Overview
Sonatype is the gold standard in Open Source Security (OSS) and software supply chain management. Sonatype unites security, development and operations teams to accelerate digital innovation without sacrificing security or quality across the software supply chain.
What Makes Sonatype Different:
#1 Demonstrated ROI, Clear Results: A third-party study estimates a 232% ROI and 12-month payback on the Sonatype platform. In-platform insights show risks managed and benchmark your performance.
#2 Intelligent Risk Management: AI-enabled behavioral analysis, combined with a 60+ person world-class research team, discovers vulnerabilities 10x faster than the National Vulnerability Database and finds 95x more malicious packages than alternative solutions.
#3 You Can Write Better Code Faster: Sonatype Lifecycle combines security policy automation with instant, detailed developer feedback. There is no tradeoff between risk management and productivity.
Our award-winning, analyst-recognized offers include:
Sonatype Lifecycle - Software Composition Analysis (SCA), Software Supply Chain Security, Developer Enablement - Have full control over your software supply chain with the ability to define security, license, enforcement and remediation policies that work best for your organization - all in a single platform. Lifecycle helps you continuously monitor risks at every stage of the software development lifecycle (SDLC) and automatically remediate them with intelligent guidance, helping teams develop software fearlessly and at scale.
Sonatype Repository Firewall - Software Supply Chain Security - An automated malware and vulnerability detection system that guards the door of your repository to protect your organization from both known and unknown risks, including malware, present in third-party libraries and open source ecosystems. Repository Firewall automatically defends against software supply chain threats including dependency/namespace confusion and malware injection.
With Sonatype, you can develop software fearlessly by mitigating risk without sacrificing speed, quality, or developer productivity.
Contact us for private offers at aws-opportunities@sonatype.com
Highlights
- Reduce vulnerability remediation time by more than 80 percent by using the most comprehensive vulnerability intelligence data with more than 130M components analyzed.
- Rely on technology trusted by more than 15M developers worldwide from the leader in Open Source Software (OSS) Security.
- Increase software release velocity by 6x by automating security into the development process.
Pricing
| Dimension | Description | Cost/12 months |
|---|---|---|
| Lifecycle Only | For 450 Users | $409,500.00 |
| Lifecycle & Firewall | For 420 Users | $495,660.00 |
Vendor refund policy
We do not offer a refund policy.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Automated policy checks have protected builds and now prevent vulnerable dependencies in real time
What is our primary use case?
My main use case for Sonatype Repository Firewall is to check dependencies for vulnerabilities, block any download content that poses a risk, and enforce and adhere to security policies in real-time. I check for any suspicious activity and prevent vulnerable and malicious code from entering the build. When application teams create images, I check for vulnerabilities, block critical and vulnerable-level content, and block packages if someone tries to download unauthorized images or engages in suspicious activities using vulnerability intelligence.
An example would be when a developer is building a Java-based application with Maven. As they write code and add dependencies, the build tool requests a package from Sonatype Repository Firewall, which is integrated with the proxy repository that connects to the internet to download packages. During this process, whenever a request goes to the Nexus repository, Sonatype Repository Firewall checks the component before downloading it. If any vulnerability is detected, such as one related to Log4j, the policies applied at the firewall level help block the component containing critical severity vulnerabilities. The actions taken include blocking the download, putting the component into quarantine, and informing the developer that it was locked due to a critical vulnerability.
What is most valuable?
Sonatype Repository Firewall immediately identifies vulnerable content and helps block it promptly. It stops bad components before they ever enter my environment and helps developers choose correct and safer versions. It detects problems early rather than after accidents happen, and applies automatic enforcement of policies. This protects against threats and helps reduce human errors.
The automatic enforcement happens at different stages. For instance, if an application team requests any dependency to the Nexus Sonatype repository proxy, it first goes to the firewall, which intercepts it before downloading and checks for vulnerabilities, malware signals, and policy rules. If safe, it allows the dependency to be downloaded. If anything risky is found, it blocks it instantly without human intervention. Once a component is downloaded, it gets stored in the cache, allowing faster downloads in the future since the component is already available in the local repository.
