Sonatype Lifecycle Reviews

Name: Sonatype Lifecycle
Brand: Sonatype
Rating: 4.2 (45 reviews)

Vendor: Sonatype

4.2 out of 5

45 reviews
90% willing to recommend

397 followers

Start review

What is Sonatype Lifecycle?

Sonatype Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

Get the Sonatype Lifecycle Buyer's Guide and find out what your peers are saying about Sonatype Lifecycle, GitLab, Snyk and more!

Sonatype Lifecycle is the #1 ranked solution in top Software Supply Chain Security solutions, #4 ranked solution in top Software Composition Analysis (SCA) solutions, and #5 ranked solution in application security solutions. PeerSpot users give Sonatype Lifecycle an average rating of 8.4 out of 10. Sonatype Lifecycle is most commonly compared to GitLab: Sonatype Lifecycle vs GitLab. Sonatype Lifecycle is popular among the large enterprise segment, accounting for 76% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 34% of all views.

Helped 849,686 peers since 2012

Featured Sonatype Lifecycle reviews

SrinathKuppannan2

Integration Manager at CommScope

While Sonatype Lifecycle effectively manages artifacts in Nexus Repository and performs code firewall checks based on rules, it has the potential to expand further. I am looking forward to additional features similar to SonarQube, especially since licenses are often split per component. SonarType could integrate cloud-based capabilities, addressing the increasing shift towards cloud workloads. While there have been demos and discussions around this, significant progress on scanning and analyzing cloud images remains to be seen. I am looking forward to Sonatype incorporating these enhancements, particularly in regard to cloud-based features. On-prem workloads are getting to the cloud workloads. * I would like to see more cloud-related insights, such as logging capabilities for the images we use and image scanning information. * Additionally, it would be beneficial to have insights into the stages of dependencies and ensure they comply with standards. If there are any violations in respect to CVSS reports, * Integrating CVSS (Common Vulnerability Scoring System) report rules into the Lifecycle module to detect and report violations would be valuable. I am hoping to see these enhancements from Sonatype in the future. On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.

Read full review

Shubham Shrivastava

Engineering Tools and Platform Manager at BT - British Telecom

One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved. Some of our engineers came from outside of BT, and there are some features that they are used to from rival products, but they are currently not there in Sonatype IQ. For example, Snyk has a feature to stop a particular check-in from happening at the merge stage in case something is different or wrong. This feature is still in the development phase in IQ. Such a feature would be handy in IQ. Another area where Nexus can severely improve is the licensing model. I am not worried about the licensing cost, but the way they calculate the number of licenses being used needs to be improved. They have been quite ambiguous in terms of how they calculate who is using Nexus or IQ, and this ambiguity has not been good. At times, we think we have a certain number of customers, but Sonatype says that it is not true, and we have some other number. They haven't been able to explain very well how they calculate that number, which has been a challenge for us.

Read full review

Michael Esmeraldo

Sr. Enterprise Architect at MIB Group, Inc.

I won't say there aren't a ton of features, but primarily we use it as an artifact repository. Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well. The default policies and the policy engine provide the flexibility we need. The default policy was good enough for us. We didn't really mess with it. We left it alone because the default policy engine pretty much works for our use cases. The integrations into developer tooling work just fine. We primarily use Gradle to build our applications. We just point the URL to what we call our "public repository group" in Nexus. It's a front for everything, so it can see all of the other underlying repositories. Our developers, in their Gradle builds, just point them to this public repository and they can pull down any dependency that they need. It doesn't really integrate with our IDE. It's just simply that we use Gradle and it makes it very straightforward. Nexus blocks undesirable open-source components from entering our development lifecycle because of the IQ policy actions. We define what sort of level of risk we're willing to take. For example for "security-critical," we could just fail them across the board; we don't want anything that has a security-critical. That's something we define as a CVE security number of nine or 10. If it has a known vulnerability of nine or 10 we could even stop it from coming down from Maven Central; it's quarantined because it has a problem that we don't want to even introduce into our network. We've also created our own policy that we call an "architecture blacklist," which means we don't want certain components to be used from an architectural standpoint. For example, we don't want anybody to build anything with Struts 1. We put it on the architecture blacklist. If a component comes in and it has that tag, it fails immediately.

Read full review

Sonatype Lifecycle mindshare

Product category:

As of May 2025, the mindshare of Sonatype Lifecycle in the Software Composition Analysis (SCA) category stands at 5.2%, down from 6.1% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

PeerResearch reports based on Sonatype Lifecycle reviews

Type	Title	Date
Category	Software Composition Analysis (SCA)	May 1, 2025	Download
Product	Reviews, tips, and advice from real users	May 1, 2025	Download
Comparison	Sonatype Lifecycle vs Black Duck	May 1, 2025	Download
Comparison	Sonatype Lifecycle vs Veracode	May 1, 2025	Download
Comparison	Sonatype Lifecycle vs Snyk	May 1, 2025	Download

Title	Rating	Mindshare	Recommending
GitLab	4.3	4.4%	97%	82 interviews Add to research
Snyk	4.0	14.8%	100%	45 interviews Add to research

Valuable Features

Developers appreciate Sonatype Lifecycle for its robust vulnerability detection and user-friendly integration with DevOps tools like Jenkins and GitHub. It provides comprehensive security insights and easy policy management, allowing teams to automate risk reduction. Its low false-positive rate and proactive monitoring ensure high confidence in data quality. The platform's comprehensive data helps fast-track remediation and decision-making, enabling efficient updates and ensuring applications remain secure and compliant.

