absolute : absolute
Skip Navigation
Book a Demo
Book a Demo

Sonatype + GitLab
Accelerating DevOps Together

The GitLab experience enhanced by best-in-class vulnerability insights from Sonatype. 

Proactive Malicious Protection

Get Sonatype vulnerability findings within your GitLab reporting for a comprehensive view of risk across projects.

Enhanced Developer Efficiency

Smarter recommendations to accelerate development beyond dependency scanning or Renovate bot.

Proven Binary Artifact Repository

Work where and how you want with world-class security that runs with any binary artifact repository or without one.

New Enhanced Security for GitLab Ultimate

The integration between Sonatype Lifecycle and GitLab Ultimate just got better with new security workflows that deliver Sonatype vulnerability insights directly into GitLab reporting. 

  • Access Sonatype Lifecycle scan results without leaving GitLab.
  • Address policy violations directly in the GitLab environment. 
  • Remediate issues in your software with vulnerabilities flagged within your GitLab Dependency List. 
Learn more

The GitLab experience + industry-leading software supply chain security

Malware Firewall

Defend your DevOps infrastructure with the world's only enterprise class malicious OSS protection
Sonatype Hex logomark

Repository

Manage artifacts and proxy OSS components as the nexus of your GitLab
Sonatype hex logomark

License Obligations

Scan and understand the components in your GitLab repos for Legal and IP leakage risk
Sonatype hex logomark

Source Control

Seamlessly onboard Source Control repositories with deep GitLab integration
Sonatype hex logomark GitLab logomark

Build

Scans integrated with builds orchestrated and executed by GitLab
Sonatype hex logomark GitLab logomark

Developers

Merge Request automation to accelerate dependency management
Sonatype hex logomark GitLab logomark

Operate

Integrated into your DevOps and Release processes to ensure released software is secure via automation including GitLab Pipelines
Sonatype hex logomark

Code with confidence when you have Sonatype data

704,102

malicious components identified to date

0.01%

false positive rate, saving developers time

56 Million

vulnerabilities in our proprietary open source intelligence

The only enterprise-class software supply chain security that integrates into the GitLab workflow

repo-screen-1@2x

Proactive OSS malware and vulnerability protection

  • Intercept known and zero-day threats from infiltrating your software supply chain.
  • Continuously scan your code base for security vulnerabilities.
  • Shift left by addressing security issues during the earliest stages of development.

Software security that doesn't slow down development 

  • Use only secure and approved components for comprehensive dependency management.
  • Scale without compromise and control the lifecycle of staged builds directly from your CI/CD server.
  • Drive developer productivity while reducing build failures and security risks. 
repo-screen-2@2x-trimmed

Why Sonatype + GitLab are better together

When used together, Sonatype and GitLab accelerate DevSecOps and enhance security to foster a culture of continuous innovation. Sonatype makes GitLab work better by using the industry's best data source to identify and fix more vulnerabilities. 

dev-efficiency

DEVELOPER EFFICIENCY

Accelerate development with upgrade recommendations that are smarter than 'latest version.'

increase-roi

COMPREHENSIVE REPORTING

Get a holistic view of risk across all your projects Sonatype Platform reporting capabilities.
ai-assistant

SECURITY INSIGHTS

Gain robust security insights within your GitLab workflows to manage vulnerabilities more effectively. 

Enhance your GitLab security with Sonatype to accelerate DevOps

Features

GitLab + Sonatype

GitLab
Malicious OSS Protection The only enterprise malicious OSS protection No protection
OSS Security Data World's deepest, broadest and most accurate OSS data set Vulnerabilities from public sources
Central Policy Engine Policy engine with robust rules set alongside application and stage context to determine notification and enforcement Project based
Source Control Enterprise class source control based on git Enterprise class source control based on git
Legal License Risk Reduction and Compliance Open source component legal review in less than 10 minutes License approval policies
Binary Artifact Repository Strong repository offering with light integration at the Repo level Basic offering with limited support, per project based
Source Control / Repository Metadata Integration Source control metadata storage (SBOMs can be stored in Sonatype Nexus Repository) Basic offering with limited support
Single Sign On Integration Supported in Sonatype Lifecycle and Sonatype Cloud offerings All GitLab capabilities are behind one login
OSS Reporting and Management Real-time visibility to OSS usage throughout your application landscape and enterprise reporting Project based searching and listing
IDE Plugins Full and robust IDE integration and plugins Limited OSS management capabilities
DevOps Pipelines Automation Fully supported GitLab CI with Sonatype Plugin All GitLab capabilities are behind one login
Dependency Management Automation Smart suggestions with Merge Request automation based on world's best data system. Dependency Management Automation (coming H2 2024) Renovate-GitLab-Bot, requires complex configurations, opening new MRs for every security violation

