Try our new research platform with insights from 80,000+ expert users
Sonatype Lifecycle Logo

Sonatype Lifecycle Reviews

Vendor: Sonatype
4.2 out of 5
Badge Leader
Leave a review

What is Sonatype Lifecycle?

Sonatype Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

Get the Sonatype Lifecycle Buyer's Guide and find out what your peers are saying about Sonatype Lifecycle, SonarQube Server (formerly SonarQube), GitLab and more!
Sonatype Lifecycle is the #3 ranked solution in top Software Supply Chain Security solutions, #4 ranked solution in top Software Composition Analysis (SCA) solutions, and #7 ranked solution in application security solutions. PeerSpot users give Sonatype Lifecycle an average rating of 8.4 out of 10. Sonatype Lifecycle is most commonly compared to SonarQube Server (formerly SonarQube): Sonatype Lifecycle vs SonarQube Server (formerly SonarQube). Sonatype Lifecycle is popular among the large enterprise segment, accounting for 74% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 32% of all views.
Buyer's Guide
Sonatype Lifecycle
August 2025
Get the report
Helped 865,738 peers since 2012

Featured Sonatype Lifecycle reviews

Read more reviews

Sonatype Lifecycle mindshare

Product category:
Software Composition Analysis (SCA)
As of August 2025, the mindshare of Sonatype Lifecycle in the Software Composition Analysis (SCA) category stands at 5.2%, down from 5.8% compared to the previous year, according to calculations based on PeerSpot user engagement data.
Software Composition Analysis (SCA) Market Share Distribution
ProductMarket Share (%)
Sonatype Lifecycle5.2%
Black Duck17.8%
Snyk13.7%
Other63.3%
Software Composition Analysis (SCA)

PeerResearch reports based on Sonatype Lifecycle reviews

TypeTitleDate
CategorySoftware Composition Analysis (SCA)Aug 25, 2025Download
ProductReviews, tips, and advice from real usersAug 25, 2025Download
ComparisonSonatype Lifecycle vs Black DuckAug 25, 2025Download
ComparisonSonatype Lifecycle vs SnykAug 25, 2025Download
ComparisonSonatype Lifecycle vs VeracodeAug 25, 2025Download
Suggested products
TitleRatingMindshareRecommending
SonarQube Server (formerly SonarQube)4.0N/A81%116 interviewsAdd to research
GitLab4.24.1%97%85 interviewsAdd to research
 
 
Key learnings from peers

Valuable Features

Developers appreciate Sonatype Lifecycle for its robust vulnerability detection and user-friendly integration with DevOps tools like Jenkins and GitHub. It provides comprehensive security insights and easy policy management, allowing teams to automate risk reduction. Its low false-positive rate and proactive monitoring ensure high confidence in data quality. The platform's comprehensive data helps fast-track remediation and decision-making, enabling efficient updates and ensuring applications remain secure and compliant.
  • "The most valuable feature for us is Sonatype Lifecycle's capability in identifying vulnerabilities."
  • "This ensures we can address issues proactively."
  • "The solution provides a comprehensive overview of dependencies and their security status."

Room for Improvement

Sonatype Lifecycle needs improvements in integrating with non-Java languages, especially JavaScript and .NET, and enhancing support for Maven Central dependency management. Reporting lacks flexibility and integration with tools used by enterprises. The user interface, installation, and documentation need refinement for better usability. Customization options for ticket creation and issue tracking are limited. Fortifying language support, improving plugin consistency across IDEs, and providing better cloud-related features would address current gaps.
  • "Both JFrog and Sonatype should redesign their products to separate the binary repository management solution from the software composition analysis solutions."
  • "It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."
  • "It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."

ROI

Sonatype Lifecycle users noted improvements in security management and development efficiency. They experienced increased developer productivity, reduced time for finding vulnerabilities, and fewer security-related issues. Visibility into software components and integrated security protocols led to enhanced risk management. Some users witnessed cost savings and faster application releases. Devs appreciated the tool’s effectiveness in managing vulnerabilities, although quantifying financial impact was challenging. Users highlighted longer-term benefits, like improved workflows and developer satisfaction.

Pricing

Sonatype Lifecycle pricing is positioned as competitive within the market, offering value that balances cost and capabilities. While it is perceived as more expensive than some alternatives, many organizations find the pricing justifiable due to the added features and security benefits. Licensing is generally bundled, and users often pay annually. Additional setup and support services may incur separate fees, and costs can fluctuate based on user numbers and optional add-ons.
  • "In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue.If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far.My company pays for the license yearly, plus technical support."
  • "Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
  • "There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."

