Sonatype Cloud
Sonatype Cloud is a fully managed solution with Sonatype responsible for the service provisioning, configuration, and maintenance.
Get value faster by skipping the work of provisioning hardware and the costs of managing the self-hosted services. Leverage your organization's existing cloud infrastructure initiatives by applying your service credits directly to your Sonatype Cloud deployment.
Sonatype Cloud ensures your critical infrastructure follows best practices out of the box. The experts who build our products have finely tuned the service so you don't have to.
Receive new features and content as soon as they are available: they are deployed to Sonatype Cloud first, often months before the self-hosted options.
Functionality
Sonatype Cloud delivers the same functionality as self-hosted deployments while removing the operational overhead that is not required. Contact the Sonatype sales team for the right deployment option to meet your organizational needs.
Maintenance and upgrades are managed by Sonatype; default configuration (including default credentials) may differ from self-hosted deployments.
Access to logging, file storage, and service configuration is handled through the support ticketing process. Managing the database, upgrading the service, and backing up the system are handled by Sonatype. Server configuration, tasks, and capabilities that interact with this functionality are not exposed through the service.
Connections to Sonatype Cloud are made over the public internet. Your IdP and notification tools such as webhooks need to be reachable from the public internet. Anonymous access to the service is not allowed.
Custom integrations are not supported by Sonatype or our support team. Deprecated formats such as Bower and NuGet V2 are not available.
Sonatype Cloud Products
The Sonatype Cloud lineup includes the following managed services:
Lifecycle Cloud
Sonatype Lifecycle Cloud is a full-featured Software Composition Analysis (SCA) platform, hosted in the cloud, with a dedicated instance of the Sonatype IQ service and developer integrations for your organization. Lifecycle Cloud is built for the speed and scale of modern software development.
Intelligent, Contextual Risk Prioritization
Provides continuous access to Sonatype's proprietary intelligence data, which goes beyond basic CVSS scores. It uses advanced features such as Reachability Analysis and Golden Pull Requests to prioritize only exploitable or high-impact vulnerabilities and offers automated, non-breaking remediation guidance, dramatically reducing noise and developer friction.
Seamless Integration and Shift-Left Security
The cloud deployment simplifies integration into modern DevSecOps pipelines and cloud platforms. It provides deep developer-first integrations (e.g., in IDEs and Source Control) to "shift left" by finding and fixing security, license, and quality issues at the earliest stages of the SDLC, reducing costly rework.
Built-in, Modern Security and Compliance
Security is baked into every layer of the cloud platform (SOC 2 and ISO 27001 certified), offering enterprise-grade security and ensuring continuous compliance with customizable, policy-driven enforcement across the entire software supply chain. This includes capabilities for accurate Software Bill of Materials (SBOM) generation and governance for both traditional components and open-source AI/ML models.
Enterprise Speed and Scalability
The platform provides instant scalability to meet the demands of any size development team or volume of applications. It ensures high performance and accelerates development velocity by adapting effortlessly to changing priorities without becoming a bottleneck.
Zero Infrastructure and Maintenance Overhead
As a fully managed SaaS offering, Sonatype Lifecycle Cloud eliminates the need for customers to manage, patch, and upgrade the underlying infrastructure or application software. This significantly reduces IT toil, lowers operational costs, and ensures you're always running the latest, most secure version with zero maintenance downtime.
Nexus Repository Cloud
Nexus Repository Cloud is a fully managed, centralized artifact management solution.
Centralized Governance with Universal Format Support
Provides a single, auditable repository for all artifacts, making it easy to enforce security policies, manage access control (RBAC), and maintain a full audit trail of what is deployed where. Nexus Repository supports numerous package formats and modern assets like AI/ML models.
Scalability and High Availability
Cloud-native architecture automatically scales to meet your organization's demands, ensuring fast artifact availability with minimal downtime. Enable your DevOps teams to focus on development, not maintenance.
Accelerated Development and Performance
Improves build reliability and speed for both internal and external components, reducing network latency and reliance on public repositories.
Built-in Security and Malware Protection
Built-in malware protection alerts you when malware is found in your Nexus Repository. Automatically block risky artifacts using Repository Firewall.
World Class Support and Customer Success
Expert-led migration support for moving from self-hosted community edition deployments or other platforms.
Repository Firewall Cloud
Sonatype Firewall natively integrates with Nexus Repository Cloud to be the first line of defense for your cloud-native pipelines, automatically enforcing security policy at the point of component download.
Proactive Open Source Malware Protection
Uses proprietary AI-driven behavioral analysis and intelligence to automatically detect and block known and zero-day malicious components (packages, containers, and AI models) before they ever enter your Nexus Repository or development environment.
Automated Policy Enforcement
Enforces custom organizational policies (security, licensing, quality) at the point of ingestion, preventing unsafe components from being downloaded by developers or automated builds, which significantly reduces late-stage rework and remediation costs.
Intelligent Quarantine and Release
Suspicious or non-compliant components are automatically moved to a quarantine for review. The system can auto-release components if confirmed safe, minimizing friction for developers and reducing manual security team review cycles.
Defense-in-Depth for Cloud Environments
Seamlessly integrates with network security tools (like Zscaler) and Docker registries to apply malware and policy protection at the network edge and for comprehensive analysis of container images, securing every entry point to your cloud software supply chain.
Zero-Maintenance SaaS Protection
As a cloud-native, fully managed service, it provides continuous, always-on protection without requiring any infrastructure management, patching, or scaling effort from your DevOps or Security teams.
SBOM Manager
Sonatype SBOM Manager Cloud provides a centralized system of record for all your Software Bills of Materials, ensuring comprehensive compliance and risk visibility for both first-party and third-party software at enterprise scale.
Centralized, Scalable SBOM Management
Provides a single, secure cloud platform for the ingestion, validation, and storage of both internally generated and third-party SBOMs (in CycloneDX and SPDX formats), ensuring audit readiness across your entire software portfolio.
Continuous Risk and Vulnerability Monitoring
Automatically monitors all ingested SBOMs (including those for older or shipped software) against Sonatype's threat intelligence for new vulnerabilities, malware, and policy violations, enabling rapid incident response.
Streamlined VEX and License Management
Simplifies compliance by allowing users to easily add Vulnerability Exploitability eXchange (VEX) annotations to clarify vulnerability status, and provides streamlined workflows for open source license obligations.
Regulatory Compliance at Scale
Automates workflows to simplify adherence to major global regulations and mandates (e.g., NIST SSDF, Executive Order 14028, DORA, NIS2), giving procurement and compliance teams the tools to audit and share release-ready SBOMs with customers and regulators.
Comprehensive Component Coverage
Extends visibility beyond application code to include operating system components within containers and open-source AI/ML models, providing a complete and accurate picture of your software's composition.