Sonatype Debuts New Capabilities for Red Hat Quay, Offers Users Continuous Container Security for Open Source


BOSTON - Red Hat Summit - May 7, 2019 - Sonatype, the inventors of software supply chain automation, announced new capabilities for Red Hat Quay enterprise container registry enabling modern organizations to automate and enforce open source governance policies in the containerized applications they use every day.

Enterprises are increasingly moving toward cloud infrastructures and containers to increase application velocity. Containers make it easier for developers to innovate faster and build modern applications, and with 80% to 90% of an application made up of open source components, it is now more important than ever to automatically enforce open source policy and control risk across every phase of the software development lifecycle.

“Containers moving through a DevOps pipeline must be continuously scanned and monitored for security vulnerabilities and license risk,” said Brian Fox, CTO and Co-founder of Sonatype. “Running an untrusted container can lead to numerous attacks, which is why we’re excited to launch these new capabilities and make it possible for Red Hat Quay users to easily validate containers across the entire SDLC and prior to any runtime execution.”

How it Works:

  1. Developers or CI tools push new images to Red Hat Quay
  2. Quay then triggers the Nexus webhook listener, which triggers Nexus Lifecycle to scan the published image
  3. The developer then automatically sees if any vulnerabilities are present

The Nexus webhook listener at the core of the solution for Red Hat Quay can also be used to integrate Nexus with a variety of tools to help Nexus users easily expand their DevOps pipeline to further fit their needs.
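The push-to-scan flow above hinges on the listener turning a registry notification into the exact image references the scanner should examine. The following is an added illustration, not Sonatype's or Red Hat's code: it assumes a Quay "Repository Push" notification body with the fields `docker_url` and `updated_tags`, a hypothetical trusted registry host `quay.example.internal`, and an assumed scanner command line; the constructed sample event is not from the original page.

```python
import json
import re
from typing import List

# Constructed sample of a Quay repository-push notification (assumption: the
# payload carries "docker_url" and "updated_tags" as shown).
SAMPLE_EVENT = json.dumps({
    "name": "app",
    "repository": "acme/app",
    "namespace": "acme",
    "docker_url": "quay.example.internal/acme/app",
    "homepage": "https://quay.example.internal/repository/acme/app",
    "updated_tags": ["1.4.2", "latest"],
})

TRUSTED_REGISTRY = "quay.example.internal"  # hypothetical registry host
# OCI/Docker tag grammar: alphanumeric or underscore, then up to 127 of [A-Za-z0-9_.-]
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.\-]{0,127}")


def image_refs_from_push(body: str, trusted_registry: str = TRUSTED_REGISTRY) -> List[str]:
    """Return fully qualified image references (host/repo:tag) to hand to the scanner.

    Rejects notifications whose docker_url is not rooted at the trusted registry,
    so a forged or misrouted webhook cannot make the pipeline scan, and then
    report on, an image from somewhere else. Tags are validated against the tag
    grammar so the reference is safe to pass on as a single argv element.
    """
    event = json.loads(body)
    docker_url = event.get("docker_url")
    tags = event.get("updated_tags")
    if not isinstance(docker_url, str) or not isinstance(tags, list):
        raise ValueError("malformed push notification")
    host, _, path = docker_url.partition("/")
    if host != trusted_registry or not path:
        raise ValueError(f"untrusted or malformed docker_url: {docker_url!r}")
    refs = []
    for tag in tags:
        if not isinstance(tag, str) or not TAG_RE.fullmatch(tag):
            raise ValueError(f"invalid tag in notification: {tag!r}")
        refs.append(f"{docker_url}:{tag}")
    return refs


def scan_command(image_ref: str, app_id: str = "acme-app") -> List[str]:
    """Build the scanner invocation as an argv list (never a shell string).

    Assumption: a CLI that accepts a 'container:<ref>' target; the command name,
    flags and app id here are placeholders, not a documented Nexus interface.
    """
    return ["scanner-cli", "-i", app_id, f"container:{image_ref}"]
```

A listener would call `image_refs_from_push` on each notification body and run `scan_command(ref)` with `subprocess.run` for every returned reference, rejecting the event outright when a `ValueError` is raised.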

The Nexus Lifecycle solution for Quay is designed to enable:

  • Developers to continuously adopt containers, shortening time to innovation without adding risk to their projects.
  • Security teams to have peace of mind, knowing that applications are continuously monitored for open source vulnerabilities across the SDLC, including production applications.
  • Operations teams to welcome the continued use of containers to reduce the time and complexity involved in delivering and maintaining production applications.

“With Red Hat Quay, customers have access to an enterprise container registry focused on enhanced security, scalability and automation,” said Chris Morgan, director, Cloud Platforms Technical Marketing, Red Hat. “By working with companies like Sonatype, we help customers extend those capabilities across containerized services and applications to fuel digital transformation efforts.”

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from TPG, Goldman Sachs, Accel Partners, and Hummer Winblad Venture Partners. Learn more at

Red Hat is the trademark or registered trademark of Red Hat, Inc. or its subsidiaries in the United States and other countries.