Securely Govern Your C/C++ Packages with Conan and Sonatype

Share your C/C++ packages from a single, trusted repository and reduce software supply chain risk with Sonatype’s package support for Conan. Sonatype maintains Conan package support across the Sonatype Platform, so teams can host, proxy, analyze, and govern Conan packages for safe, repeatable builds.

Why Conan Matters for C/C++ and How Sonatype Fits

Conan is the leading C++ package manager for modern C/C++ development. It standardizes formats, simplifies dependency resolution, and helps teams share binary packages across platforms and configurations. As teams grow, vulnerable Conan packages become a risk, especially with transitive dependencies and platform-specific binaries. Sonatype’s Conan package support lets organizations centralize Conan artifacts, apply policies to enforce quality and provenance, and combine repository hosting with automated analysis and SBOM production. Engineering and security teams get the visibility and controls they need to keep C/C++ supply chains reliable and secure.

Supported Features

Central Repository

Host and proxy Conan packages in a single repository, creating a consistent source of truth for C/C++ dependencies.

Access Control

Use role-based permissions and repository-level controls to manage who can publish, read, and promote Conan packages.

Vulnerability Scanning

Scan Conan packages and their dependencies for known security issues to catch risks before they reach production.

Package Provenance

Capture metadata, provenance, and signatures to verify package origins and build information.

Repository Firewall

Block high-risk or malicious packages before they reach developer builds with policy-driven defenses.

SBOM Generation

Generate accurate C/C++ SBOMs for compliance and faster incident response.

Secure, Govern, and Scale Conan at Enterprise Speed

Sonatype’s Conan package support brings policy-driven security, provenance tracking, and enterprise-grade hosting that scale with your C/C++ projects and help you meet compliance goals.

  • Unified Governance

    Standardize dependency and security policies across all repositories and CI systems for consistent compliance and reduced risk.

  • Improved Build Reliability

    Reduce outages by proxying and caching Conan packages from public registries and serving artifacts locally.

  • Faster Incident Response

    Identify and remediate artifacts that depend on vulnerable or compromised components using accurate package metadata and SBOMs.

Resources

Conan Repositories + Nexus Repository Support

C/C++ Application Analysis in Sonatype Lifecycle

Conan Components in Nexus Repository

Frequently Asked Questions

Does Sonatype host binary Conan packages or just proxy public packages?

Sonatype supports both hosting private Conan packages (a single internal repository) and proxying public remotes so teams can cache and control external Conan packages.

Can I enforce security or license policies for Conan packages?

Yes. Integrating Conan repositories with policy and analysis tooling lets you flag or block packages that violate vulnerability, license, or provenance policies.

How do SBOMs work for C/C++ projects that use Conan?

An SBOM for a Conan-based project lists the package references, resolved versions, and binary artifacts, enabling traceability from source/build to shipped artifacts for compliance and incident handling.
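To make the three things that answer names concrete (package references, resolved versions, and the binary artifacts behind them), here is an added example, not Sonatype's or Conan's own code, that turns a dependency graph into a CycloneDX-shaped SBOM. The graph is a constructed sample whose shape is only assumed to resemble Conan 2's `conan graph info --format=json` output, and the purl qualifier names used for revisions and package ids are likewise an assumption.

```python
import json

# Constructed sample graph. Its shape is modelled on Conan 2's
# `conan graph info --format=json` output as an assumption, not captured output:
# nodes keyed by id, node "0" is the consumer, refs carry "#<recipe revision>".
SAMPLE_GRAPH = {"graph": {"nodes": {
    "0": {"ref": "app/1.0", "package_id": None, "prev": None,
          "dependencies": {"1": {"ref": "openssl/3.2.1"}}},
    "1": {"ref": "openssl/3.2.1#aaaa1111", "package_id": "0f1e2d3c", "prev": "bbbb2222",
          "dependencies": {"2": {"ref": "zlib/1.3.1"}}},
    "2": {"ref": "zlib/1.3.1#cccc3333", "package_id": "9a8b7c6d", "prev": "dddd4444",
          "dependencies": {}},
}}}


def parse_ref(ref):
    """Split 'name/version#rrev' into (name, version, rrev); rrev may be None."""
    name_version, _, rrev = ref.partition("#")
    name, _, version = name_version.partition("/")
    return name, version, rrev or None


def conan_purl(name, version, rrev=None, package_id=None, prev=None):
    """pkg:conan purl; the qualifier names for revisions/binary id are assumed."""
    quals = [(k, v) for k, v in (("rrev", rrev), ("package_id", package_id), ("prev", prev)) if v]
    suffix = "?" + "&".join(f"{k}={v}" for k, v in quals) if quals else ""
    return f"pkg:conan/{name}@{version}{suffix}"


def graph_to_sbom(graph):
    """Emit a CycloneDX-shaped dict: one component per resolved package (recipe
    revision + binary identity) and the dependency edges, so a vulnerable
    transitive binary can be traced back to the application that ships it."""
    nodes = graph["graph"]["nodes"]
    refs = {}  # node id -> bom-ref (the purl)
    for nid, node in nodes.items():
        name, version, rrev = parse_ref(node["ref"])
        refs[nid] = conan_purl(name, version, rrev, node.get("package_id"), node.get("prev"))
    components = []
    for nid, node in nodes.items():
        if nid == "0":
            continue  # the consumer is the SBOM subject, not a component
        name, version, _ = parse_ref(node["ref"])
        components.append({"type": "library", "name": name, "version": version,
                           "purl": refs[nid], "bom-ref": refs[nid]})
    dependencies = [{"ref": refs[nid], "dependsOn": [refs[d] for d in node["dependencies"]]}
                    for nid, node in nodes.items()]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"type": "application", "bom-ref": refs["0"]}},
            "components": components, "dependencies": dependencies}


if __name__ == "__main__":
    print(json.dumps(graph_to_sbom(SAMPLE_GRAPH), indent=2))
```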