    Sonatype Repository Firewall

    Sold by: Sonatype
    Deployed on AWS
    Free Trial / AWS Free Tier
    Block malicious open source at the door, before entering your devops pipeline
    Rating: 4.5

    Overview

    Block Malicious Open Source at the Door

    Strengthen your software supply chain security by automatically detecting known and unknown open source malware before it enters development. Sonatype Repository Firewall is the only automated solution that stops open source malware at the source. Powered by next-generation AI behavioral analysis and automated policy enforcement, it evaluates components before they reach your repository, ensuring developers can work with safe, up-to-date OSS components and avoid costly issues later in the development lifecycle.

    What Makes Repository Firewall Different:

    • Block Open-Source Malware Automatically: Prevent malicious components from entering your software supply chain with AI-driven detection and automated policy enforcement.
    • Eliminate Existing Threats: Identify and remove malware already in your repositories, keeping your development environment secure.
    • Protect Without Slowing Developers: Seamlessly safeguard your pipeline without disrupting workflows or slowing innovation.

    Sonatype Repository Firewall is your first line of defense against open-source malware, combining automated protection with seamless integration to reduce security burdens and accelerate time to market, all without compromising speed, quality, or innovation. Develop fearlessly. Innovate confidently.

    As the industry-leading software supply chain management platform, the Sonatype Platform is the choice of organizations that are currently using or evaluating solutions such as Mend, JFrog, Snyk, or GitLab. Sonatype provides a comprehensive and integrated solution for all aspects of the software development lifecycle, from secure development to release automation, helping organizations reduce risk and accelerate their time to market.

    Highlights

    • Start your 30-day Free Trial on AWS Marketplace today!
    • Bad actors are constantly evolving their attack vectors. Sonatype has identified and blocked over 143k malicious and suspicious packages.
    • Sonatype Repository Firewall has prevented over $1.5 Billion in potential losses from malicious open source attacks.

    Details

    Sold by: Sonatype
    Delivery method: Deployed on AWS

    Pricing

    Free trial

    Try this product free according to the free trial terms set by the vendor.

    Sonatype Repository Firewall

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (1)

    Dimension            Description   Cost/12 months
    Repository Firewall  For One User  $302.00

    Vendor refund policy

    We do not offer a refund policy.

    Custom pricing options

    Request a private offer to receive a custom quote.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Accolades

    Top 10 in Software Development
    Top 10 in Continuous Integration and Continuous Delivery, Application Development, Security
    Top 10 in Agile Lifecycle Management, Source Control

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2.

    Reviews: 2 reviews
    Functionality: Insufficient data
    Ease of use: Insufficient data
    Customer service: Insufficient data
    Cost effectiveness: Insufficient data

    Overview

    AI generated from product descriptions

    • AI-Powered Malware Detection: Utilizes next-generation AI behavioral analysis to automatically detect known and unknown open source malware before components enter the development pipeline.
    • Automated Policy Enforcement: Enforces automated policies to block malicious components at the repository level, preventing them from entering the software supply chain.
    • Threat Remediation: Identifies and removes malware already present in existing repositories to eliminate threats from the development environment.
    • Repository Integration: Integrates seamlessly with repository systems to evaluate and filter components before they reach the development pipeline without disrupting workflows.
    • Supply Chain Security Scanning: Evaluates open source components for security vulnerabilities and malicious characteristics as part of the software supply chain management process.
    • Artifact Repository Management: Universal artifact management supporting 50+ natively supported package and file types, including ML models and generic repositories.
    • Software Composition Analysis: Modern, holistic software composition analysis with contextual vulnerability analysis and prioritization across the software development lifecycle.
    • Supply Chain Security Governance: Application risk governance with evidence-based policy enforcement, anti-tampering mechanisms, and signed provenance across the entire software development lifecycle.
    • Secure Artifact Distribution: Fast, secure distribution of verified, multi-repository release bundles with geo-distributed synchronization capabilities to multiple deployment targets.
    • Multi-Format Artifact Support: Supports multiple artifact formats including Docker, Java, Go, PHP, and Python.
    • Private Repository Hosting: Provides private hosted repositories for centralized artifact storage and management.
    • Role-Based Access Control: Implements role-based access controls for managing user permissions and security.
    • CI/CD Integration: Enables automation and CI/CD processes to publish and retrieve versioned applications and dependencies.
    • Centralized Dependency Management: Offers a single central location for managing and tracking all software artifacts and their dependencies.

    Contract

    Standard contract: No

    Customer reviews

    Ratings and reviews

    4.5 out of 5 (3 ratings: 1 AWS review, 2 external reviews)

    5 star: 67%
    4 star: 33%
    3 star: 0%
    2 star: 0%
    1 star: 0%

    External reviews are from G2 and PeerSpot.

    GauravS08

    Automated policy checks have protected builds and now prevent vulnerable dependencies in real time

    Reviewed on Apr 28, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Sonatype Repository Firewall is to check dependencies for vulnerabilities, block any download content that poses a risk, and enforce and adhere to security policies in real-time. I check for any suspicious activity and prevent vulnerable and malicious code from entering the build. When application teams create images, I check for vulnerabilities, block critical and vulnerable-level content, and block packages if someone tries to download unauthorized images or engages in suspicious activities using vulnerability intelligence.

    An example would be when a developer is building a Java-based application with Maven. As they write code and add dependencies, the build tool requests a package from Sonatype Repository Firewall, which is integrated with the proxy repository that connects to the internet to download packages. During this process, whenever a request goes to the Nexus repository, Sonatype Repository Firewall checks the component before downloading it. If any vulnerability is detected, such as one related to Log4j, the policies applied at the firewall level help block the component containing critical severity vulnerabilities. The actions taken include blocking the download, putting the component into quarantine, and informing the developer that it was locked due to a critical vulnerability.

