Listing Thumbnail

    Sonatype Lifecycle

     Info
    Sold by: Sonatype 
    Deployed on AWS
    Designed to continuously monitor for problems at every stage of the software development lifecycle.
    4.2

    Overview

    Play video

    Control open source risk across your SDLC

    Traditional SCA tools only highlight problems; Sonatype Lifecycle delivers solutions. With more than 90% of companies using open source software (OSS), protecting your software supply chain is critical to mitigating security, legal, and quality risks to your business. Make safer open source choices across the software development life cycle (SDLC), and innovate fearlessly with less risk.

    SDLC Manager for Better Vulnerability Monitoring

    Ensure you're always ahead of vulnerabilities and compliance issues. Be ready for the next software supply chain attack with custom policies, continuous monitoring, and remediation guidance - all in one tool.

    Minimize Risk, Accelerate Builds

    Getting developers to embrace security and SCA tools can be challenging but Sonatype's automated dependency management makes it easy. Lifecycle allows teams to shift-left, takes the guesswork out of decision-making with automated fixes and waivers, and accelerates time to value with a platform that balances the dual demands of security and productivity. With Sonatype Lifecycle you can:

    • Continuously monitor and receive alerts for security, legal, and quality risks at every stage of the SDLC.
    • Reduce manual compliance checks by enforcing customizable policies.
    • Generate accurate SBOMs (Software Bill of Materials).
    • Discover open source in container images, with continuous monitoring and policy-driven enforcement.
    • Govern AI/ML models with AI SCA, providing visibility and control over usage including model-level license support.
    • Automatically remediate violations that are guaranteed not to break builds or reduce app quality.
    • Leverage our reachability analysis engine to prioritize remediation across your organization.
    • Improve fix rates with remediation guidance to quickly resolve any violations.
    • Automatically waive security violations that have no path forward.

    As the industry-leading software supply chain management platform and a Leader in The Forrester Wave™: Software Composition Analysis Software, Q4 2024, the Sonatype Platform is the choice of organizations currently using or evaluating solutions such as Mend, JFrog, Snyk, or GitLab. Sonatype provides a comprehensive and integrated solution for all aspects of the software development lifecycle, from secure development to release automation, helping organizations reduce risk and accelerate their time to market.

    Highlights

    • Companies have experienced 6X faster release velocity and 80% reduction in remediation time using Sonatype. Reducing even 25% in false positives over the course of year provides 2x time savings for developers. Sonatype Lifecycle delivered 95% reduction in time spent remediating newly discovered vulnerabilities.
    • More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers rely on Sonatype.
    • Sonatype is a DevOps Competency, Qualified Software, and Select Partner.

    Details

    Sold by

    Delivery method

    Deployed on AWS
    New

    Introducing multi-product solutions

    You can now purchase comprehensive solutions tailored to use cases and industries.

    Multi-product solutions

    Features and programs

    Trust Center

    Trust Center
    Access real-time vendor security and compliance information through their Trust Center powered by Drata or Vanta. Review certifications and security standards before purchase.

    Buyer guide

    Gain valuable insights from real users who purchased this product, powered by PeerSpot.
    Buyer guide

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    Sonatype Lifecycle

     Info
    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.

    12-month contract (1)

     Info
    Dimension
    Description
    Cost/12 months
    Sonatype Lifecycle
    For One User
    $931.00

    Vendor refund policy

    We do not offer refunds.

    Custom pricing options

    Request a private offer to receive a custom quote.

    How can we make this page better?

    Tell us how we can improve this page, or report an issue with this product.
    Tell us how we can improve this page, or report an issue with this product.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Resources

    Vendor resources

    Support

    Vendor support

    Sonatype offers support Contact: https://support.sonatype.com  Resources:

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

     Info
    Updated weekly

    Accolades

     Info
    Top
    25
    In Software Development
    Top
    10
    In Continuous Integration and Continuous Delivery, Application Development, Security
    Top
    10
    In Agile Lifecycle Management, Source Control

    Customer reviews

     Info
    Sentiment is AI generated from actual customer reviews on AWS and G2
    Reviews
    Functionality
    Ease of use
    Customer service
    Cost effectiveness
    5 reviews
    Insufficient data
    Insufficient data
    Insufficient data
    0 reviews
    Insufficient data
    Insufficient data
    Insufficient data
    Insufficient data
    Positive reviews
    Mixed reviews
    Negative reviews

