Project Pilot (first 2 months)
Schedule a Policy Workshop
The Sonatype Lifecycle Policy Workshop introduces the core concepts.
A one-day workshop on defining the rules for component management.
Learn best practices for continuous component governance.
Schedule a policy workshop early as a mandatory part of your deployment.
Decide which governance policies are essential to the organization
Policy Owners will need to formalize policies before adding all of your applications.
Use a few sample applications for testing.
Start with a fresh installation when deploying to production to clean up testing noise.
Changing policies after onboarding applications will create noise and confusion.
Scope the applications to be onboarded and decide on your user-access model
Review the application onboarding guide for details.
Integrate Lifecycle scans into your application build process
Sonatype Lifecycle automates governance decisions during your software development.
Scanning outside of the build will greatly limit the value of your subscription.
High precision comes from analysis during the application build, when the build tools determine the components going into the application.
Name-based matching alone does not achieve precise results.
Here are some answers to common concerns around scanning during the build.
Concerns | Solutions
---|---
We cannot have long scans slowing down the build |
Another team manages the build |
We use a standardized build pipeline |
What if the server is not available? |
We cannot break builds |
Baseline your open source risk before sending out notifications and prioritizing remediation efforts
Perform a baseline before interrupting development with notifications and broken builds.
Sonatype Firewall can scan dependencies found in your proxy repositories.
Easy SCM onboarding can import applications from source control.
Grandfather legacy applications to prioritize new risks.