Sonatype Lifecycle Reviews

Name: Sonatype Lifecycle
Brand: Sonatype
Rating: 4.2 (46 reviews)

Vendor: Sonatype

4.2 out of 5

46 reviews
90% willing to recommend

Leave a review

What is Sonatype Lifecycle?

Sonatype Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

Get the Sonatype Lifecycle Buyer's Guide and find out what your peers are saying about Sonatype Lifecycle, SonarQube, Snyk and more!

Sonatype Lifecycle is the #4 ranked solution in top Software Composition Analysis (SCA) solutions, #5 ranked solution in top AI Software Development solutions, #6 ranked solution in top Software Supply Chain Security solutions, and #8 ranked solution in application security solutions. PeerSpot users give Sonatype Lifecycle an average rating of 8.4 out of 10. Sonatype Lifecycle is most commonly compared to SonarQube: Sonatype Lifecycle vs SonarQube. Sonatype Lifecycle is popular among the large enterprise segment, accounting for 68% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 28% of all views.

Helped 879,310 peers since 2012

Featured Sonatype Lifecycle reviews

@RahulVerma

Presales Engineer at Rah Infotech Pvt Ltd

Sonatype Lifecycle already does a nice job, but as you use it, you can’t help but notice a few spots where it could feel even smoother. Imagine opening it and immediately seeing a clearer, friendlier dashboard that tells you exactly what deserves your attention without digging around. As you move through your workflow, it would be great if the tool connected more naturally with what you’re already using, so everything just flows. And when an issue pops up, instead of leaving you guessing, it could guide you through what to do next in a way that feels simple and supportive. Even having a bit more visibility into anything happening behind the scenes would make the experience feel more complete. It’s already strong, but with touches like these, it could feel even more helpful and intuitive in everyday use.

Read full review

Carlos Leão

Analista De Sistemas at Dataprev

Both JFrog and Sonatype should redesign their products to separate the binary repository management solution from the software composition analysis solutions. We prefer to purchase the binary repository management solution independently, but they offer both together, which increases costs. This integration is good but raises the price, being a significant issue for us. We also noticed a lack of detailed information for configuring Sonatype Lifecycle for high availability and data recovery.

Read full review

Goutham Kumar

Principal DevSecOPs at a computer software company with 10,001+ employees

It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections. It is specific to only one category, and we would like them to add more diverse application security features. We expect products to do multiple things. It only does one thing, and we want it to expand its capabilities.

Read full review

Sonatype Lifecycle mindshare

Product category:

As of December 2025, the mindshare of Sonatype Lifecycle in the Software Composition Analysis (SCA) category stands at 4.9%, down from 5.3% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA) Market Share Distribution
Product	Market Share (%)
Sonatype Lifecycle	4.9%
Black Duck SCA	13.5%
Snyk	11.5%
Other	70.1%

Software Composition Analysis (SCA)

PeerResearch reports based on Sonatype Lifecycle reviews

Type	Title	Date
Category	Software Composition Analysis (SCA)	Dec 30, 2025	Download
Product	Reviews, tips, and advice from real users	Dec 30, 2025	Download
Comparison	Sonatype Lifecycle vs Snyk	Dec 30, 2025	Download
Comparison	Sonatype Lifecycle vs Black Duck SCA	Dec 30, 2025	Download
Comparison	Sonatype Lifecycle vs Veracode	Dec 30, 2025	Download

Valuable Features

Sonatype Lifecycle's key aspects include automatic blocking of insecure libraries, seamless integration with DevOps tools, policy management, and continuous monitoring. It offers detailed vulnerability analysis, proactive security updates, and risk management. Users appreciate low false positives, rich data quality, and ease of integration. Sonatype enables identification of secure components during development and helps automate open-source governance, reducing risks and ensuring security compliance efficiently. Its streamlined process benefits developers and security teams widely across various sectors.

"Sonatype Lifecycle has positively impacted my organization by ensuring we stay compliant, making our clients in the financial sector feel much more secure to use open source with the incorporation of Sonatype Lifecycle in our environment."
"The most valuable feature for us is Sonatype Lifecycle's capability in identifying vulnerabilities."
"This ensures we can address issues proactively."

