Sonatype Latest Press Releases & News | Sonatype

DepShield App to Democratize Open Source Governance | Sonatype

Written by Brian Fox | August 30, 2018

DepShield empowers GitHub’s 28 million developers to automatically identify open source security vulnerabilities within their GitHub repositories, for free

Fulton, MD – August 14, 2018 -- Sonatype, the leader in automated open source governance, today announced Sonatype DepShield, a new GitHub application that enables developers to experience basic open source governance, free of charge. Powered by Sonatype’s OSS Index, DepShield integrates directly into GitHub repositories and allows developers to easily identify and avoid using open source components with known vulnerabilities.


“The need for more secure coding practices has never been greater,” said Wayne Jackson, CEO of Sonatype.  “Developers live, eat, and breathe in GitHub. While developers find value in GitHub’s native dependency graph, they need, and are demanding, more self-help security.  With DepShield, we’re enabling 28 million developers to add an initial layer of defense, to not only help protect their software projects, but the millions of enterprises, organizations and individuals who will use their code down the road.”

Sonatype DepShield features and benefits include:

  • Continuously monitors projects and auto-creates issues for security vulnerabilities
  • Available for Apache Maven today with JavaScript and Python coming soon
  • Ability to view a list of known security vulnerabilities within GitHub’s Issue Tracker and click on an issue to view vulnerability details including CVE and CVSS
  • Determine vulnerable version ranges on each given vulnerability
  • Available for free, serving both private and public GitHub repositories

Sonatype’s 2018 DevSecOps Community survey revealed just how important open source governance is, with 1 in 3 organizations noting they suspected or verified breaches due to OSS vulnerabilities -- a 55 percent increase since 2017. The need to empower developers is further underscored by the IDC FutureScape: Worldwide Developers & DevOps 2018 Predictions in which analysts note that “development without integrated security compliance will fail. Security-led development will be a priority for 90% of orgs by 2020.” In the wake of the Equifax breach, as more companies prioritize enterprise-wide open source governance, empowering developers with real-time component intelligence is imperative.

Additional Resources:

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source.  Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline.  Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, and Goldman Sachs. Learn more at www.sonatype.com.