Since I started using Sonatype Repository Firewall more than five years ago, it has had a positive impact on security and development speed. It helps prevent security incidents, fixes vulnerabilities early, and enables stable releases for applications. It speeds up development with safer dependencies by eliminating manual security checks and helps reduce human error and knowledge gaps, standardizing my DevOps pipeline and framework according to security guidelines.
What needs improvement?
I recommend integrating artificial intelligence capabilities into Sonatype Repository Firewall for real-time intelligence updates regarding security risks. I also suggest enhancing policy control for improved granular policy settings and better integration with DevOps pipelines, especially in container-based workflows.
I find the documentation very good as I often refer to it for information. The user interface is also very good, but I have noticed some false positives where safe components get blocked, causing unnecessary delays for developers.
For how long have I used the solution?
I have been using Sonatype Repository Firewall for over three years.
What do I think about the stability of the solution?
Sonatype Repository Firewall is stable, and although I explored alternatives like JFrog Artifactory and JFrog X-ray, I did not find them as valuable for my organization.
What do I think about the scalability of the solution?
My product runs on a container-based platform on AWS, utilizing auto-scaling to handle distributed traffic. The policies are enforced in a stateless manner and shared across the system, which helps manage load on the primary nodes effectively during high traffic.
How are customer service and support?
My experience with customer support has been minimal since I have not faced significant issues, and any past support requests during migration were handled well.
Which other solutions did I evaluate?
Sonatype Repository Firewall is stable, and although I explored alternatives like JFrog Artifactory and JFrog X-ray, I did not find them as valuable for my organization.
What other advice do I have?
I advise others considering Sonatype Repository Firewall to ensure they have strong organization-wide policies that comply with security regulations. This product can handle large volumes of data and scale as needed, offering excellent scalability and security features. It is a good product, and I encourage others to use it for large-scale applications if they wish to implement it. I have rated this product 9 out of 10.
Accurate database support blocks malicious code with excellent support
What is our primary use case?
Many companies, including ours, use Nexus Repository due to concerns about malware and critical vulnerabilities. There should be a specific method to prevent malicious packages from entering the internal network, so our company uses Nexus Repository. We usually consider adding the firewall feature on top of the Repository, with the main purpose being to block malicious packages.
What is most valuable?
The firewall is the only solution that supports Nexus Repository. This firewall comes with an accurate database, which can identify most malicious code and stop it from entering. It relies on the accurate Sonatype database, so the accuracy is excellent. There is no other option except Sonatype to deploy as the firewall.
What needs improvement?
There are several features lacking in the current offering, particularly concerning container support and AI packages, like humming phase support. However, I have heard that it is on the roadmap for 2025.
For how long have I used the solution?
I have been using this solution for four years.
What do I think about the stability of the solution?
It is software, so there is always a possibility of bugs, however, they are quite fast in fixing these bugs. It is quite stable.
What do I think about the scalability of the solution?
There is an option to scale the capacity using an external database, and then you also have support. I do not think there is any issue with scalability.
How are customer service and support?
The customer service is fantastic. They provide the required responses and relevant support, which is the biggest advantage of using Sonatype.
Which solution did I use previously and why did I switch?
I do not have handling experience with another firewall. Sonatype Firewall is the only one I have been using. There is only one other alternative.
How was the initial setup?
The initial setup is quite straightforward and easy. It is not complicated.
What about the implementation team?
Just a couple of staff members can complete the installation and configuration.
What's my experience with pricing, setup cost, and licensing?
Also, I consider it average. Some people might consider it expensive, however, since it supports many beautiful features, I would say it is worth it.
Which other solutions did I evaluate?
We looked at Sonatype or Gather. There are not that many options.
What other advice do I have?
I would give the solution eight out of ten. I would look at the comparison of Sonatype to some other firewalls. There is room for improvement, especially mentioning container support and AI packages.