Skip to main content

Nudges and Anomalies


The visualizations described on this page have been sunsetted in IQ Server/Lifecycle release 170.

Please refer to Integrated Enterprise Reporting for the latest version of Data Insights, available from release 171 onwards.

The Nudges and Anomalies Insight provides metrics about Sonatype Lifecycle platform usage. The goal is to reveal patterns and trends in your overall remediation efforts through a set of simple and informative data cards. You can reference the cards live or download them into an external report.



The Nudges and Anomalies insight supports a number of outcomes.

  • Executive sponsors need easy-to-read information to ensure that the organization is complying with open-source governance policies.

  • Comparing your existing metrics to Sonatype's recommendations allows you to identify areas for improvement and support good habits you already have.

  • Undesirable results can help you affect change in your organization and track efforts to improve.

What these outcomes have in common is that the closer you align to our best practice recommendations, the more value you'll see from the platform.



This data may change or become unavailable without notice.

To see the Log4j Analysis on your IQ Server, you'll need to be a Lifecycle customer.

Click the cogwheel icon in the top right-hand corner of the browser UI, then click Data Insights at the bottom.

You'll be brought to the Data Insights landing page. Click Nudges and Anomalies on the left.

Reading the Cards

The cards are sized identically and follow the following format:

  • Card title

  • Change in metric

  • Alignment to industry best practice

  • Details behind the measurement

As this insight is developed, the goal is to color-code the cards so that

Use the Print/Download button at the top right to save it as a PDF.

Cards in the Deck

Card title


Best Practice

App Management

Change in the number of new applications during the period

A reduction in the number of new applications could indicate a stalled effort with onboarding teams.

Scanning Rate

Scanning frequency of applications per month

Scan applications regularly to have up-to-date risk information. Exemplars scan their apps 20x or more per month.

Scanning Coverage

Percentage of total apps scanned at least once/week

Exemplars scan at least 90% of their onboarded apps at least once per week. Configure Continuous Monitoring for applications that are not built at least once a week.

Risk Ratio

Average number of applications with critical violations

Exemplars have a risk ratio below 10. A high ratio is a sign that technical debt tickets are not in balance with new development. The budget for an increased focus on reducing technical debt.

Fixing Rate

Change in applications with critical violations

New violations are common, but the average risk should decrease during the period when teams are actively remediating. Deferred violations should be waived until they can be addressed to avoid noise in scan reports.

Backlog Rate

Percentage ratio of fixing rate divided by discovery rate

When the backlog rate is below 100%, violations are discovered faster than they are fixed.

Discovery Rate

Average critical violations discovered per app / month

Chose new components without violations when possible. Upgrade to newer versions without critical violations.

Some or all of these cards may not be visible to you. This is expected behavior. Data for cards is generated through a combination of your scans and scanning behavior and Sonatype's own data ingestion process. If you don't see a card or cards, it's likely that your installation has a combination of data (or lack thereof) that does not allow your IQ Server to display this insight. Usually, the best solution is to continue scanning as normal and check the Insight at a later date.