"The most valuable feature for us is Sonatype Lifecycle's capability in identifying vulnerabilities."
"This ensures we can address issues proactively."
"The solution provides a comprehensive overview of dependencies and their security status."

Room for Improvement

Sonatype Lifecycle needs improvements in integrating with non-Java languages, especially JavaScript and .NET, and enhancing support for Maven Central dependency management. Reporting lacks flexibility and integration with tools used by enterprises. The user interface, installation, and documentation need refinement for better usability. Customization options for ticket creation and issue tracking are limited. Fortifying language support, improving plugin consistency across IDEs, and providing better cloud-related features would address current gaps.

"Both JFrog and Sonatype should redesign their products to separate the binary repository management solution from the software composition analysis solutions."
"It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."
"It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections."

ROI

Sonatype Lifecycle users noted improvements in security management and development efficiency. They experienced increased developer productivity, reduced time for finding vulnerabilities, and fewer security-related issues. Visibility into software components and integrated security protocols led to enhanced risk management. Some users witnessed cost savings and faster application releases. Devs appreciated the tool’s effectiveness in managing vulnerabilities, although quantifying financial impact was challenging. Users highlighted longer-term benefits, like improved workflows and developer satisfaction.

Pricing

Sonatype Lifecycle pricing is positioned as competitive within the market, offering value that balances cost and capabilities. While it is perceived as more expensive than some alternatives, many organizations find the pricing justifiable due to the added features and security benefits. Licensing is generally bundled, and users often pay annually. Additional setup and support services may incur separate fees, and costs can fluctuate based on user numbers and optional add-ons.

"In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue.If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far.My company pays for the license yearly, plus technical support."
"Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
"There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."

Popular Use Cases

Organizations primarily use Sonatype Lifecycle for identifying vulnerabilities in code libraries and third-party dependencies within their development pipelines. It integrates with IDEs for developer support and automates security checks, ensuring compliance with license policies. Many implement it in continuous integration processes to flag security issues early, manage open-source components, enforce security standards, and maintain a robust software supply chain. It's crucial for monitoring dependencies and updating outdated packages.

Service and Support

Customers report that Sonatype Lifecycle's customer service and support are responsive, knowledgeable, and quick, providing help without cost. Support can be variable due to time zone differences, but dedicated success managers enhance communication. Some cases require product improvements, which might delay issue resolution. Frequent meetings and expert guidance are appreciated. Customers rate support performance highly, though suggestions include improved response times and modern communication options like live chat for immediate assistance.

Deployment

Many describe Sonatype Lifecycle's initial setup as simple and manageable, often requiring minimal expertise. Some encountered challenges like integrating policies and space management, while others faced hurdles with configurations or stricter environments. Installation is typically fast, but configuring policies can take more time. Users found documentation helpful, facilitating setup. Maintenance usually involves moderate effort, suggesting occasional team involvement. Sonatype also receives praise for support during and after installation.

Scalability

Scalability of Sonatype Lifecycle is well-regarded, with users noting successful handling of substantial volumes and flexibility in expanding usage. While some mention the need for cluster support and potential improvements in high-availability setups, others successfully integrate it in expansive deployments. Users appreciate the ability to add resources like CPU and memory dynamically. Despite some uncertainties in large-scale scenarios, many find it sufficient for current and planned use cases. User feedback indicates a promising path ahead.

Stability

Users describe Sonatype Lifecycle as highly stable, experiencing minimal downtime and successful updates. Clusters may need improvements, but the system functions reliably for developers and architects. Occasional issues like lag or specific database challenges have been mentioned, yet these are resolved quickly. The platform reportedly supports large-scale deployments with no major disruptions, and its consistent performance is favored in comparison to other options, rating its overall stability highly in long-term usage.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Sonatype Lifecycle Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

34%

Computer Software Company

12%

Government

Manufacturing Company

Insurance Company

Healthcare Company

University

Comms Service Provider

Energy/Utilities Company

Educational Organization

Non Profit

Retailer

Construction Company

Real Estate/Law Firm

Media Company

Legal Firm

Transportation Company

Outsourcing Company

Aerospace/Defense Firm

Hospitality Company

Logistics Company

Performing Arts

Wholesaler/Distributor

Recreational Facilities/Services Company

Compare Sonatype Lifecycle with alternative products

Learn more about Sonatype Lifecycle

Sonatype Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

Benefits of Open-source Security Monitoring

As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

Reviews from Real Users

Sonatype Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

• the email notifications
• the API, which has been good to work with for reporting, because we have some downstream reporting requirements
• that it's been really user-friendly to work with.”

"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

Sonatype Lifecycle was previously known as Sonatype Nexus Lifecycle, Nexus Lifecycle.