    Overview

     Info
    AI generated from product descriptions
    Continuous Vulnerability Monitoring
    Continuously monitors and alerts for security, legal, and quality risks at every stage of the software development lifecycle with custom policy enforcement.
    Automated Dependency Management
    Automatically remediates violations with guaranteed non-breaking fixes and provides automated waiver generation for violations without viable remediation paths.
    Reachability Analysis Engine
    Leverages reachability analysis to prioritize remediation efforts across the organization and identify vulnerabilities with actual exploitable code paths.
    Software Bill of Materials Generation
    Generates accurate Software Bill of Materials (SBOMs) and discovers open source components in container images with continuous monitoring and policy-driven enforcement.
    AI/ML Model Governance
    Provides visibility and control over AI and machine learning model usage through AI SCA with model-level license support and governance capabilities.
    Artifact Repository Management
    Universal artifact management supporting 50+ natively supported package and file types, including ML models and generic repositories.
    Software Composition Analysis
    Modern, holistic software composition analysis with contextual vulnerability analysis and prioritization across the software development lifecycle.
    Supply Chain Security Governance
    Application risk governance with evidence-based policy enforcement, anti-tampering mechanisms, and signed provenance across the entire software development lifecycle.
    Secure Artifact Distribution
    Fast, secure distribution of verified, multi-repository release bundles with geo-distributed synchronization capabilities to multiple deployment targets.
    Multi-Format Artifact Support
    Supports multiple artifact formats including Docker, Java, Go, PHP, and Python
    Private Repository Hosting
    Provides private hosted repositories for centralized artifact storage and management
    Role-Based Access Control
    Implements role-based access controls for managing user permissions and security
    CI/CD Integration
    Enables automation and CI/CD processes to publish and retrieve versioned applications and dependencies
    Centralized Dependency Management
    Offers a single central location for managing and tracking all software artifacts and their dependencies

    Contract

     Info
    Standard contract
    No
    No

    Customer reviews

    Ratings and reviews

     Info
    4.2
    18 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    50%
    44%
    6%
    0%
    0%
    1 AWS reviews
    |
    17 external reviews
    External reviews are from G2  and PeerSpot .
    Amal Alshehri

    Automation has strengthened devsecops and has enabled faster secure releases

    Reviewed on Jul 06, 2026
    Review provided by PeerSpot

    What is our primary use case?

    Sonatype Lifecycle  is basically a central use case for scanning applications in the CI/CD for vulnerabilities or non-compliant open-source dependencies and enforces policy across the dev lifecycle. It is reactive, continuous monitoring of what's already in your application. This is the benefit of it.

    What is most valuable?

    The benefits or features that I appreciate about Sonatype Lifecycle  are that it is reactive and it supports CI/CD. There is early detection, so it will flag the vulnerabilities in the open-source dependencies straight away. Also, if you have the policies, it will automate the enforcement for you. If you have severity thresholds or you define something, it enforces them automatically in the CI/CD builds.

    There is also the remediation guidance. It will give you the best version to upgrade to. It will not just flag that there is a CVE, but it will also give you recommendations on what version you need to fix to. Continuous monitoring is another benefit.

    The reporting, audit and reporting is also valuable. In the dashboard, you will see the application risks reports, and security teams will look at and see what's happening with certain applications. In a nutshell, it enables faster releases and lower security exposure.

    If we add Sonatype Lifecycle for Azure , it works for pipelines, and it allows you to run pipelines in the environment. You will have CI/CD, continuous integration, continuous development. People will have faster results. Instead of having DevOps, we have DevSecOps  because of this. It improves security and allows teams to have security shift left from the beginning, instead of just leaving it at the end to find out this open-source library is insecure or having to rewrite the code in other ways or reuse a different library.

    Sometimes changing those libraries or open-source requires a rewrite. I remember one time we had a vulnerability of some Java, and the solution was to use another Java. Using that another Java forced the developer to rewrite many components because there was a huge difference. This helps identify issues fast instead of waiting until the end to find out it is vulnerable and having to make changes.

    What needs improvement?

