Sonatype + GitLab
Accelerating DevOps Together
The GitLab experience enhanced by best-in-class vulnerability insights from Sonatype.
Proactive Malicious Protection
Get Sonatype vulnerability findings within your GitLab reporting for a comprehensive view of risk across projects.
Enhanced Developer Efficiency
Smarter recommendations to accelerate development beyond dependency scanning or Renovate bot.
Proven Binary Artifact Repository
Work where and how you want with world-class security that runs with any binary artifact repository or without one.
New Enhanced Security for GitLab Ultimate
The integration between Sonatype Lifecycle and GitLab Ultimate just got better with new security workflows that deliver Sonatype vulnerability insights directly into GitLab reporting.
- Access Sonatype Lifecycle scan results without leaving GitLab.
- Address policy violations directly in the GitLab environment.
- Remediate issues in your software with vulnerabilities flagged within your GitLab Dependency List.
The GitLab experience + industry-leading software supply chain security
Pipeline diagram labels: Malware Firewall, Repository, License Obligations, Source Control, Build, Developers, Operate.
Code with confidence when you have Sonatype data
Headline figures (captions not captured on the page): 704,102 | 0.01% | 56 Million
The only enterprise-class software supply chain security that integrates into the GitLab workflow
Proactive OSS malware and vulnerability protection
- Intercept known and zero-day threats from infiltrating your software supply chain.
- Continuously scan your code base for security vulnerabilities.
- Shift left by addressing security issues during the earliest stages of development.
Software security that doesn't slow down development
- Use only secure and approved components for comprehensive dependency management.
- Scale without compromise and control the lifecycle of staged builds directly from your CI/CD server.
- Drive developer productivity while reducing build failures and security risks.
Why Sonatype + GitLab are better together
When used together, Sonatype and GitLab accelerate DevSecOps and enhance security to foster a culture of continuous innovation. Sonatype makes GitLab work better by using the industry's best data source to identify and fix more vulnerabilities.
- DEVELOPER EFFICIENCY: Accelerate development with upgrade recommendations that are smarter than 'latest version.'
- COMPREHENSIVE REPORTING
- SECURITY INSIGHTS
Enhance your GitLab security with Sonatype to accelerate DevOps
| Features | GitLab + Sonatype | GitLab |
|---|---|---|
| Malicious OSS Protection | The only enterprise malicious OSS protection | No protection |
| OSS Security Data | World's deepest, broadest and most accurate OSS data set | Vulnerabilities from public sources |
| Central Policy Engine | Policy engine with a robust rule set, alongside application and stage context, to determine notification and enforcement | Project based |
| Source Control | Enterprise-class source control based on git | Enterprise-class source control based on git |
| Legal License Risk Reduction and Compliance | Open source component legal review in less than 10 minutes | License approval policies |
| Binary Artifact Repository | Strong repository offering with light integration at the repository level | Basic offering with limited support, per project |
| Source Control / Repository Metadata Integration | Source control metadata storage (SBOMs can be stored in Sonatype Nexus Repository) | Basic offering with limited support |
| Single Sign On Integration | Supported in Sonatype Lifecycle and Sonatype Cloud offerings | All GitLab capabilities are behind one login |
| OSS Reporting and Management | Real-time visibility into OSS usage throughout your application landscape, plus enterprise reporting | Project-based searching and listing |
| IDE Plugins | Full and robust IDE integration and plugins | Limited OSS management capabilities |
| DevOps Pipelines Automation | Fully supported GitLab CI with Sonatype plugin | All GitLab capabilities are behind one login |
| Dependency Management Automation | Smart suggestions with Merge Request automation based on the world's best data set; Dependency Management Automation coming H2 2024 | Renovate-GitLab-Bot, requires complex configuration and opens a new MR for every security violation |
Frequently Asked Questions
Why is GitLab security not enough?
How can GitLab and Sonatype users maximize the investments they have already made in DevOps tools?
Users can maximize the investments they have already made by leveraging best-of-breed technologies for application security and repository managers. The GitLab and Sonatype integration allows users to embed security into the DevOps tools they are already using. This helps them shift security left in the SDLC, creates better developer experiences, and increases release velocity.
How easy is it to integrate Sonatype and GitLab?
Sonatype can be easily integrated with GitLab by following the prescribed documentation guidelines.
We leverage the application permissions as configured in GitLab for access control. The integration of these tools enhances the overall development experience by combining:
- Repository / artifact repository
- Security
- Collaboration
- Version control