Getting Started
This page is an overview of the Sonatype Lifecycle journey. Adopting Sonatype Lifecycle has three phases:
Phase 1: Integrating Lifecycle in your software development lifecycle (SDLC)
Phase 2: Setting expectations while prioritizing risk
Phase 3: Empowering developers to remediate violations
Integrating Lifecycle in your SDLC will take coordination and cooperation from your stakeholders to get right.
Expect the process to take a couple of weeks to deploy Lifecycle and start integrating scanning into the build pipeline. When working with a large catalog of applications, this step may take a while to get right. Consider starting with a pilot team and a few priority applications to work through the challenges and communicate workflows before attempting a larger rollout.
During this time, set expectations with the organization well in advance of any changes being implemented and before teams begin receiving notifications about policy violations. Lifecycle is a tool to help your teams manage the open-source risk that already exists in their environments, and it may be shocking to find out how much risk is there.
Set reasonable expectations and provide a clear path forward, with enough time to reasonably address the issues, before blocking builds and banning components.