Overview

Product video
Block Malicious Open Source at the Door
Strengthen your software supply chain security by automatically detecting known and unknown open source malware before it enters development. Sonatype Repository Firewall is the only automated solution that stops open source malware at the source. Powered by next-generation AI behavioral analysis and automated policy enforcement, it evaluates components before they reach your repository, ensuring developers can work with safe, up-to-date OSS components and avoid costly issues later in the development lifecycle.
What Makes Repository Firewall Different:
- Block Open-Source Malware Automatically: Prevent malicious components from entering your software supply chain with AI-driven detection and automated policy enforcement.
- Eliminate Existing Threats: Identify and remove malware already in your repositories, keeping your development environment secure.
- Protect Without Slowing Developers: Seamlessly safeguard your pipeline without disrupting workflows or slowing innovation.
- Sonatype Repository Firewall is your first line of defense against open-source malware, combining automated protection with seamless integration to reduce security burdens and accelerate time to market - all without compromising speed, quality, or innovation. Develop fearlessly. Innovate confidently.
As the industry-leading software supply chain management platform, the Sonatype Platform is the choice of organizations that are currently using or evaluating solutions such as Mend, Jfrog, Snyk, or GitLab. Sonatype provides a comprehensive and integrated solution for all aspects of the software development lifecycle, from secure development to release automation, helping organizations reduce risk and accelerate their time to market.
Highlights
- Start your 30-day Free Trial on AWS Marketplace today!
- Bad actors are constantly evolving their attack vectors. Sonatype has identified and blocked over 143k malicious and suspicious packages.
- Sonatype Repository Firewall has prevented over $1.5 Billion in potential losses from malicious open source attacks.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Trust Center
Buyer guide

Financing for AWS Marketplace purchases
Pricing
Free trial
Dimension | Description | Cost/12 months |
|---|---|---|
Repository Firewall | For One User | $302.00 |
Vendor refund policy
We do not offer a refund policy.
Custom pricing options
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Standard contract
Customer reviews
Centralized repositories have strengthened open-source security and improved vulnerability insight
What is our primary use case?
The major use case for Sonatype Repository is for open-source libraries, third-party libraries, and scanning. It gives you the vulnerabilities and security vulnerabilities of these third-party libraries.
In terms of lifecycle management and integration with CI/CD pipelines, we assess the pipelines with Fortify integrated into part of the pipeline. When you run the pipeline, part of it is the scanning, and you get the vulnerabilities and the issues in this pipeline.
What is most valuable?
The biggest advantage of Sonatype is that you get an idea about the open source or third-party libraries vulnerabilities. You know if there are any fixes for them and if it is utilized in our environment. It gives you an idea of the security posture of your used libraries, third-party libraries, and open source components. It also shows you the vulnerabilities and what is being done. Recently, we acquired Sonatype Repository Firewall , which is very useful for security because you can block things and allow things.
The Health Check feature for repositories is for identifying vulnerabilities, basically. It normally marks something as vulnerable, but it also checks if it is accepted or not.
Health checks contribute to my identification procedure because if we have a vulnerability, some vulnerabilities are in that library, but it does not necessarily mean that the whole library is vulnerable because of one function that might not be in our code. So I check if that is really a vulnerability or not.
The ability of Sonatype to manage NPM , Docker , and Maven helps us with development environments because if someone needs one of these frameworks, we can connect with third-party libraries and have them stored here. We also know the health of it and sometimes receive live checks and feedback.
Hosting, proxying, and grouping repositories have a major benefit by being centralized for our organization. You know what you have and what you do not, and maintain a secure environment, knowing its security posture.
What needs improvement?
For Sonatype, there is a feature for waiving a vulnerable component that cannot be fixed due to limitations. However, I wish Sonatype would improve notifications regarding waivers, so the security team knows to look into it instead of relying on user emails or checking ourselves.
I think the price for the product is on the high side, as some components are very expensive, such as Sonatype Repository Firewall . It is not a cheap product, but security can come at a cost.
Time definitely is saved because security is a requirement, and it provides great value, although everyone likes things to be cheaper. But at the end of the day, you pay for what you have to.
For how long have I used the solution?
I started using this product before 2023, possibly in 2022 or 2019, but I do not have the exact dates because I was not involved in that process when they brought it in.
What do I think about the stability of the solution?
Sonatype Repository is reliable and stable.
How are customer service and support?
My impression of customer support and technical service from Sonatype is positive.
I would give them a nine for support on a scale from zero to ten.
How was the initial setup?
The installation process and deployment procedure for Sonatype is complex because the administration team handles that, and I know they stay after hours to do it, but I did not participate to know the details.
What about the implementation team?
We are customers of Sonatype; we get the product, we use it, and we buy it.
Which other solutions did I evaluate?
I have not worked with any competitors yet, so I cannot compare Sonatype to anything right now, but I know they are one of the top ones in the market.