GitLab + Sonatype

Features
Malicious OSS Protection The only enterprise malicious OSS protection
OSS Security Data World's deepest, broadest and most accurate OSS data set
Central Policy Engine Policy engine with robust rules set alongside application and stage context to determine notification and enforcement
Source Control Enterprise class source control based on git
Legal License Risk Reduction and Compliance Open source component legal review in less than 10 minutes
Binary Artifact Repository Strong repository offering with light integration at the Repo level
Source Control / Repository Metadata Integration Source control metadata storage (SBOMs can be stored in Sonatype Nexus Repository)
Single Sign On Integration Supported in Sonatype Lifecycle and Sonatype Cloud offerings
OSS Reporting and Management Real-time visibility to OSS usage throughout your application landscape and enterprise reporting
IDE Plugins Full and robust IDE integration and plugins
DevOps Pipelines Automation Fully supported GitLab CI with Sonatype Plugin
Dependency Management Automation Smart suggestions with Merge Request automation based on world's best data system. Dependency Management Automation (coming H2 2024)

GitLab

Features
Malicious OSS Protection No protection
OSS Security Data Vulnerabilities from public sources
Central Policy Engine Project based
Source Control Enterprise class source control based on git
Legal License Risk Reduction and Compliance License approval policies
Binary Artifact Repository Basic offering with limited support, per project based
Source Control / Repository Metadata Integration Basic offering with limited support
Single Sign On Integration All GitLab capabilities are behind one login
OSS Reporting and Management Project based searching and listing
IDE Plugins Limited OSS management capabilities
DevOps Pipelines Automation All GitLab capabilities are behind one login
Dependency Management Automation Renovate-GitLab-Bot, requires complex configurations, opening new MRs for every security violation

Frequently Asked Questions

Why is GitLab security not enough?

Good enough is not enough. Sonatype augments GitLab with best-in-class vulnerability data and securing findings. By using both solutions, developers can save time spent fixing security issues. 
How can GitLab and Sonatype users maximize the investments they have already made in DevOps tools? 

Users can maximize the investments they have already made by leveraging best-of-breed technologies for application security and repository managers. The GitLab and Sonatype integration allows users to embed security into the DevOps tools they are already using.  This helps them shift security left in the SDLC, creates better developer experiences, and increases release velocity.

 

How easy is it to integrate Sonatype and GitLab?

Sonatype can be easily integrated with GitLab by following the prescribed documentation guidelines.

We leverage the application permissions as configured in GitLab for access control. The integration of these tools enhances the overall development experience by combining:

  • Repository/Artifactory
  • Security
  • Collaboration
  • Version control
Do you have to replace GitLab to work with Sonatype?

No, Sonatype complements the developer experience with GitLab. The Sonatype GitLab integration allows you to automatically create trustworthy pull requests for accelerating dependency management. Developers can remediate with recommendations context about policy violations in pull requests. This is backed up by Sonatype’s prioritization engine giving developers confidence that they’re being recommended the best version available and removing friction in their GitLab pipeline.
Why do you need a reliable security partner like Sonatype along with your DevOps tool?

The question to ask is how much time you spend fixing false positives or false negatives. The more you automate, the more you also have to automate security. You need a reliable partner to do that, or development speed is impeded and can cause things like delayed release dates, etc.
How can customers enhance their ROI with Sonatype and GitLab combination?

The Sonatype-GitLab integrated experience is not just about innovation; it's about maximizing your ROI by investing in security and efficiency. The integration reduces security risks, streamlines workflows, and ensures compliance. 
How does Sonatype improve collaboration between Development and Security?

Sonatype brings together automation, development, security, and release processes to reduce the risk of security vulnerabilities and time spent developing software.
How Sonatype and GitLab when used together provide a DevSecOps Accelerator?

Sonatype and GitLab, when used together, provide a DevSecOps Accelerator enabling your organization to elevate its development practices, enhance security, and foster a culture of continuous innovation. Sonatype makes GitLab work better by using the industry’s best data source to identify and fix 8x more vulnerabilities than they do, 10x faster than they do.

Resources

Sonatype GitLab integration

Documentation on integration and configuration

Sonatype Community

Details on GitLab Ultimate integration