
Project Pilot (first 2 months)

Schedule a Policy Workshop

  • The Sonatype Lifecycle Policy Workshop introduces the core concepts.

  • A one-day workshop on defining the rules for component management.

  • Learn best practices for continuous component governance.

  • Schedule a policy workshop early as a mandatory part of your deployment.

Decide which governance policies are essential to the organization

  • Policy Owners will need to formalize policies before adding all of your applications.

  • Use a few sample applications for testing.

  • Start with a fresh installation when deploying to production to clean up testing noise.

  • Changing policies after onboarding applications will create noise and confusion.

Scope the applications to be onboarded and decide on your user-access model

Integrate Lifecycle scans into your application build process

  • Sonatype Lifecycle automates governance decisions during your software development.

  • Scanning outside of the build will greatly limit the value of your subscription.

  • High precision comes from analysis during the application build, when the build tools determine exactly which components go into the application.

  • Name-based matching alone does not achieve precise results.

Here are some answers to common concerns around scanning during the build.

We cannot have long scans slowing down the build

  • 95% of scans take less than 30 seconds

  • 99% take less than 2 minutes

Another team manages the build

  • Native integrations for most build tools

  • The command-line scanner (CLI) can be used anywhere

  • Use environment variables to supply scan templates

We use a standardized build pipeline

  • Scans fully support dynamic pipelines

  • Use Sonatype Container for scanning containers

What if the server is not available?

  • Scans fail open by default to limit the impact of an outage

We cannot break builds

  • Enforcement is configured in IQ

  • Actions are tailored to different levels of agility
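The build-step integration and the fail-open behaviour described above, as an added example that is not part of this Sonatype page or of Sonatype's own documentation. It shows a CI step that runs the CLI scan after the build tool has resolved dependencies and then decides whether the build may proceed. The CLI flag names (-s, -a, -i, -t) and the exit-code convention (0 no policy action, 1 fail action, 2 warn action, 3 scan could not complete) are assumptions about the nexus-iq-cli tool and should be checked against your CLI version; the IQ_* environment variable names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not Sonatype's code. Runs a Lifecycle CLI scan as a build step
# and interprets the result. Exit-code meanings and flag names are assumptions
# about nexus-iq-cli; IQ_* variables are placeholders supplied by the CI system.

# gate_result EXIT_CODE FAIL_OPEN
# Returns 0 when the build may continue, 1 when it must stop.
# A scan that could not complete (e.g. IQ Server unreachable) is let through
# only when FAIL_OPEN is "true", and is logged so the gap can be followed up.
gate_result() {
  rc=$1
  fail_open=$2
  case "$rc" in
    0) echo "policy: no action";                    return 0 ;;
    2) echo "policy: warn action (build continues)"; return 0 ;;
    1) echo "policy: fail action (build blocked)";   return 1 ;;
    3)
      if [ "$fail_open" = "true" ]; then
        echo "scan did not complete; failing open (record this for follow-up)"
        return 0
      fi
      echo "scan did not complete; failing closed"
      return 1 ;;
    *) echo "unexpected scanner exit code: $rc";     return 1 ;;
  esac
}

# run_scan: invoke the CLI against the build output, after the build tool has
# produced the final set of components. Flag names are assumed, see lead-in.
run_scan() {
  java -jar "${IQ_CLI_JAR:-nexus-iq-cli.jar}" \
    -s "${IQ_SERVER_URL:?set IQ_SERVER_URL}" \
    -a "${IQ_AUTH:?set IQ_AUTH as user:token}" \
    -i "${IQ_APP_ID:?set IQ_APP_ID}" \
    -t "${IQ_STAGE:-build}" \
    "${SCAN_TARGET:-target/}"
}

main() {
  if [ ! -f "${IQ_CLI_JAR:-nexus-iq-cli.jar}" ]; then
    echo "IQ CLI jar not found; skipping scan in this environment" >&2
    return 0
  fi
  rc=0
  run_scan || rc=$?
  # Default to fail-open, matching the behaviour the page describes; set
  # IQ_FAIL_OPEN=false for pipelines that must not ship unscanned builds.
  gate_result "$rc" "${IQ_FAIL_OPEN:-true}"
}

main "$@"
```

Keeping the decision in `gate_result` separate from the scanner invocation lets a team start with fail-open while baselining, then flip IQ_FAIL_OPEN to false for release pipelines without touching the scan step itself.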

Baseline your open source risk before sending out notifications and prioritizing remediation efforts

  • Perform a baseline before interrupting development with notifications and broken builds.

  • Sonatype Firewall can scan dependencies found in your proxy repositories.

  • Easy SCM onboarding can import applications from source control.

  • Grandfather legacy applications to prioritize new risks.