Room for Improvement

Sonatype Lifecycle faces challenges with integration, particularly with non-Java languages, reporting inconsistency, and the complexity of the user interface. Users express the need for better support in transitive dependency management and more comprehensive security insights. They desire improvements in customizing defect tickets and more seamless connections with existing workflows. There's a demand for enhanced training resources and clearer guidance in handling vulnerabilities and managing high availability and data recovery configurations.

"One downside to Sonatype life-cycle is that it's Policies and alert is feel overwhelming , when first seen by the team as it is too early in security journey/life-cycle. Usually just highlighting gaps is best as too informative dashboards lead to priority fatigue."
"Both JFrog and Sonatype should redesign their products to separate the binary repository management solution from the software composition analysis solutions."
"It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."

ROI

Sonatype Lifecycle users observe ROI through improved security, better visibility, and increased efficiency. Vulnerability management is enhanced, leading to reduced risks and faster issue resolution. It aids in quicker app releases, saving reactive costs. Developer productivity rises significantly as integrations are streamlined and technical debt is addressed. ROI is often challenging to quantify, especially when anticipating future security events or estimating time saved, but businesses recognize its value in time and resource savings.

Pricing

Sonatype Lifecycle offers competitive pricing within the market. While licensing fees can be high, users generally find the pricing justified by the product's features and capabilities. Many enterprise customers appreciate the value provided relative to other tools, despite some costs for training, consultation, and add-ons. Some users note that pricing complexity might be an issue, but overall, the return on investment and enhanced security features make the pricing acceptable for larger organizations.

"In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue.If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far.My company pays for the license yearly, plus technical support."
"Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
"There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."

Popular Use Cases

Sonatype Lifecycle is primarily used for enhancing security by identifying vulnerabilities in third-party libraries and managing open-source dependencies. Companies integrate it into their build pipelines for DevSecOps automation. It provides governance over open-source software, ensuring compliance with licensing and mitigating security risks. Organizations utilize it to scan applications, safeguard the software supply chain, and automate quality assurance, all while monitoring and addressing issues in libraries across various programming languages and platforms.

Service and Support

Sonatype Lifecycle's support is praised for its promptness and helpfulness. Responses are typically quick, with knowledgeable staff providing clear solutions. While there are occasional issues with delayed responses, the overall quality of assistance is frequently rated highly. Regular communication, dedicated success engineers, and proactive team outreach are valued. However, some users have encountered challenges with licensing clarity and resource allocation. Overall, the support is efficient, with many rating it between eight and ten out of ten.

Deployment

Users described Sonatype Lifecycle's initial setup as generally straightforward, with many noting ease due to clear documentation and intuitive processes. Some encountered space issues, configuration complexity, or needed support due to strict environments, but most found the process manageable. Deployment times varied, with many achieving setup in under a day, while others faced challenges requiring coordination and consultation. Policy management occasionally added complexity, necessitating additional effort for customization and integration.

Scalability

Sonatype Lifecycle's scalability generally stands favorable among users, though opinions vary. Some users commend its ability to expand across diverse environments with minimal disruptions, while others note high-availability limitations. Many emphasize its adaptability in both on-premise and cloud setups, allowing for resource augmentation. Some challenges arise when scaling user numbers or integrating certain components. A few users anticipate improvements in clustering capabilities and manageability as usage increases.

Stability

Sonatype Lifecycle exhibits strong stability with minimal issues reported by users. Users find it reliable even with significant workloads, though some suggest further maturation in cluster technology. There are few instances of minor lag in real-time builds and occasional mandatory downtime for updates. Security monitoring is effective, and data integrity is maintained even after major outages. Users appreciate its low maintenance and consistent performance, rating stability high despite minimal isolated challenges.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Sonatype Lifecycle Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
Company Size	Count
Small Business	11
Midsize Enterprise	7
Large Enterprise	22

By reviewers

By visitors reading reviews
Company Size	Count
Small Business	262
Midsize Enterprise	108
Large Enterprise	796