    The areas for improvement in Sonatype Lifecycle could be the UI. There is way to improve it as it has many tabs and nested sections. Sometimes when you look for something, if you are new to this, it might take you a little to get your head around things. This is something I feel they can simplify.

    Also, the policy configuration is powerful, but at the same time, there is a steep learning curve. You need to make sure that you configure it correctly. You do not want to configure it in a way that blocks things.

    If they improve the reporting, the UI, and the user experience, it would be beneficial. The design could be improved. If they add certain features and make it simple for the security analyst and to the user as well, it would help. Sometimes you have to look for many things to find a button that does something specific. They can do a good job fixing this.

    Also, in the waiver management, it currently does not send notification. If some developer raises a waiver or adds a waiver to some component, we will not be notified. I have to go to the system to find out. This can be improved.

    For how long have I used the solution?

    I do not have specific information about how many years I have been aware of Sonatype Lifecycle. Probably since I am aware, maybe four or five years. I could be wrong, but this is as far as I remember.

    What do I think about the stability of the solution?

    It is very, very stable. I hardly had any issue with it going down or something.

    What do I think about the scalability of the solution?

    I think it is scalable, but being costly will make you revise what you want to do. If you have an expensive tool, you want it to work the bare minimum to cover the environment. It covers all our environment. I do not see any problem with the scalability.

    How are customer service and support?

    I would give the same support rating for Sonatype Lifecycle as previous products. They are the same people.

    Which solution did I use previously and why did I switch?

    I have not used or compared Sonatype Lifecycle to any similar products. Maybe there were tools in the past, but I was not here. This is the only thing I know.

    How was the initial setup?

    We did not run the installers ourselves for the installation and deployment process of Sonatype Lifecycle. We are two teams and we have another team who do the administration, the installation, and the patching. We are more from the security side. We are the policy administrators. Another team handles the installation and setup. I am not aware of any problems. We have the support from the vendor themselves, and sometimes if they need help, they get the help.

    What about the implementation team?

    Some developers did integrate Sonatype Lifecycle with CI/CD tools, but I am not aware of the details. I know they tried something. We use Azure DevOps  mainly.

    What was our ROI?

    I really do not know how to quantify time or money savings from using Sonatype Lifecycle. For me to answer this, I need to be aware of everything. There are some savings, but I do not know how much. I cannot state it.

    What's my experience with pricing, setup cost, and licensing?

    It is expensive. It is one of the pricier SCA  tools in the market. You license their developer application, and it can be expensive at scale. If you want to scale, you just need to pay more. For us, we have the IQ Server and we have the firewall, which is already another separate license. So to have all together, it is an expensive environment to run, honestly speaking. If they can do something about that, it would be beneficial.

    What other advice do I have?

    Automation of policy enforcement impacts my development process. You can build it in a way that stops the CI/CD itself if a library has a vulnerability or certain severity. You can be specific about things that stop the pipeline or if it has vulnerabilities or certain conditions. This helps a lot for creating security policies around applications.

    Component health is very important. We can always see the health of the open-source component. It shows if it is vulnerable or not, what is the severity, is it banned, is it standard, is it not standard. The health is the same as when you say severity of something. Is it okay to be used or not?

    I gave this product a review rating of 8 out of 10. Although Sonatype Lifecycle is one of the most expensive solutions at a rating of 10 for cost, it is worth the investment in certain areas. The time savings is significant because it allows the CI/CD to be more productive. Security adds complexity to development. If you develop alone, that would be different than developing with security in mind. This will ease the part of security because not everyone is aware of all security. Sometimes developers may know how to code, but they do not know how to code securely. This will save them time and provide hints and alarms. It speeds the process of adopting to security and adopting to DevSecOps . It also protects the environment because you sometimes pay for something that is valuable to secure it. In these areas, it is worth the buying, although it is costly.

    SangramGupta

    Integrated DevSecOps has enabled earlier risk detection and reduced remediation effort

    Reviewed on May 19, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I have used Sonatype Lifecycle  for one year, primarily as a part of DevSecOps  and software composition analysis initiatives focused on my application security project, which involves identifying and managing open-source dependencies risks within application environments.

    For Sonatype Lifecycle , I actually use it for two purposes in application security: security composition analysis (SCA ) and Static Application Security Testing (SAST ), with the intention to identify code-level vulnerabilities when developers write any code, allowing me to scan the code, prioritize vulnerabilities, and fix those areas to reduce overall application risks.

    Before using Sonatype Lifecycle, I used to get vulnerabilities in the deployment phase, also known as Dynamic Application Security Testing (DAST) , but after implementing Sonatype Lifecycle, it adds an additional security layer by allowing me to conduct SAST  and SCA  scans early in the coding phase, enabling me to prioritize and remediate vulnerabilities as soon as possible, which reduces time and effort.

    What is most valuable?

    In my opinion, the strongest feature of Sonatype Lifecycle is its ability to provide continuous visibility and governance over open-source dependencies throughout the software development lifecycle, with the most standout aspect being its effective integration of security directly into DevSecOps  workflows instead of treating security as a separate, post-development activity.

    The policy-based governance and vulnerable component rejection capabilities are tremendously valuable for my team because they shifted security enforcement earlier in the lifecycle. For example, I configured policies to flag or block builds with open-source components with critical vulnerabilities, and that was impactful when Sonatype Lifecycle detected a high-severity vulnerability during a build process.

    Overall, Sonatype Lifecycle has a very positive impact on the organization, particularly in improving software supply chain security and DevSecOps practices, with measurable improvements including earlier detection of vulnerabilities and faster remediation cycles.

    I have definitely observed measurable operational improvements after integrating Sonatype Lifecycle into my workflows, highlighted by a noticeable reduction in vulnerable open-source components progressing to production stages, allowing me to remediate them before deployment.

    What needs improvement?

    While Sonatype Lifecycle provides strong value for software composition analysis and software supply chain security, one area for improvement is alert prioritization and noise reduction, especially in larger development environments.

    The primary area for improvement I mentioned is alert prioritization and noise reduction, in addition to improving dashboard and reporting customization.

    For how long have I used the solution?

    I have used Sonatype Lifecycle for one year.

    What do I think about the stability of the solution?

    Sonatype Lifecycle is pretty stable and works fine.

    What do I think about the scalability of the solution?

    In my experience, Sonatype Lifecycle scales well for enterprise DevSecOps and software supply chain security use cases, particularly in environments with multiple development teams and a large number of applications and dependencies.

    How are customer service and support?

    The customer support for Sonatype Lifecycle is very helpful, and they are technically sound, providing positive feedback.

    Which solution did I use previously and why did I switch?

    Before Sonatype Lifecycle, I used a DAST solution called Qualys for application security, and this is my first tool for SAST and SCA scans.

    What was our ROI?

    From my point of view, once I introduce Sonatype Lifecycle with the DevSecOps pipeline, it offers automated vulnerability scanning, prioritization, and allows me to focus on risk assessment and remediation, saving me about 40% in time and effort.

    What other advice do I have?

    If you are working in a DevSecOps or application security project and want to prioritize vulnerabilities early, implementing Sonatype Lifecycle in your project will be helpful in addressing risks before they escalate. I provided this review with a rating of 8.

    @RahulVerma

    Compliance used to slow us down. Sonatype Lifecycle turned it into an automated, streamlined step that accelerates delivery instead of blocking it.

    Reviewed on Dec 07, 2025
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Sonatype Lifecycle  is open-source scanning for SCA . We pair it with Fortify (our SAST /DAST platform), and together they give us a more complete security picture within the CI/CD pipeline.

    A recent example: we integrated Sonatype Lifecycle  with its Nexus SCA  Manager into our Jenkins  workflow. Our code already went through SAST /DAST, but some smaller open-source packages and sub-libraries were not primary focus —especially those with licensing or legal considerations. Lifecycle fills that gap by checking every component for vulnerabilities, version risks, and license obligations, so we’re confident the entire codebase is covered.

    We also use Lifecycle’s JSON mapping to share vulnerability and application data across Jenkins , Fortify, and other tools. What used to be a bit scattered is now clean, automated, and easy to maintain. This brings better visibility on all components across applications and versions.

    How has it helped my organization?

    sonatype lifecycle has helps us get clearer visibility into open-source risk, improve compliance, and catch issues earlier in the development process. By automating checks in our CI/CD pipeline, it has reduced manual effort needed by teams to deliver secure, reliable software with more confidence.

