Application & Policy Configuration Checklist

A common strategy is to baseline the total open source risk for all your applications. Before scanning everything, configure policies that align with your organization's requirements. The default Sonatype Reference Policy set is designed to meet most organizations' needs for Application Security, OSS Legal, and Application Architecture governance.

This section explains how to modify the Sonatype Reference Policy set to meet your organization's current risk standards. Different applications and teams will very likely have different tolerances for risk. You'll likely need input from legal, development, and application security teams throughout this process.


  • Plan your application categories and organization structure.

  • Understand how Sonatype Lifecycle policies work.

  • Create your organizations.

  • Adjust policies to fit your risk tolerance.

  • Configure proprietary components.

  • Set up policy labels.

  • Test your configuration by scanning an application in the sandbox organization.

Action Items

  1. Onboarding Applications

  2. Define Application Categories - scoping policies to the correct applications.

  3. Adjust Policies

    • Understanding the parts of a policy

    • Defining risk tolerance

    • Configuring policies

      • Manage Legacy Violation Risk

    • Configure Continuous Monitoring of Applications for violations once released

  4. Set up proprietary components (the list below offers multiple strategies for managing internal components)

  5. Ensure that your license threat groups are appropriate

  6. Enhance your policies using component labels

  7. Run a test scan in the sandbox organization/application

Questions to answer when onboarding applications:

  • If Yes, is your application a hosted web service or a distributed application?

  • If No, is this application for internal use only?

  • What is the primary language (or languages) of your application?

  • What types of binaries do you build?

  • What vendor libraries are included?

  • How does your project pull in dependencies currently?

  • Have you modified the open-source components?

  • Will this project be open-sourced back to the community?

  • How many developers contribute to your project?

  • How do you build your application outside of the IDE?

  • Does your company have an internal identification number for each application?

  • What is the primary function of this application?

  • Does your application provide a customer-facing business function?