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

28%

Computer Software Company

10%

Manufacturing Company

Government

Insurance Company

Healthcare Company

Comms Service Provider

Performing Arts

University

Outsourcing Company

Construction Company

Educational Organization

Energy/Utilities Company

Retailer

Media Company

Non Profit

Legal Firm

Transportation Company

Real Estate/Law Firm

Wholesaler/Distributor

Marketing Services Firm

Aerospace/Defense Firm

Hospitality Company

Logistics Company

Recreational Facilities/Services Company

Leisure / Travel Company

Consumer Goods Company

Engineering Company

Compare Sonatype Lifecycle with alternative products

Learn more about Sonatype Lifecycle

Sonatype Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

Benefits of Open-source Security Monitoring

As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

Reviews from Real Users

Sonatype Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

• the email notifications
• the API, which has been good to work with for reporting, because we have some downstream reporting requirements
• that it's been really user-friendly to work with.”

"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

Sonatype Lifecycle was previously known as Sonatype Nexus Lifecycle, Nexus Lifecycle.

Sonatype Lifecycle customers

Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance

Title	Rating	Mindshare	Recommending
SonarQube	4.0	N/A	83%	134 interviews Add to research
Snyk	4.1	11.5%	100%	50 interviews Add to research

Author info	Rating	Review Summary
Presales Engineer at Rah Infotech Pvt Ltd	4.5	I've used Sonatype Lifecycle mainly for open-source scanning; it's easy to integrate, ensures compliance, and saves time, though improvements in documentation, support, and integration visibility would enhance the overall user experience.
Analista De Sistemas at Dataprev	4.5	We use Sonatype Lifecycle mainly for managing software artifacts, valuing its vulnerability identification. Despite its stability, we wish for separate offerings of binary management and software analysis to reduce costs. Improved configuration guidance would be beneficial.
Principal DevSecOPs at a computer software company with 10,001+ employees	3.5	We use Sonatype Lifecycle to scan third-party packages in our software composition, ensuring a secure software supply chain. Its integration into our CICD pipeline is beneficial, though we hope for expanded features, particularly in application security.
Integration Manager at CommScope	4.0	I work in a service-based company utilizing Sonatype Lifecycle for firewall management and code quality insight. It integrates well with tools like GitLab. While it's valuable, I'd like more frequent updates, especially for cloud-based capabilities and security enhancements.
Vice President, Cybersecurity at a financial services firm with 10,001+ employees	5.0	We manage software security for 10,000 developers using Fortify for vulnerability detection. The Software Security Center centralizes results, but needs a design update. Despite this, Fortify offers significant ROI, broad language support, and valuable Secure Code Warrior integration.
Sr cyber analyst at a energy/utilities company with 10,001+ employees	4.0	We use Fortify and Sonatype for secure code and library scanning. While their integration and language support are valuable, Fortify's configuration is complex. It's costly and better suited for enterprises. Identifying vulnerabilities early saves costs during the SDLC.
Sr cyber analyst at a energy/utilities company with 10,001+ employees	3.5	We use Sonatype Nexus and Fortify to secure our code, appreciating Fortify’s integration capabilities and language support, despite its cost and complex configuration. Transitioning from IBM Appscan, identifying vulnerabilities early helps us save costs in the development process.
Senior manager at a consultancy with 11-50 employees	5.0	As consultants supporting a primary banking group in Italy, we rely on Sonatype and Fortify for comprehensive code analysis. Fortify excels in reducing vulnerabilities and aligning with compliance requirements, although it could expand language support.

Sonatype Lifecycle Reviews

What is Sonatype Lifecycle?

Featured Sonatype Lifecycle reviews

Sonatype Lifecycle mindshare

PeerResearch reports based on Sonatype Lifecycle reviews

Valuable Features

Room for Improvement

ROI

Pricing

Popular Use Cases

Service and Support

Deployment

Scalability

Stability

Review data by company size

Top industries

Compare Sonatype Lifecycle with alternative products

Learn more about Sonatype Lifecycle

Sonatype Lifecycle customers

Related questions

Product Categories

Popular Comparisons