Popular Use Cases

Organizations primarily use Sonatype Lifecycle for identifying vulnerabilities in code libraries and third-party dependencies within their development pipelines. It integrates with IDEs for developer support and automates security checks, ensuring compliance with license policies. Many implement it in continuous integration processes to flag security issues early, manage open-source components, enforce security standards, and maintain a robust software supply chain. It's crucial for monitoring dependencies and updating outdated packages.

Service and Support

Customers report that Sonatype Lifecycle's customer service and support are responsive, knowledgeable, and quick, providing help without cost. Support can be variable due to time zone differences, but dedicated success managers enhance communication. Some cases require product improvements, which might delay issue resolution. Frequent meetings and expert guidance are appreciated. Customers rate support performance highly, though suggestions include improved response times and modern communication options like live chat for immediate assistance.

Deployment

Many describe Sonatype Lifecycle's initial setup as simple and manageable, often requiring minimal expertise. Some encountered challenges like integrating policies and space management, while others faced hurdles with configurations or stricter environments. Installation is typically fast, but configuring policies can take more time. Users found documentation helpful, facilitating setup. Maintenance usually involves moderate effort, suggesting occasional team involvement. Sonatype also receives praise for support during and after installation.

Scalability

Scalability of Sonatype Lifecycle is well-regarded, with users noting successful handling of substantial volumes and flexibility in expanding usage. While some mention the need for cluster support and potential improvements in high-availability setups, others successfully integrate it in expansive deployments. Users appreciate the ability to add resources like CPU and memory dynamically. Despite some uncertainties in large-scale scenarios, many find it sufficient for current and planned use cases. User feedback indicates a promising path ahead.

Stability

Users describe Sonatype Lifecycle as highly stable, experiencing minimal downtime and successful updates. Clusters may need improvements, but the system functions reliably for developers and architects. Occasional issues like lag or specific database challenges have been mentioned, yet these are resolved quickly. The platform reportedly supports large-scale deployments with no major disruptions, and its consistent performance is favored in comparison to other options, rating its overall stability highly in long-term usage.
These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.
Download our Sonatype Lifecycle Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
Company SizeCount
Small Business12
Midsize Enterprise7
Large Enterprise25
By reviewers
By visitors reading reviews
Company SizeCount
Small Business260
Midsize Enterprise126
Large Enterprise1080
By visitors reading reviews

Top industries

By visitors reading reviews
Financial Services Firm
32%
Computer Software Company
11%
Manufacturing Company
10%
Government
8%
Insurance Company
5%
University
4%
Healthcare Company
4%
Comms Service Provider
3%
Educational Organization
2%
Non Profit
2%
Performing Arts
2%
Energy/Utilities Company
2%
Construction Company
2%
Retailer
2%
Legal Firm
2%
Transportation Company
1%
Media Company
1%
Real Estate/Law Firm
1%
Outsourcing Company
1%
Aerospace/Defense Firm
1%
Hospitality Company
1%
Logistics Company
1%
Recreational Facilities/Services Company
1%
Pharma/Biotech Company
1%
Consumer Goods Company
1%
Engineering Company
1%

Compare Sonatype Lifecycle with alternative products

Go!

Learn more about Sonatype Lifecycle

Sonatype Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

Benefits of Open-source Security Monitoring

As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

Reviews from Real Users

Sonatype Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

• the email notifications
• the API, which has been good to work with for reporting, because we have some downstream reporting requirements
• that it's been really user-friendly to work with.”

"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

Sonatype Lifecycle was previously known as Sonatype Nexus Lifecycle, Nexus Lifecycle.

Sonatype Lifecycle customers

Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance

Related questions

  • 118
How does Sonatype Nexus Lifecycle compare with SonarQube?
  • 33
What tools do you rely on for building a DevSecOps pipeline?
  • 38
What alternatives are there for Fortify WebInspect and Fortify SCA?
  • 42
What is the best way to track open-source license compatibility?
  • 71
How long does SCA scanning take?
  • 175
Why is Software Composition Analysis (SCA) important for companies?
  • 64
Differences between Black Duck & Veracode
  • 17
What SCA solution do you recommend?
  • 9
Is there an SCA solution that finds and fixes vulnerabilities?
  • 24
Can I get SCA in my IDE?