    What is most valuable?

    Sonatype Repository Firewall immediately identifies vulnerable content and helps block it promptly. It stops bad components before they ever enter my environment and helps developers choose correct and safer versions. It detects problems early rather than after accidents happen, and applies automatic enforcement of policies. This protects against threats and helps reduce human errors.

    The automatic enforcement happens at different stages. For instance, if an application team requests any dependency to the Nexus Sonatype repository proxy, it first goes to the firewall, which intercepts it before downloading and checks for vulnerabilities, malware signals, and policy rules. If safe, it allows the dependency to be downloaded. If anything risky is found, it blocks it instantly without human intervention. Once a component is downloaded, it gets stored in the cache, allowing faster downloads in the future since the component is already available in the local repository.

    Since I started using Sonatype Repository Firewall more than five years ago, it has had a positive impact on security and development speed. It helps prevent security incidents, fixes vulnerabilities early, and enables stable releases for applications. It speeds up development with safer dependencies by eliminating manual security checks and helps reduce human error and knowledge gaps, standardizing my DevOps pipeline and framework according to security guidelines.

    What needs improvement?

    I recommend integrating artificial intelligence capabilities into Sonatype Repository Firewall for real-time intelligence updates regarding security risks. I also suggest enhancing policy control for improved granular policy settings and better integration with DevOps pipelines, especially in container-based workflows.

    I find the documentation very good as I often refer to it for information. The user interface is also very good, but I have noticed some false positives where safe components get blocked, causing unnecessary delays for developers.

    For how long have I used the solution?

    I have been using Sonatype Repository Firewall for over three years.

    What do I think about the stability of the solution?

    Sonatype Repository Firewall is stable, and although I explored alternatives like JFrog Artifactory and JFrog X-ray, I did not find them as valuable for my organization.

    What do I think about the scalability of the solution?

    My product runs on a container-based platform on AWS, utilizing auto-scaling to handle distributed traffic. The policies are enforced in a stateless manner and shared across the system, which helps manage load on the primary nodes effectively during high traffic.

    How are customer service and support?

    My experience with customer support has been minimal since I have not faced significant issues, and any past support requests during migration were handled well.

    Which other solutions did I evaluate?

    Sonatype Repository Firewall is stable, and although I explored alternatives like JFrog Artifactory and JFrog X-ray, I did not find them as valuable for my organization.

    What other advice do I have?

    I advise others considering Sonatype Repository Firewall to ensure they have strong organization-wide policies that comply with security regulations. This product can handle large volumes of data and scale as needed, offering excellent scalability and security features. It is a good product, and I encourage others to use it for large-scale applications if they wish to implement it. I have rated this product 9 out of 10.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Jay-Kim

    Accurate database support blocks malicious code with excellent support

    Reviewed on Jan 20, 2025
    Review provided by PeerSpot

    What is our primary use case?

    Many companies, including ours, use Nexus Repository due to concerns about malware and critical vulnerabilities. There should be a specific method to prevent malicious packages from entering the internal network, so our company uses Nexus Repository. We usually consider adding the firewall feature on top of the Repository, with the main purpose being to block malicious packages.

    What is most valuable?

    The firewall is the only solution that supports Nexus Repository. This firewall comes with an accurate database, which can identify most malicious code from entering. It relies on the Sonatype accurate database, so the accuracy is excellent. There is no other option except Sonatype deploy to the firewall.

    What needs improvement?

    There are several features lacking in the current offering, particularly concerning container support and AI packages, like humming phase support. However, I have heard that it is on the roadmap for 2025.

    For how long have I used the solution?

    I have been using this solution for four years.

    What do I think about the stability of the solution?

    It is software, so there is always a possibility of bugs, however, they are quite fast in fixing these bugs. It is quite stable.

    What do I think about the scalability of the solution?

    There is an option to scale the capacity using an external database, and then you also have support. I do not think there is any issue with scalability.

    How are customer service and support?

    The customer service is fantastic. They provide the required responses and relevant support, which is the biggest advantage of using Sonatype.

    Which solution did I use previously and why did I switch?

    I do not have handling experience with another firewall. Sonatype Firewall is the only one I have been using. There is only one other alternative.

    How was the initial setup?

    The initial setup is quite straightforward and easy. It is not complicated.

    What about the implementation team?

    Just a couple of staff members can complete the installation and configuration.

    What's my experience with pricing, setup cost, and licensing?

    Also, I consider it average. Some people might consider it expensive, however, since it supports many beautiful features, I would say it is worth it.

    Which other solutions did I evaluate?

    We looked at Sonatype or Gather. There are not that many options.

    What other advice do I have?

    I would give the solution eight out of ten. I would look at the comparison of Sonatype to some other firewalls. There is room for improvement, especially mentioning container support and AI packages.

    Preeti R.

    Nexus Firewall

    Reviewed on Mar 23, 2023
    Review provided by G2

    What do you like best about the product?

    It blocks malicious activities and keeps your data and network secure, along with easy established policy. It prevents your applications from moving forward with unapproved components.

    What do you dislike about the product?

    There is a lack of the option of technical support. One should have knowledge of SDLC, DevOps, and Nexus Repository Manager, and should have a proper understanding of the solution.

    What problems is the product solving and how is that benefiting you?

    We want to protect our application from open source threats and malicious activities. We want to get automated and complete monitoring, reports, and security vulnerabilities.