Sonatype Announces 300% Growth in Use of Nexus Repository Manager


Momentum fueled by demand for DevOps-native open source governance tools

Fulton, MD – January 18, 2017 – Sonatype, the leader in software supply chain automation, today announced 300 percent growth in the use of Nexus Repository over the past three years.  During this period, the number of active instances of Nexus Repository grew from 30,000 to 120,000 spurred by the introduction of Nexus Repository v3, universal support for component formats, and growing concern among enterprises about security vulnerabilities in open source components and containers.

Number of Nexus Repository installations actively downloading components from the Central Repository (2009 - 2016)

Organizations that rely on the Nexus Repository to house open source software components and containerized applications have gained new visibility into the quality of components flowing through their software supply chains. In 2016 alone, Nexus Repository saw a 40 percent increase in the use of its Repository Health Check feature.  Today, 23,000 organizations utilize Repository Health Check every day to automatically analyze security, licensing, and architectural risks across 58 million components living inside local Nexus Repository Managers.

The popularity of open source software development continues to grow because it minimizes the need to code from scratch.  However, as indicated in the most recent State of the Software Supply Chain Report, 1 in 15 open source components used in production applications has at least one known security vulnerability.  In order to eliminate security risk, improve quality, and accelerate innovation, DevOps-native organizations are beginning to automatically manage the quality of components being used to assemble software applications.

Gartner analysts Neil MacDonald and Ian Head wrote in Gartner’s September 2016 report, DevSecOps: How to Seamlessly Integrate Security into DevOpsthat, “By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”

“There is increasing evidence that more organizations are taking software supply chain automation and component security seriously,” said Wayne Jackson, CEO of Sonatype. “Specifically, DevOps-native organizations are embracing tools such as Nexus Repository and Nexus Firewall to automatically block bad components from entering into their mission-critical applications.”

Gartner analysts, Neil MacDonald and Ian Head echoed this sentiment in their DevSecOps report, writing, “The issue is that often developers (knowingly or unknowingly) download known vulnerable open source components and frameworks for use in their applications.”  A best practice recommended in the report is to “implement an ‘OSS firewall’ to proactively prevent developers from downloading known vulnerable code from Maven, GitHub, and other OSS code repositories by policy.”

Additional Resources

About Sonatype

Last year developers requested 31 billion components from the Central Repository to manufacture the software applications that run the world. Additionally, with more than 120,000 installations, companies around the globe use Sonatype’s Nexus solutions to manage reusable components and improve the quality, speed and security of their software supply chains. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, Morgenthaler Ventures, Bay Partners and Goldman Sachs. For more information, visit:

Media Contact
Jennifer Edgerly
SpeakerBox Communications for Sonatype