Sonatype Platform

We at HTI use Sonatype products extensively. Specially Nexus repository manager, IQ & Firewall. We have a massive scale of our users almost 40k who are using our platform (Artefcats Management). We have many complex use cases, one of them being hosting docker on Nexus. We have millions of public, private & hosted images on our platform & lot of tier0 services depend on us for their build & deployments. Any outage or slowness on docker nexus instance impacts them heavily & its huge impact on our reputation as well as business. Sonatype team is regularly helping us tune our Nexus repository manager in such a way that our service is not only highly available but optimized enough to ensure our business continues as usual. Nexus repository manager as a tool has come long way & Sonatype team ensures we as a customer get the required features & service.

• Our usage has grown from 3k users in 2011 to 40k today
• We use almost all features on nexus very extensively like logging, tasks, clean up, etc.

APF Software Firewall

Jenkins, GitHub

We use the Sonatype Platform in the Software-Development-Process to make sure we a) are better informed on what goes live and what not and b) research what problems can be fixed how and when. Theese 2 tools help to make sure we also can add Quality-Gates to our CI/CD pipelines.

• Helps to be pro-active and informed
• Helps to get started fast and reduces CVEs, IF the language support is there
• Helps to get an overview of SBOMs, on what you have in development to production environments

Sonatype Nexus Lifecycle, we are able to identify issues with the 3rd party controls/components in our software very early into the development stage. Sonatype Lifecycle works very well within our DevOps practice, it helps us to implement continuous monitoring on 3rd party controls/components. It provides detailed reporting that helps us to understand the associated Vulnerabilities with the components and its dependencies.

• SCA

• Early identifying & fixing the issues into SDLC

Veracode

Veracode, Security Compass SD Elements

Top tier platform for identifying, remediating and managing known source code vulnerabilities across a large portfolio of applications. We incorporated Nexus Lifecycle scanning into our end to end pipelines with great success.

• Vulnerability Identification / Remediation Guidance
• Relatively simple ingest/onboarding process per application
• Outstanding support

• Enabled us to be more proactive on vulnerability remediation
• Significant reduction in legacy technical debt
• Being proactive with monthly touchpoints to keep our progress moving forward

Black Duck Software Composition Analysis (SCA)

AWS Batch, Jenkins, GitHub

In our organization we use Sonatype's Nexus Platform to manage repositories, artifacts like docker images and libraries and to distribute/share artifacts amongst different teams. Integrates well with gitlab/github repositories making it a good choice as repository manager. It has web browser to browse different artifacts and manage the artifacts (deprecate the ones not required)

Some teams use Nexus Lifecycle to identify vulnerabilities in build components and has been great help!

• Management of artifact's using Sonatype Repository manager
• Checking for Vulnerabilities using Sonatype's LifeCycle
• Sharing of artifacts using Nexus Repository
• Integration with Gitlab for CI/CD operations

• Sonatype Nexus has a positive ROI my organization. It has saved cost of hardware and network bandwidth by acting as repository manager
• It has eliminated vulnerability threats by checking the components for security risk and vulnerabilities
• It has allowed the management of the artifacts thus saving on the disk space on servers

Apache Archiva and JFrog Artifactory

Google Kubernetes Engine, AWS CodeArtifact, IntelliJ IDEA