    What is most valuable?

    One of the best things about Sonatype Lifecycle, in my experience, is how easy it is to set up and start using. You don’t need to be a core developer to get started with it. Anyone with basic technical knowledge can create an application, assign it to an org, connect the code, and within just a few clicks generate a CycloneDX(SBOM report) or a PDF. Even integrating it with Jenkins was straightforward, and with clear and simple instruction, we had everything up and running in just a couple of days.

    Sonatype Lifecycle has also made a clear positive impact on our organization. It helps us stay streamlined with  open-source risks (security, license, quality). Customer in the financial, manufactoring, government and technology sectors appreciate and do value. The tool is easy to integrate, well-documented, and lightweight, which made adoption simple and required minimal resource overhead. Overall, it strengthened our software supply chain and gave management confidence in our open-source security process.

    What needs improvement?

    Sonatype Lifecycle already does a nice job, but as you use it, you can’t help but notice a few spots where it could feel even smoother. Imagine opening it and immediately seeing a clearer, friendlier dashboard that tells you exactly what deserves your attention without digging around. As you move through your workflow, it would be great if the tool connected more naturally with what you’re already using, so everything just flows. And when an issue pops up, instead of leaving you guessing, it could guide you through what to do next in a way that feels simple and supportive. 

    Even having a bit more visibility into anything happening behind the scenes would make the experience feel more complete. It’s already strong, but with touches like these, it could feel even more helpful and intuitive in everyday use.

    For how long have I used the solution?

    I've been using Sonatype Lifecycle for a little over two years.

    What do I think about the stability of the solution?

    Solution is fairly stable in terms of core functionality, and with minimal technical issues. Aside for minor resolves all goes well.

    What do I think about the scalability of the solution?

    Sonatype Lifecycle scales really well. Whether you are using it on-prem or the SaaS version, it is pretty easy to add more resources and handle bigger workloads as you grow. It adjusts smoothly without much hassle, so you don’t really feel limited as your team or projects get larger.

    How are customer service and support?

    Customer support has been quite responsive, usually getting back to us within a couple of hours. Teams are flexible to connect on criticality of issue and the assistance needed.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We previously tried using an open-source scanner from Fortify, but eventually shifted to Sonatype Lifecycle because it offered a more complete and dependable approach for our SCA needs. There are other options in the market like Snyk  and JFrog, but Lifecycle aligned better with what we were looking for in terms of accuracy, ease of use, and overall coverage.

    How was the initial setup?

    The initial setup was straightforward overall, and with the technical know-how and a clear understanding of the environment, the whole process moves smoothly and rather quickly.

    What about the implementation team?

    We have specialized consultants who are fully trained on Sonatype products and available for consultation, architecture design, and integration or deployment support. They take the time to understand each customer’s environment, which allows them to deliver solutions that truly fit the need rather than just dropping in technology.

    What was our ROI?

    Customer have seen a clear return on investment with Sonatype Lifecycle. Compliance scores improved, vulnerabilities dropped, and the overall workload became much lighter because we now get clear visibility into everything being built. Need for fewer people to manage the process, developers get quicker feedback, and testing team has far less manual work. Cost of running infra for the same needs went down since we’re able to run things efficiently on a single VM. All of this has saved us both time and effort in a noticeable way.

    What's my experience with pricing, setup cost, and licensing?

    From my experience, the licensing side is pretty straightforward to handle. Most of the cost and pricing considerations really come down to how the solution is deployed. Since we work with partners and other OEMs who help run Sonatype Lifecycle through their services, the final pricing details are usually best explained by the sales teams who manage pricing and licensing more directly.

    Which other solutions did I evaluate?

    I was not the deciding person on evaluating options before selecting Sonatype Lifecycle; however, the ease of adoption with sonatype to connect with existing SAST and DAST solutions was a key factor in the decision to choose Sonatype Lifecycle.

    What other advice do I have?

    I would rate Sonatype Lifecycle a 9/10. It’s a great product, and my main advice for anyone considering it is to take the time to understand your organisation needs get most out of this offering. Once you match the features to your goals, it really strengthens and simplifies your security process.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    AbhilashJain

    Consistently manages artifacts with clear UI and effective cleanup

    Reviewed on Apr 24, 2025
    Review provided by PeerSpot

    What is our primary use case?

