Sonatype Adds End-to-End Security for PyPI Packages


Fulton, MD – February 6, 2019 – Today, Sonatype, the leader in automated open source governance, released a new version of its Nexus Lifecycle product, giving Python development teams a simple way to manage PyPI packages and eliminate potential security risk lurking within third-party dependencies.

The use and availability of Python packages continue to grow exponentially as data scientists and developers begin to choose the language over R. Sonatype’s 2018 State of the Software Supply Chain report found that downloads from the PyPI repository grew significantly in 2017, averaging between 4.3 and 4.7 billion per month, or 52 billion on an annualized basis. However, as the language increases in popularity, the potential for vulnerabilities within development and production applications grows with it. Sonatype researchers found that approximately 11% of PyPI packages have at least one known vulnerability.

“Whether developing in Java, JavaScript, NuGet, or other languages, we’ve seen first-hand how important it is for teams to automatically enforce policies pertaining to open source security and licensing,” said Brian Fox, CTO of Sonatype. “We’re now delivering this same level of enterprise control to Python development teams so they can fully automate PyPI governance across every phase of their SDLC.”

This new Nexus Lifecycle capability enables Python development teams and application security professionals to write policy so they can:

  • Automatically and contextually enforce policies across the entire SDLC and ensure that Python applications contain only secure packages.

  • Continuously visualize package intelligence within popular tools, including Jenkins, Bamboo, and Maven plugins.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from TPG, Goldman Sachs, Accel Partners, and Hummer Winblad Venture Partners. Learn more at