and image scanning information. * Additionally, it would be beneficial to have insights into the stages of dependencies and ensure they comply with standards. If there are any violations in respect to CVSS reports, * Integrating CVSS (Common Vulnerability Scoring System) report rules into the Lifecycle module to detect and report violations would be valuable. I am hoping to see these enhancements from Sonatype in the future. On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.

Read full review

Shubham Shrivastava

Engineering Tools and Platform Manager at BT - British Telecom

One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved. Some of our engineers came from outside of BT, and there are some features that they are used to from rival products, but they are currently not there in Sonatype IQ. For example, Snyk has a feature to stop a particular check-in from happening at the merge stage in case something is different or wrong. This feature is still in the development phase in IQ. Such a feature would be handy in IQ. Another area where Nexus can severely improve is the licensing model. I am not worried about the licensing cost, but the way they calculate the number of licenses being used needs to be improved. They have been quite ambiguous in terms of how they calculate who is using Nexus or IQ, and this ambiguity has not been good. At times, we think we have a certain number of customers, but Sonatype says that it is not true, and we have some other number. They haven't been able to explain very well how they calculate that number, which has been a challenge for us.

Read full review

Michael Esmeraldo

Sr. Enterprise Architect at MIB Group, Inc.

I won't say there aren't a ton of features, but primarily we use it as an artifact repository. Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well. The default policies and the policy engine provide the flexibility we need. The default policy was good enough for us. We didn't really mess with it. We left it alone because the default policy engine pretty much works for our use cases. The integrations into developer tooling work just fine. We primarily use Gradle to build our applications. We just point the URL to what we call our "public repository group" in Nexus. It's a front for everything, so it can see all of the other underlying repositories. Our developers, in their Gradle builds, just point them to this public repository and they can pull down any dependency that they need. It doesn't really integrate with our IDE. It's just simply that we use Gradle and it makes it very straightforward. Nexus blocks undesirable open-source components from entering our development lifecycle because of the IQ policy actions. We define what sort of level of risk we're willing to take. For example for "security-critical," we could just fail them across the board; we don't want anything that has a security-critical. That's something we define as a CVE security number of nine or 10. If it has a known vulnerability of nine or 10 we could even stop it from coming down from Maven Central; it's quarantined because it has a problem that we don't want to even introduce into our network. We've also created our own policy that we call an "architecture blacklist," which means we don't want certain components to be used from an architectural standpoint. For example, we don't want anybody to build anything with Struts 1. We put it on the architecture blacklist. If a component comes in and it has that tag, it fails immediately.

Read full review

Sonatype Lifecycle mindshare

Product category:

As of January 2025, the mindshare of Sonatype Lifecycle in the Software Composition Analysis (SCA) category stands at 5.7%, down from 7.2% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

PeerAnalyst reports

Type	Title	Date
Category	Software Composition Analysis (SCA)	Jan 17, 2025	Download
Product	Reviews, tips, and advice from real users	Jan 17, 2025	Download
Comparison	Sonatype Lifecycle vs Black Duck	Jan 17, 2025	Download
Comparison	Sonatype Lifecycle vs Veracode	Jan 17, 2025	Download
Comparison	Sonatype Lifecycle vs Snyk	Jan 17, 2025	Download

Title	Rating	Mindshare	Recommending
GitLab	4.3	4.7%	97%	81 interviews Add to research
Veracode	4.1	9.8%	90%	195 interviews Add to research

Valuable Features

Sonatype Lifecycle is praised for its seamless integration with existing DevOps tools and proactive security vulnerability scanning. Users find its policy management, automated open-source governance, and continuous monitoring features valuable. The data quality and real-time reporting enhance decision-making and risk reduction. Onboarding and policy grandfathering help streamline processes. Vulnerability detection accuracy and library analysis are highlighted as standout benefits. Its flexibility and low false-positive rate improve development efficiency and maintain security standards.

"This ensures we can address issues proactively."
"The solution provides a comprehensive overview of dependencies and their security status."
"The price is high."

Room for Improvement

Sonatype Lifecycle requires enhanced integration with tools like TeamCity and Azure DevOps, improved reporting formats and dependency visibility, and better handling of transitive and quarantined dependencies. Users find the interface and training resources lacking. Improvements in plugin functionality, flexibility in ticket customization, and real-time notifications are needed. They also desire broader language support, especially for .NET, cloud workload insights, and more intuitive, code-driven configurations for better automation.

