
Sonatype + GitLab
Accelerating DevOps Together

The GitLab experience enhanced by best-in-class vulnerability insights from Sonatype. 

New Enhanced Security for GitLab Ultimate

The integration between Sonatype Lifecycle and GitLab Ultimate just got better with new security workflows that deliver Sonatype vulnerability insights directly into GitLab reporting. 

  • Access Sonatype Lifecycle scan results without leaving GitLab.
  • Address policy violations directly in the GitLab environment. 
  • Remediate issues in your software with vulnerabilities flagged within your GitLab Dependency List. 

The GitLab experience + industry-leading software supply chain security

Malware Firewall

Defend your DevOps infrastructure with the world's only enterprise class malicious OSS protection

Repository

Manage artifacts and proxy OSS components as the nexus of your GitLab

License Obligations

Scan and understand the components in your GitLab repos for Legal and IP leakage risk

Source Control

Seamlessly onboard Source Control repositories with deep GitLab integration

Build

Scans integrated with builds orchestrated and executed by GitLab

Developers

Merge Request automation to accelerate dependency management

Operate

Integrated into your DevOps and Release processes to ensure released software is secure via automation including GitLab Pipelines

Code with confidence when you have Sonatype data

704,102

malicious components identified to date

0.01%

false positive rate, saving developers time

56 Million

vulnerabilities in our proprietary open source intelligence

The only enterprise-class software supply chain security that integrates into the GitLab workflow


Proactive OSS malware and vulnerability protection

  • Intercept known and zero-day threats from infiltrating your software supply chain.
  • Continuously scan your code base for security vulnerabilities.
  • Shift left by addressing security issues during the earliest stages of development.

Software security that doesn't slow down development 

  • Use only secure and approved components for comprehensive dependency management.
  • Scale without compromise and control the lifecycle of staged builds directly from your CI/CD server.
  • Drive developer productivity while reducing build failures and security risks. 

Why Sonatype + GitLab are better together

When used together, Sonatype and GitLab accelerate DevSecOps and enhance security to foster a culture of continuous innovation. Sonatype makes GitLab work better by using the industry's best data source to identify and fix more vulnerabilities. 


DEVELOPER EFFICIENCY

Accelerate development with upgrade recommendations that are smarter than 'latest version.'


COMPREHENSIVE REPORTING

Get a holistic view of risk across all your projects with Sonatype Platform reporting capabilities.

SECURITY INSIGHTS

Gain robust security insights within your GitLab workflows to manage vulnerabilities more effectively. 

Enhance your GitLab security with Sonatype to accelerate DevOps

| Features | GitLab + Sonatype | GitLab |
| --- | --- | --- |
| Malicious OSS Protection | The only enterprise malicious OSS protection | No protection |
| OSS Security Data | World's deepest, broadest and most accurate OSS data set | Vulnerabilities from public sources |
| Central Policy Engine | Policy engine with robust rules set alongside application and stage context to determine notification and enforcement | Project based |
| Source Control | Enterprise class source control based on git | Enterprise class source control based on git |
| Legal License Risk Reduction and Compliance | Open source component legal review in less than 10 minutes | License approval policies |
| Binary Artifact Repository | Strong repository offering with light integration at the Repo level | Basic offering with limited support, per project based |
| Source Control / Repository Metadata Integration | Source control metadata storage (SBOMs can be stored in Sonatype Nexus Repository) | Basic offering with limited support |
| Single Sign On Integration | Supported in Sonatype Lifecycle and Sonatype Cloud offerings | All GitLab capabilities are behind one login |
| OSS Reporting and Management | Real-time visibility to OSS usage throughout your application landscape and enterprise reporting | Project based searching and listing |
| IDE Plugins | Full and robust IDE integration and plugins | Limited OSS management capabilities |
| DevOps Pipelines Automation | Fully supported GitLab CI with Sonatype Plugin | All GitLab capabilities are behind one login |
| Dependency Management Automation | Smart suggestions with Merge Request automation based on world's best data system. Dependency Management Automation (coming H2 2024) | Renovate-GitLab-Bot, requires complex configurations, opening new MRs for every security violation |


Frequently Asked Questions

Why is GitLab security not enough?

Good enough is not enough. Sonatype augments GitLab with best-in-class vulnerability data and security findings. By using both solutions, developers can save time spent fixing security issues.

How can GitLab and Sonatype users maximize the investments they have already made in DevOps tools?

Users can maximize the investments they have already made by leveraging best-of-breed technologies for application security and repository managers. The GitLab and Sonatype integration allows users to embed security into the DevOps tools they are already using.  This helps them shift security left in the SDLC, creates better developer experiences, and increases release velocity.

How easy is it to integrate Sonatype and GitLab?

Sonatype can be easily integrated with GitLab by following the prescribed documentation guidelines.

We leverage the application permissions as configured in GitLab for access control. The integration of these tools enhances the overall development experience by combining:

  • Repository/Artifactory
  • Security
  • Collaboration
  • Version control

Do you have to replace GitLab to work with Sonatype?

No, Sonatype complements the developer experience with GitLab. The Sonatype GitLab integration allows you to automatically create trustworthy pull requests for accelerating dependency management. Developers can remediate with recommendation context about policy violations in pull requests. This is backed up by Sonatype's prioritization engine, giving developers confidence that they are being recommended the best version available and removing friction in their GitLab pipeline.

Why do you need a reliable security partner like Sonatype along with your DevOps tool?

The question to ask is how much time you spend fixing false positives or false negatives. The more you automate, the more you also have to automate security. You need a reliable partner to do that, or development speed is impeded and can cause things like delayed release dates, etc.

How can customers enhance their ROI with the Sonatype and GitLab combination?

The Sonatype-GitLab integrated experience is not just about innovation; it's about maximizing your ROI by investing in security and efficiency. The integration reduces security risks, streamlines workflows, and ensures compliance.

How does Sonatype improve collaboration between Development and Security?

Sonatype brings together automation, development, security, and release processes to reduce the risk of security vulnerabilities and time spent developing software.

How do Sonatype and GitLab, when used together, provide a DevSecOps Accelerator?

Sonatype and GitLab, when used together, provide a DevSecOps Accelerator enabling your organization to elevate its development practices, enhance security, and foster a culture of continuous innovation. Sonatype makes GitLab work better by using the industry’s best data source to identify and fix 8x more vulnerabilities than they do, 10x faster than they do.

Resources

Sonatype GitLab integration

Documentation on integration and configuration

Sonatype Community

Details on GitLab Ultimate integration