Nexus Lifecycle delivers open API for best-in-class policy control for all container layers
Fulton, MD – Monday, Nov. 25 2019 - Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today announced an open API that makes it easy for third-party container scanners to integrate with Nexus Lifecycle and equip engineering teams with a holistic solution to automatically and accurately control risk related to containers traversing the modern software development lifecycle (SDLC).
In addition to the new container scanning API, Sonatype also introduced today an out-of-the-box integration between Nexus Lifecycle and Red Hat Clair, which when used with Red Hat Quay offers a powerful security assessment option for containers.
With these enhancements, Sonatype is streamlining open source governance and developer security into a single value stream that stretches across the entire SDLC - while giving engineering teams the freedom and flexibility to use any container scanning solution of their choice.
According to Sonatype’s 2019 State of the Software Supply Chain Report, there are more than 2.2 million containerized applications housed in Docker Hub— up from 900,000 the previous year. This aligns with the 2019 Container Adoption Survey, developed by Portworx and Aqua Security, which found that 87% of respondents are running container technologies, and 90% of those using containers, are doing so in production. But, just as with any rapidly growing technology, there are risks. In fact, a recent study by Kenna Security found that 20% of all Docker containers have at least one critical vulnerability and the average container has 176 CVEs.
“There is no denying the rise of container use in the DevOps pipeline and being able to continuously scan and monitor them for security vulnerabilities and licencing risk is vital. Running an untrusted container can lead to numerous attacks,” said Brian Fox, CTO and Co-founder of Sonatype. “We believe in building and working with best-in-breed solutions. By developing an integration with Clair and an API for other container scanning tools, we’re giving our customers the power to choose the capabilities that work best for them, while providing a single platform to easily validate containers and applications across the entire SDLC and innovate faster at scale.”
Additional Resources:
- Watch this demo to learn how the integration with Red Hat Clair works
- Read more about how Sonatype is automating container security on our Blog
- See how Sonatype integrates with Red Hat Quay, for continuous container security
About Sonatype
Sonatype is the leader in software supply chain automation technology with more than 300 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit Sonatype.com, or connect with us on Facebook, X, or LinkedIn.