Sonatype Fully Automates Container Security

Date
11/25/2019

Nexus Lifecycle delivers open API for best-in-class policy control for all container layers

Sonatype announced an open API that makes it easy for third-party container scanners to integrate with Nexus Lifecycle and equip engineering teams with a holistic solution to automatically and accurately control risk related to containers traversing the modern software development lifecycle (SDLC).

In addition to the new container scanning API, Sonatype also introduced today an out-of-the-box integration between Nexus Lifecycle and Red Hat Clair, which when used with Red Hat Quay offers a powerful security assessment option for containers.

With these enhancements, Sonatype is streamlining open source governance and developer security into a single value stream that stretches across the entire SDLC - while giving engineering teams the freedom and flexibility to use any container scanning solution of their choice.

According to Sonatype’s 2019 State of the Software Supply Chain Report, there are more than 2.2 million containerized applications housed in Docker Hub, up from 900,000 the previous year. This aligns with the 2019 Container Adoption Survey, developed by Portworx and Aqua Security, which found that 87% of respondents are running container technologies, and 90% of those using containers are doing so in production. But, just as with any rapidly growing technology, there are risks. In fact, a recent study by Kenna Security found that 20% of all Docker containers have at least one critical vulnerability and the average container has 176 CVEs.

“There is no denying the rise of container use in the DevOps pipeline and being able to continuously scan and monitor them for security vulnerabilities and licencing risk is vital. Running an untrusted container can lead to numerous attacks,” said Brian Fox, CTO and Co-founder of Sonatype. “We believe in building and working with best-in-breed solutions. By developing an integration with Clair and an API for other container scanning tools, we’re giving our customers the power to choose the capabilities that work best for them, while providing a single platform to easily validate containers and applications across the entire SDLC and innovate faster at scale.”

For more information, please visit Sonatype.com.
