I have used Sonatype Lifecycle for one year, primarily as part of DevSecOps and software composition analysis initiatives focused on my application security project, which involves identifying and managing open-source dependency risks within application environments. For Sonatype Lifecycle, I actually use it for two purposes in application security: security composition analysis (SCA) and Static Application Security Testing (SAST), with the intention of identifying code-level vulnerabilities whenever developers write any code, allowing me to scan the code, prioritize vulnerabilities, and fix those areas to reduce overall application risk. Before using Sonatype Lifecycle, I used to get vulnerabilities in the deployment phase, also known as Dynamic Application Security Testing (DAST), but after implementing Sonatype Lifecycle, it adds an additional security layer by allowing me to conduct SAST and SCA scans early in the coding phase, enabling me to prioritize and remediate vulnerabilities as soon as possible, which reduces time and effort.
My main use case for Sonatype Lifecycle is open-source scanning for SCA. We pair it with Fortify (our SAST/DAST platform), and together they give us a more complete security picture within the CI/CD pipeline. A recent example: we integrated Sonatype Lifecycle with its Nexus SCA Manager into our Jenkins workflow. Our code already went through SAST/DAST, but some smaller open-source packages and sub-libraries were not a primary focus, especially those with licensing or legal considerations. Lifecycle fills that gap by checking every component for vulnerabilities, version risks, and license obligations, so we're confident the entire codebase is covered. We also use Lifecycle's JSON mapping to share vulnerability and application data across Jenkins, Fortify, and other tools. What used to be a bit scattered is now clean, automated, and easy to maintain. This brings better visibility on all components across applications and versions.
DevOps engineer at a tech vendor with 10,001+ employees
Real User
Top 10
Apr 24, 2025
Whenever we have builds, we upload our builds or artifacts to Sonatype Container. This is the basic purpose. Sonatype Container makes cleanup and uploading artifacts easy with its clear UI for management.
Automation Technical Lead at a tech vendor with 10,001+ employees
Real User
Aug 25, 2022
Sonatype Nexus Container is used mainly for storing your dependencies and the libraries that the applications are using. Additionally, it is used when the applications are downloading the dependencies from the containers.
Sonatype Lifecycle enables enterprises to manage software risk efficiently with automation and robust data, facilitating quicker issue resolution throughout the software development lifecycle.
Sonatype Lifecycle reduces software development risks by providing automation and high-quality data management for open source and AI risks across the complete SDLC. Features like Golden Pull Requests, smart recommendations, reachability analysis, and zero effort fixes help streamline remediation and...