Sonatype Adds Native Container Scanning to Nexus Lifecycle


DevOps teams can now automatically and continuously examine the quality of open source components used in containerized applications

Fulton, MD, August 10, 2017 - Sonatype, the leader in software supply chain automation, today released a new version of its popular Nexus Lifecycle product which now includes a built-in service that enables software development teams to automatically and continuously examine the security and quality of open source components used within container images.

According to the 2017 DevSecOps Community survey, 88% of IT professionals are contemplating new and different approaches to security as container images are fast becoming an operational standard in DevOps-native environments.

The free service, known as Lifecycle Container Analysis (LCA), gives customers the ability to surface intelligence with respect to the quality of open source components inside of a container image and automatically apply and manage policies based on the results. With LCA, Nexus Lifecycle customers can now automatically govern open source hygiene for containerized applications in the same way they have long governed hygiene for non-containerized applications. Additionally, by using Sonatype’s Nexus Repository as a free, private Docker registry, these same customers can easily organize, manage, and distribute trusted containers across their DevOps pipelines.

Supporting Quotes

Wayne Jackson, CEO, Sonatype

“Rather than treating security as an afterthought, high performance technology organizations view containers as an unprecedented opportunity to embed automated security controls into every phase of the software delivery pipeline. We have hundreds of enterprise customers like Goldman Sachs, Intuit, and Liberty Mutual already using Nexus Lifecycle to continuously govern the security and quality of open source components being used within their applications -- and beginning today the remarkable intelligence of Nexus Lifecycle has been extended to containers as well.”

Edwin Kwan, Application Security Lead, Tyro Payments

“The amount of open source components used by modern developers combined with the emergence of containers and continuous delivery requires me, as a security professional, to align more closely than ever with my counterparts in development. Whether an application is containerized or not, Nexus Lifecycle gives our organization the ability to automatically monitor for violations of security or licensing policies early and everywhere across the lifecycle.”

Chris Morgan, Technical Director, OpenShift Ecosystem, Red Hat

“The growth of heterogeneous datacenter infrastructure and cloud-native applications coupled with the drive towards hybrid and multi-cloud deployments has helped to create significant complexity for IT organizations, especially around application security. With containerized applications, trust is temporal; the older the container image, the greater the chance that the components inside could be a security risk. Red Hat has recognized this challenge with the launch of the Container Health Index and we’re pleased to see partners like Sonatype helping to drive additional container security innovations, like automated container inspection capabilities that help enterprises to realize the benefits of DevSecOps automation.”

Additional Resources

About Sonatype

With more than 100,000 installations, companies around the globe use Sonatype’s Nexus solutions to manage reusable components and improve the quality, speed and security of their software supply chains. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel, Hummer Winblad Venture Partners, Morgenthaler Ventures, Bay Partners and Goldman Sachs. For more information, visit:

Media Contact
Jennifer Edgerly
SpeakerBox Communications for Sonatype