Sonatype helps government agencies build better software, faster. More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline.


  • Nexus Lifecycle

    Continuously remediate open source risk across your SDLC

    • Control: Define open source component policies by organization, team, and application type.
    • Automate: Automatically and contextually enforce policies across your entire DevOps pipeline.
    • Integrate: Continuously visualize component intelligence within your favorite tools (including Nexus and Artifactory).
    • Customize: Pair component intelligence with in-house apps using supported REST APIs.
  • Nexus Firewall

    Stop risky open source components from entering the SDLC

    • Automatically block unwanted Java, JavaScript, .NET, PyPI, RubyGems, and RPM components from entering your software supply chain.
    • Improve application hygiene and protect repositories, including staging and release.
    • Automatically prevent risky components from entering your applications.
  • Nexus Auditor

    Monitor production applications for OSS risk

    • Document the parts inside your software or COTS applications with a detailed bill of materials.
    • Automatically pinpoint open source security vulnerabilities, license risk, and quality concerns.
    • Remediate risk in the blink of an eye and gain first-mover advantage.
    • Send notifications when unwanted components are identified in evaluated applications.
    • Contextually waive policy violations as appropriate.
  • Nexus Repository

    Expert flow control for binaries, build artifacts, and release candidates.

    • Manage components, build artifacts, and release candidates in one central location.
    • Understand component security, license, and quality issues.
    • Modernize software development with intelligent staging and release functionality.
    • Scale DevOps delivery with high availability and active/active clustering.
    • Sleep comfortably with world-class support and training.


GSA Schedule Contracts

GSA Schedule 70

GSA Schedule No. GS-35F-0119Y Term: December 20, 2011 - December 19, 2021

SEWP Contracts


Contract Number: Group A Small: NNG15SC03B; Group D Other Than Small: NNG15SC27B. Term: May 1, 2015 - April 30, 2020

State & Local Contracts

City of Seattle Contract

Contract #0000003265 Term: December 19, 2021


Contract # CMAS 3-12-70-2247E Term: through March 31, 2022

Department of General Services PA - Symantec

Contract # 4400004253 Valid through December 19, 2021

Ohio State Contract - 534354

Contract # 534354 Term: December 19, 2021

Pennsylvania COSTARS-3 IT Hardware Contract

Contract: COSTARS-003-451 Contract Period: Through July 18, 2019

State of Indiana Contract

Contract Number: 0000000000000000000021430 Term: August 1, 2017 – July 31, 2019

State of New Mexico Contract

Contract Number: 80-000-18-00002 Contract Period: August 1, 2017 – August 1, 2021

Texas DIR-TSO-3854

DIR-TSO-3854 Contract Period: May 25, 2017 - May 25, 2021 (with 3 option years) Authorized Users: Any Texas state agency, unit of local government, institution of higher education as defined in Section 2054.003, Texas Government Code, and those state agencies purchasing from a DIR contract through an Interagency Agreement, as authorized by Chapter 771, Texas Government Code, any local government as authorized through the Interlocal Cooperation Act, Chapter 791, Texas Government Code, and the state agencies and political subdivisions of other states as authorized by Section 2054.0565, Texas Government Code.


Contract Number: UVA1482501 Term: May 2, 2014 - December 19, 2021


Past Events

ATARC DevOps Summit - March 12, 2019

AFCEA Spring Intelligence Symposium - March 19-20, 2019

ATARC Federal RSA - March 26, 2019

International Conference on Cyber Engagement - April 23, 2019

GDIT Emerge 2019 - April 23, 2019

Archived Events


Latest News

Sonatype released a commissioned research study of organizations using the Nexus Platform, covering their ROI and increased profits.
January 29, 2019
Sonatype, the Nexus company and a continuous delivery leader, today announced that Equifax Inc. has selected Sonatype’s Nexus platform to manage and monitor its application ...
Sonatype, the leader in automated open source governance, announced it has been recognized as one of five “large” SCA Specialists in Forrester Research’s new Now Tech: Software Composition ...
All Day DevOps and Sonatype partnered to host the largest conference of high quality educational content to more than 1 million IT professionals to focus on DevOps.
Sonatype today released its fourth annual State of the Software Supply Chain Report which found that software developers downloaded more than 300 billion open source components in the past 12 months, ...
Today, Sonatype, the leader in automated open source governance and application security, and Micro Focus, creator of Fortify Application Security Portfolio, announced an expanded strategic ...
Today’s guest is Derek Weeks, VP and DevOps Advocate at Sonatype. The discussion today highlights what has happened to software development in the past ten years. Rather than taking a project and ...
On this podcast, Curtis Yanko, Technical Director, Alliances and Partners at Sonatype discusses how the Nexus Platform helps customers automate open source governance so they can build software the ...
In 2010, a 7.0-magnitude earthquake devastated Haiti. The quake killed an estimated 230,000 people and sparked a massive global assistance response. We all remember this tragedy. Yet, six weeks later, ...
The software world is being flooded with open source product. In fact, the federal government has an open-source-first policy. But maybe it's time to stop and think about sources of open source. Where ...
Multiple agencies across the U.S. government are paying closer attention to the software they are buying. More specifically, they want to know what open source and third party components were used to ...
What: The 2016 State of the Software Supply Chain report from Sonatype detailing the use of open source components in software.
Sonatype, the Nexus company and a continuous delivery leader, today announced that its Nexus repository manager usage has doubled in the last 18 months (July 2013 to February 2015). With five times ...
Responsibility for secure open source software is, well, complicated. Some believe open source is more secure than proprietary software because, as Linus’s Law says, “Given enough eyeballs, ...
Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a free Application ...




This year’s report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

As consumers increasingly expect organizations to offer expanded value and experiences through software applications, businesses must ensure that they are providing not only a differentiated user-friendly experience but a secure one too.

Solutions Brief

Sonatype exists to unite software developers, security professionals, and IT operations. We empower them to continuously identify and remediate open source risk, without slowing down innovation.


Sonatype’s Nexus Platform is a DevOps-native solution that uses Advanced Binary Fingerprinting to precisely identify vulnerable components (including partially modified components / matches), enabling agencies to govern and track open source components underpinning mission critical applications...