Sonatype Enables Engineering Teams to Take Control of InnerSource Components With First-Of-Its-Kind Feature


InnerSource Insight makes it easier and safer for developers to use software components created by others within their organization as part of their Software Supply Chain

May 11, 2022 -- Fulton, Md. -- Sonatype, the pioneer of software supply chain management, today announced an industry-first capability focused on identifying and remediating InnerSource components that contain vulnerable, malicious, or outdated open source dependencies. With InnerSource Insight, developers can easily manage their InnerSource components, see what open source packages they’re dependent on, remediate concerns immediately, and identify safe upgrade paths that won’t break builds.

InnerSource is a rapidly growing term for proprietary software components developed internally using the practices and processes typical of open source development. This means everyone in an organization has access to the development artifacts, code, and documentation. Teams are encouraged to use and contribute to these components as part of the application development lifecycle to save time, prevent rework, and build better software.

“Over the past 15 years that we’ve been helping engineering teams understand, manage, and protect their software supply chains, organizations have come to understand the inherent risks of using open source software and the need to monitor it,” said Brian Fox, co-founder and CTO of Sonatype. “What’s less known is that increasingly, dangerous open source components slip into applications through these shared internal components called InnerSource. We’re helping organizations remove that risk by making it possible for developers to manage InnerSource components the same way they manage open source.” 

InnerSource components can, in some cases, pull in hundreds of other open source and InnerSource components, which often carry company policy violations that are difficult to trace and remediate. Sonatype’s InnerSource Insight, previously available in beta and now open to all customers of Sonatype’s Nexus Lifecycle, helps developers and security teams:

  • Decrease manual rework by easily identifying InnerSource components and taking action to remediate concerns or company policy violations within their dependencies
  • Save time by quickly seeing all the different versions of an InnerSource component in an easy-to-read graphic, and then determining the most up-to-date version you should be using
  • Effortlessly integrate with CycloneDX, making it possible to track, update, and remediate InnerSource components across 120+ tools and languages

About Sonatype 

Sonatype is the software supply chain management company. We empower developers and security professionals with intelligent tools to innovate more securely at scale. Our platform addresses every element of an organization’s entire software development life cycle, including third-party open source code, first-party source code, and InnerSource code. Sonatype identifies critical security vulnerabilities and code quality issues and reports results directly to developers when they can most effectively fix them. This helps organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.