"It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."
"It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."
"On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with."

ROI

Many users experience ROI from Sonatype Lifecycle through improved security hygiene and reduced vulnerability risks, leading to peace of mind. There is increased developer productivity and expedited app release times, contributing to significant cost savings. ROI is also realized through proactive vulnerability management and reduced remediation costs. Though some find ROI challenging to quantify, the benefits in terms of development efficiency and security enhancement are clear. Improved clarity and reduced developer frustration are additional positive outcomes.

Pricing

Sonatype Lifecycle pricing is considered competitive, appealing to enterprises with a balance of cost and value. While some find it expensive, it offers extensive features and yearly licensing bundling options. Additional fees apply for add-ons, setup, and support. Its robust security capabilities are valued despite the potential for higher costs compared to other tools. Users appreciate the transparency and flexibility, though smaller businesses may find it less suitable due to initial implementation expenses.

"In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue.If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far.My company pays for the license yearly, plus technical support."
"Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
"There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."

Popular Use Cases

Sonatype Lifecycle is primarily employed for security and open-source governance in build pipelines. It's used to manage dependencies, ensuring third-party libraries are free of vulnerabilities and licensing issues. Teams integrate it into development processes for continuous monitoring, allowing early identification of potential threats. It enables automatic DevSecOps, checks code quality, and provides visibility into security gaps, helping organizations minimize risk and maintain compliance with secure software development standards.

Service and Support

Sonatype Lifecycle's customer support receives high praise for promptness, helpfulness, and clear communication. Many users appreciate the knowledgeable team, quick problem-solving, and availability of dedicated support or success managers. Some suggest improvements for faster responses and better resources for specific tasks. Despite time zone differences and communication challenges, support is generally responsive and proactive, often scoring between eight and ten out of ten from users. Complaints occasionally arise regarding issues requiring product enhancement.

Deployment

Users found Sonatype Lifecycle's initial setup straightforward and quick. Deployment often completed within minutes to a few days, depending on team coordination and policy configurations. While some encountered challenges with space and policy integration, updates improved functionality. Most setups needed minimal expertise, aided by clear documentation. Maintenance generally required modest ongoing support, with teams finding it beneficial to tailor configurations to specific requirements. Users appreciated ease of integration into existing development workflows.

Scalability

Sonatype Lifecycle exhibits good scalability with capabilities in place for expanding usage, particularly in infrastructure and licensing. Users have successfully increased usage, highlighting its flexibility. While certain users believe more improvements can be made, especially relating to clustering and high availability, many have not faced major scaling issues. Organizations with diverse user bases, including developers and IT professionals, find it suitable, with potential for scaling in line with business growth and application needs.

Stability

Sonatype Lifecycle demonstrates strong stability with minimal downtime and no significant issues reported by users. Some mention a need for cluster technology improvement but praise its low maintenance and easy updates. Although a few experienced slight lag in real-time builds, most find it highly reliable. Users appreciate its security management, with prompt vulnerability notifications. Despite isolated incidents, stability ratings range between seven and ten out of ten, reflecting high satisfaction.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Sonatype Lifecycle Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

34%

Computer Software Company

11%

Government

Manufacturing Company

Insurance Company

Healthcare Company

University

Energy/Utilities Company

Retailer

Educational Organization

Real Estate/Law Firm

Media Company

Comms Service Provider

Non Profit

Construction Company

Legal Firm

Transportation Company

Wholesaler/Distributor

Aerospace/Defense Firm

Logistics Company

Hospitality Company

Outsourcing Company

Engineering Company

Recreational Facilities/Services Company

Pharma/Biotech Company

Performing Arts

Compare Sonatype Lifecycle with alternative products

Learn more about Sonatype Lifecycle

Sonatype Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

Benefits of Open-source Security Monitoring

As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

Reviews from Real Users

Sonatype Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

• the email notifications
• the API, which has been good to work with for reporting, because we have some downstream reporting requirements
• that it's been really user-friendly to work with.”

"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

Sonatype Lifecycle was previously known as Sonatype Nexus Lifecycle, Nexus Lifecycle.