My main use case for Sonatype Repository Firewall is to check dependencies for vulnerabilities, block any download content that poses a risk, and enforce and adhere to security policies in real-time. I check for any suspicious activity and prevent vulnerable and malicious code from entering the build. When application teams create images, I check for vulnerabilities, block critical and vulnerable-level content, and block packages if someone tries to download unauthorized images or engages in suspicious activities using vulnerability intelligence.
An example would be when a developer is building a Java-based application with Maven. As they write code and add dependencies, the build tool requests a package from Sonatype Repository Firewall, which is integrated with the proxy repository that connects to the internet to download packages. During this process, whenever a request goes to the Nexus repository, Sonatype Repository Firewall checks the component before downloading it. If any vulnerability is detected, such as one related to Log4j, the policies applied at the firewall level help block the component containing critical severity vulnerabilities. The actions taken include blocking the download, putting the component into quarantine, and informing the developer that it was locked due to a critical vulnerability.
Sonatype Repository Firewall immediately identifies vulnerable content and helps block it promptly. It stops bad components before they ever enter my environment and helps developers choose correct and safer versions. It detects problems early rather than after accidents happen, and applies automatic enforcement of policies. This protects against threats and helps reduce human errors.
The automatic enforcement happens at different stages. For instance, if an application team requests any dependency from the Nexus Sonatype repository proxy, it first goes to the firewall, which intercepts it before downloading and checks for vulnerabilities, malware signals, and policy rules. If safe, it allows the dependency to be downloaded. If anything risky is found, it blocks it instantly without human intervention. Once a component is downloaded, it gets stored in the cache, allowing faster downloads in the future since the component is already available in the local repository.
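The intercept-check-block-or-cache flow described above, as an added simulation that is not Sonatype's code: the severity table, the malware flag and the sample coordinates are constructed for the example, and the advisory ids are placeholders.

```python
"""Simplified repository-firewall gate in front of a proxy repository.
Added illustration only; policy, vulnerability data and coordinates are
constructed and do not come from any real vendor feed."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"none": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed vulnerability intelligence keyed by Maven coordinate.
# Placeholder advisory ids; a real gate would query the vendor's feed.
VULN_DB = {
    "org.apache.logging.log4j:log4j-core:2.14.1":
        {"severity": "critical", "advisory": "ADVISORY-PLACEHOLDER-1", "malicious": False},
    "org.apache.logging.log4j:log4j-core:2.17.1":
        {"severity": "none", "advisory": None, "malicious": False},
    "com.example:constructed-malicious-sample:1.0":   # constructed, not a real package
        {"severity": "low", "advisory": "ADVISORY-PLACEHOLDER-2", "malicious": True},
}


@dataclass
class FirewallGate:
    block_at: str = "critical"                       # policy: block this severity and above
    cache: dict = field(default_factory=dict)        # components already downloaded
    quarantine: dict = field(default_factory=dict)   # blocked coordinate -> reason
    upstream_fetches: int = 0                        # how often the proxy went to the internet

    def _fetch_upstream(self, coordinate: str) -> bytes:
        # Stand-in for the proxy repository downloading from the remote registry.
        self.upstream_fetches += 1
        return f"<jar bytes for {coordinate}>".encode()

    def request(self, coordinate: str) -> dict:
        """Intercept a build-tool request; return the decision and developer message."""
        if coordinate in self.cache:                 # already vetted: serve locally
            return {"action": "allow", "source": "cache", "message": "served from local cache"}
        info = VULN_DB.get(coordinate, {"severity": "none", "advisory": None, "malicious": False})
        if info["malicious"]:                        # malware signal overrides severity policy
            self.quarantine[coordinate] = "malware signal"
            return {"action": "block", "source": "firewall",
                    "message": f"{coordinate} quarantined: malware signal ({info['advisory']})"}
        if SEVERITY_RANK[info["severity"]] >= SEVERITY_RANK[self.block_at]:
            self.quarantine[coordinate] = info["severity"]
            return {"action": "block", "source": "firewall",
                    "message": f"{coordinate} quarantined: {info['severity']} severity"}
        self.cache[coordinate] = self._fetch_upstream(coordinate)
        return {"action": "allow", "source": "upstream", "message": "downloaded and cached"}
```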
Since I started using Sonatype Repository Firewall more than five years ago, it has had a positive impact on security and development speed. It helps prevent security incidents, fixes vulnerabilities early, and enables stable releases for applications. It speeds up development with safer dependencies by eliminating manual security checks and helps reduce human error and knowledge gaps, standardizing my DevOps pipeline and framework according to security guidelines.
I recommend integrating artificial intelligence capabilities into Sonatype Repository Firewall for real-time intelligence updates regarding security risks. I also suggest enhancing policy control for improved granular policy settings and better integration with DevOps pipelines, especially in container-based workflows.
I find the documentation very good as I often refer to it for information. The user interface is also very good, but I have noticed some false positives where safe components get blocked, causing unnecessary delays for developers.
I have been using Sonatype Repository Firewall for over three years.
Sonatype Repository Firewall is stable, and although I explored alternatives like JFrog Artifactory and JFrog X-ray, I did not find them as valuable for my organization.
My product runs on a container-based platform on AWS, utilizing auto-scaling to handle distributed traffic. The policies are enforced in a stateless manner and shared across the system, which helps manage load on the primary nodes effectively during high traffic.
My experience with customer support has been minimal since I have not faced significant issues, and any past support requests during migration were handled well.
I advise others considering Sonatype Repository Firewall to ensure they have strong organization-wide policies that comply with security regulations. This product can handle large volumes of data and scale as needed, offering excellent scalability and security features. It is a good product, and I encourage others to use it for large-scale applications if they wish to implement it. I have rated this product 9 out of 10.