
Lifecycle Foundation

A Lifecycle Foundation license provides a subset of the Lifecycle functionality designed to support a focus on identifying and reporting security risks. Upgrade to a full Lifecycle license when ready for policy enforcement in the DevOps pipeline.

  • Create customized policies for security, license, and quality standards.

  • Integrate with existing CI/CD tools.

  • Automatically create an application composition report, or a software bill of materials, to visualize risk and policy violations.

  • Leverage the Sonatype Intelligence engine to provide remediation guidance including the use of waivers and license overrides.

Lifecycle Foundation does not let you:

  • Integrate policy information and remediation guidance in a developer’s IDE.

  • Include support for automatic enforcement of policy, such as failing a build, sending alerts, or automatically creating Jira tickets.

  • Provide continuous monitoring of applications that are in production, to identify new risks in existing preapproved components.

  • Establish legacy violations to baseline any existing violations when onboarding new applications.

  • Run in High Availability deployments.

  • Connect to Nexus Repository or Sonatype Repository Firewall.

Use Lifecycle Foundation to be More Secure

The goal of Lifecycle Foundation is to provide open-source risk analysis by leveraging superior Sonatype intelligence. Knowing what’s in your applications empowers you to make them more secure.

Lifecycle Foundation provides access to the Lifecycle policy engine. Policy is used to identify the risk associated with the open-source components in your applications.

With Lifecycle Foundation, you can use the provided reference policies, and/or create your own organizational policies. You will not have access to policy actions, use of legacy violations, or automatic notifications through email or JIRA.

Bill of Materials

Lifecycle Foundation can produce a bill of materials (BOM) via the Application Composition Report. This report serves as a point-in-time output of risk associated with components in a specific application.

The Lifecycle Dashboard searches for violations found within a specific stage or policy type. Use filters to focus on specific risks and prioritize your remediation.

Remediating risk starts with improving your process of open-source selection. Remediation guidance is found in the Component Information Panel, which displays remediation suggestions backed by Sonatype’s enriched data.

Licensing and Features

The following table outlines the features, and limitations, of a Sonatype Lifecycle Foundation license: