
Pros & Cons summary


Prominent pros & cons

PROS

Nexus Lifecycle offers low false-positive results, providing a high confidence factor in vulnerability detection.
The system allows defining and applying policies selectively across applications, enhancing security management.
Integration with developer tooling and IDEs like Eclipse, Visual Studio, and WebStorm streamlines the development process.
Proprietary data on vulnerabilities combines various sources and research, offering concise explanations and aiding quick resolution.
Continuous monitoring and proactive alerts ensure developers stay informed about library security status, optimizing open-source use.

CONS

Sonatype Lifecycle reporting interfaces can be confusing for infrequent users, prompting the creation of Wiki pages for clarity.
A wider range of language support is necessary; current offerings are mainly Java-centric.
Server space issues arise with Nexus Repository due to ongoing build artifact additions without adequate space notifications.
Better integration with Azure DevOps and Azure Active Directory is needed, with current workarounds proving insufficient.
Clarification on transitive dependencies is required, as they cause confusion when unexpected libraries are pulled in.

Sonatype Lifecycle Pros review quotes

@RahulVerma - PeerSpot reviewer
Presales Engineer at Rah Infotech Pvt Ltd
Dec 10, 2025
Sonatype Lifecycle has positively impacted my organization by ensuring we stay compliant, making our clients in the financial sector feel much more secure to use open source with the incorporation of Sonatype Lifecycle in our environment.
CL
Analista De Sistemas at Dataprev
Mar 24, 2025
The most valuable feature for us is Sonatype Lifecycle's capability in identifying vulnerabilities.
SrinathKuppannan2 - PeerSpot reviewer
Integration Manager at CommScope
Jun 26, 2024
The violation reports provided by Lifecycle are key, giving specific details on the types of violations and identifying the component within the application.
Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
893,221 professionals have used our research since 2012.
GK
Principal DevSecOps at a computer software company with 10,001+ employees
Dec 24, 2024
The solution provides a comprehensive overview of dependencies and their security status.
AA
Sr cyber analyst at an energy/utilities company with 10,001+ employees
Dec 29, 2023
I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions.
AA
Sr cyber analyst at an energy/utilities company with 10,001+ employees
Oct 26, 2023
Automating the Jenkins plugins and the build title is a big plus.
AJ
DevOps engineer at a tech vendor with 10,001+ employees
Apr 24, 2025
Sonatype Container makes cleanup and uploading artifacts easy with its clear UI for management.
reviewer2317233 - PeerSpot reviewer
Vice President, Cybersecurity at a financial services firm with 10,001+ employees
Dec 29, 2023
The Software Security Center, which is often overlooked, stands out as the most effective feature.
JB
Adjunct at University of Maryland
Dec 29, 2023
You can really see what's happening after you've developed something.
VF
Software analyst at a financial services firm
Dec 29, 2023
The reference provided for each issue is extremely helpful.

Sonatype Lifecycle Cons review quotes

@RahulVerma - PeerSpot reviewer
Presales Engineer at Rah Infotech Pvt Ltd
Dec 10, 2025
One downside to Sonatype Lifecycle is that its policies and alerts feel overwhelming when first seen by the team, as it is too early in the security journey/life-cycle. Usually just highlighting gaps is best, as too-informative dashboards lead to priority fatigue.
CL
Analista De Sistemas at Dataprev
Mar 24, 2025
Both JFrog and Sonatype should redesign their products to separate the binary repository management solution from the software composition analysis solutions.
SrinathKuppannan2 - PeerSpot reviewer
Integration Manager at CommScope
Jun 26, 2024
On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.
GK
Principal DevSecOps at a computer software company with 10,001+ employees
Dec 24, 2024
It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections.
AA
Sr cyber analyst at an energy/utilities company with 10,001+ employees
Dec 29, 2023
It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier.
AA
Sr cyber analyst at an energy/utilities company with 10,001+ employees
Oct 26, 2023
Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize.
AJ
DevOps engineer at a tech vendor with 10,001+ employees
Apr 24, 2025
Sonatype Container can accommodate bigger file sizes for artifacts and improve performance, especially when dealing with large files.
reviewer2317233 - PeerSpot reviewer
Vice President, Cybersecurity at a financial services firm with 10,001+ employees
Dec 29, 2023
Fortify's software security center needs a design refresh.
JB
Adjunct at University of Maryland
Dec 29, 2023
Their licensing is expensive.
VF
Software analyst at a financial services firm
Dec 29, 2023
The price can be improved.