    Whenever we have builds, we upload our builds or artifacts to Sonatype Container . This is the basic purpose. Sonatype Container  makes cleanup and uploading artifacts easy with its clear UI for management.

    What is most valuable?

    Sonatype Container is a reliable artifact manager. Although I do not have a comparison at the moment, it has consistently been a good choice for our organization. Its management features are effective, and the UI is clear, making it easy to upload and manage artifacts. Additionally, the use of Sonatype Container ensures efficient cleanup and file handling.

    What needs improvement?

    Sonatype Container can accommodate bigger file sizes for artifacts and improve performance, especially when dealing with large files. Moreover, the RBAC controls could be more simplified in a more human-readable language.

    For how long have I used the solution?

    I have been working with Sonatype Container for more than five years.

    What do I think about the stability of the solution?

    I would rate the stability as eight out of ten.

    How are customer service and support?

    Technical support from Sonatype is not much needed. I had a problem once while creating a repository when the artifacts uploaded were not showing up, but this may have been due to configuration details.

    Which solution did I use previously and why did I switch?

    We have been using Sonatype Container for a long stretch of time and have not tried anything else.

    How was the initial setup?

    The setup is simple; however, if we consider RBAC, the roles we assign to users could be simplified. The response from the roles assigned to the artifacts should be more human-readable.

    What's my experience with pricing, setup cost, and licensing?

    Pricing is out of my context as a developer. This is known by the project managers.

    What other advice do I have?

    I would rate the overall solution as eight out of ten.
    Carlos Leão

    Utilize a reliable BRM tool to manage software artifacts efficiently with outstanding vulnerability identification capabilities

    Reviewed on Mar 24, 2025
    Review provided by PeerSpot

    What is our primary use case?

    We use Sonatype Lifecycle  primarily as a binary repository management solution for managing software artifacts. Our company has a large stack of tools for software development, and Sonatype Lifecycle  is part of these tools. We use it solely for managing software artifacts without utilizing the software composition analysis or the vulnerability checking capabilities. We are expanding our clients and services as part of Digital Service of Brazil.

    What is most valuable?

    The most valuable feature for us is Sonatype Lifecycle's capability in identifying vulnerabilities. It has a large portfolio for vulnerability analysis, making it a leader in vulnerability checking. In comparison, the performance of other products, like JFrog's, does not reach the same level in identifying vulnerabilities. Additionally, Sonatype Lifecycle is very stable, especially in managing binary artifacts for over fifteen years with minimal problems, even with more than 700 developers working on a single node.

    What needs improvement?

    Both JFrog and Sonatype should redesign their products to separate the binary repository management solution from the software composition analysis solutions. We prefer to purchase the binary repository management solution independently, but they offer both together, which increases costs. This integration is good but raises the price, being a significant issue for us. We also noticed a lack of detailed information for configuring Sonatype Lifecycle for high availability and data recovery.

    For how long have I used the solution?

    I have used Sonatype Lifecycle for over fifteen years.

    What do I think about the stability of the solution?

    Sonatype Lifecycle is very stable, especially in the binary repository management use case for managing binary artifacts. We have not experienced any significant issues over the fifteen years of use.

    What do I think about the scalability of the solution?

    Both Sonatype and JFrog have solutions for high availability and data recovery, but Sonatype is more complex to configure. JFrog is easier to configure for high availability as it does not require extra components. It handles high availability at the database level, such as synchronizing JFrog repository servers without complicated configurations.

    How are customer service and support?

    We use Sonatype Lifecycle in its open-source software edition, so we do not have experience with their customer service or technical support.

    What's my experience with pricing, setup cost, and licensing?

    According to my calculations, if you are working with up to 200 developers, Sonatype is cheaper than JFrog. However, for larger numbers like our case with 1,000 user licenses, JFrog becomes much more cost-effective, roughly ten times cheaper than Sonatype. Their licensing models are different, impacting the price depending on the number of developers.

    Which other solutions did I evaluate?

    I compared Sonatype Lifecycle with JFrog Artifactory  and Xray.

    What other advice do I have?

    Overall, I would rate Sonatype Lifecycle a nine out of ten.
    View all reviews