Product Categories

Product Categories
Software Composition Analysis (SCA)
Application Security Tools
Software Supply Chain Security

Popular Comparisons

Popular Comparisons
SonarQube Server (formerly SonarQube) vs Sonatype Lifecycle Logo
SonarQube Server (formerly SonarQube) vs Sonatype Lifecycle
GitLab vs Sonatype Lifecycle Logo
GitLab vs Sonatype Lifecycle
Snyk vs Sonatype Lifecycle Logo
Snyk vs Sonatype Lifecycle
Checkmarx One vs Sonatype Lifecycle Logo
Checkmarx One vs Sonatype Lifecycle
Veracode vs Sonatype Lifecycle Logo
Veracode vs Sonatype Lifecycle
Black Duck vs Sonatype Lifecycle Logo
Black Duck vs Sonatype Lifecycle
Mend.io vs Sonatype Lifecycle Logo
Mend.io vs Sonatype Lifecycle
CrowdStrike Falcon Cloud Security vs Sonatype Lifecycle Logo
CrowdStrike Falcon Cloud Security vs Sonatype Lifecycle
GitHub Advanced Security vs Sonatype Lifecycle Logo
GitHub Advanced Security vs Sonatype Lifecycle
OpenText Core Application Security vs Sonatype Lifecycle Logo
OpenText Core Application Security vs Sonatype Lifecycle
JFrog Xray vs Sonatype Lifecycle Logo
JFrog Xray vs Sonatype Lifecycle
Acunetix vs Sonatype Lifecycle Logo
Acunetix vs Sonatype Lifecycle
Aqua Cloud Security Platform vs Sonatype Lifecycle Logo
Aqua Cloud Security Platform vs Sonatype Lifecycle
HCL AppScan vs Sonatype Lifecycle Logo
HCL AppScan vs Sonatype Lifecycle
PortSwigger Burp Suite Professional vs Sonatype Lifecycle Logo
PortSwigger Burp Suite Professional vs Sonatype Lifecycle
See all alternatives
 
Sonatype Lifecycle Reviews Summary
Author infoRatingReview Summary
Principal DevSecOPs at a computer software company with 10,001+ employees3.5We use Sonatype Lifecycle to scan third-party packages in our software composition, ensuring a secure software supply chain. Its integration into our CICD pipeline is beneficial, though we hope for expanded features, particularly in application security.
Analista De Sistemas at Dataprev4.5We use Sonatype Lifecycle mainly for managing software artifacts, valuing its vulnerability identification. Despite its stability, we wish for separate offerings of binary management and software analysis to reduce costs. Improved configuration guidance would be beneficial.
Integration Manager at CommScope4.0I work in a service-based company utilizing Sonatype Lifecycle for firewall management and code quality insight. It integrates well with tools like GitLab. While it's valuable, I'd like more frequent updates, especially for cloud-based capabilities and security enhancements.
Sr cyber analyst at a energy/utilities company with 10,001+ employees4.0We use Fortify and Sonatype for secure code and library scanning. While their integration and language support are valuable, Fortify's configuration is complex. It's costly and better suited for enterprises. Identifying vulnerabilities early saves costs during the SDLC.
Sr cyber analyst at a energy/utilities company with 10,001+ employees3.5We use Sonatype Nexus and Fortify to secure our code, appreciating Fortify’s integration capabilities and language support, despite its cost and complex configuration. Transitioning from IBM Appscan, identifying vulnerabilities early helps us save costs in the development process.
Vice President, Cybersecurity at a financial services firm with 10,001+ employees5.0We manage software security for 10,000 developers using Fortify for vulnerability detection. The Software Security Center centralizes results, but needs a design update. Despite this, Fortify offers significant ROI, broad language support, and valuable Secure Code Warrior integration.
Adjunct at University of Maryland5.0I use Sonatype Lifecycle as a SaaS tool to identify and fix vulnerabilities in static code. Its management view and Software Security Center are valuable, helping track and resolve issues efficiently. Combining it with Fortify improves application security and compliance.
Software analyst at a financial services firm4.5We use Sonatype Lifecycle and Fortify Static Code Analyzer with Azure DevOps for secure coding practices. The references for issues are invaluable for understanding security problems. The only area needing improvement is the price.