What other advice do I have?
Sonatype is pretty much a leader and stands out in their field.
We have it on-premises; all is on-prem because sometimes the offerings of the cloud are not here in our country. The cloud area is still evolving, and we are not cloud-based yet.
Automated policy checks have protected builds and now prevent vulnerable dependencies in real time
What is our primary use case?
My main use case for Sonatype Repository Firewall is to check dependencies for vulnerabilities, block any download content that poses a risk, and enforce and adhere to security policies in real-time. I check for any suspicious activity and prevent vulnerable and malicious code from entering the build. When application teams create images, I check for vulnerabilities, block critical and vulnerable-level content, and block packages if someone tries to download unauthorized images or engages in suspicious activities using vulnerability intelligence.
An example would be when a developer is building a Java-based application with Maven. As they write code and add dependencies, the build tool requests a package from Sonatype Repository Firewall , which is integrated with the proxy repository that connects to the internet to download packages. During this process, whenever a request goes to the Nexus repository, Sonatype Repository Firewall checks the component before downloading it. If any vulnerability is detected, such as one related to Log4j, the policies applied at the firewall level help block the component containing critical severity vulnerabilities. The actions taken include blocking the download, putting the component into quarantine, and informing the developer that it was locked due to a critical vulnerability.
What is most valuable?
Sonatype Repository Firewall immediately identifies vulnerable content and helps block it promptly. It stops bad components before they ever enter my environment and helps developers choose correct and safer versions. It detects problems early rather than after accidents happen, and applies automatic enforcement of policies. This protects against threats and helps reduce human errors.
The automatic enforcement happens at different stages. For instance, if an application team requests any dependency to the Nexus Sonatype repository proxy, it first goes to the firewall, which intercepts it before downloading and checks for vulnerabilities, malware signals, and policy rules. If safe, it allows the dependency to be downloaded. If anything risky is found, it blocks it instantly without human intervention. Once a component is downloaded, it gets stored in the cache, allowing faster downloads in the future since the component is already available in the local repository.
Since I started using Sonatype Repository Firewall more than five years ago, it has had a positive impact on security and development speed. It helps prevent security incidents, fixes vulnerabilities early, and enables stable releases for applications. It speeds up development with safer dependencies by eliminating manual security checks and helps reduce human error and knowledge gaps, standardizing my DevOps pipeline and framework according to security guidelines.
What needs improvement?
I recommend integrating artificial intelligence capabilities into Sonatype Repository Firewall for real-time intelligence updates regarding security risks. I also suggest enhancing policy control for improved granular policy settings and better integration with DevOps pipelines, especially in container-based workflows.
I find the documentation very good as I often refer to it for information. The user interface is also very good, but I have noticed some false positives where safe components get blocked, causing unnecessary delays for developers.
For how long have I used the solution?
I have been using Sonatype Repository Firewall for over three years.
What do I think about the stability of the solution?
Sonatype Repository Firewall is stable, and although I explored alternatives like JFrog Artifactory and JFrog X-ray, I did not find them as valuable for my organization.
What do I think about the scalability of the solution?
My product runs on a container-based platform on AWS , utilizing auto-scaling to handle distributed traffic. The policies are enforced in a stateless manner and shared across the system, which helps manage load on the primary nodes effectively during high traffic.
How are customer service and support?
My experience with customer support has been minimal since I have not faced significant issues, and any past support requests during migration were handled well.
Which other solutions did I evaluate?
Sonatype Repository Firewall is stable, and although I explored alternatives like JFrog Artifactory and JFrog X-ray, I did not find them as valuable for my organization.
What other advice do I have?
I advise others considering Sonatype Repository Firewall to ensure they have strong organization-wide policies that comply with security regulations. This product can handle large volumes of data and scale as needed, offering excellent scalability and security features. It is a good product, and I encourage others to use it for large-scale applications if they wish to implement it. I have rated this product 9 out of 10.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Accurate database support blocks malicious code with excellent support
What is our primary use case?
Many companies, including ours, use Nexus Repository due to concerns about malware and critical vulnerabilities. There should be a specific method to prevent malicious packages from entering the internal network, so our company uses Nexus Repository . We usually consider adding the firewall feature on top of the Repository, with the main purpose being to block malicious packages.
What is most valuable?
The firewall is the only solution that supports Nexus Repository. This firewall comes with an accurate database, which can identify most malicious code from entering. It relies on the Sonatype accurate database, so the accuracy is excellent. There is no other option except Sonatype deploy to the firewall.
What needs improvement?
There are several features lacking in the current offering, particularly concerning container support and AI packages, like humming phase support. However, I have heard that it is on the roadmap for 2025.
For how long have I used the solution?
I have been using this solution for four years.
What do I think about the stability of the solution?
It is software, so there is always a possibility of bugs, however, they are quite fast in fixing these bugs. It is quite stable.
What do I think about the scalability of the solution?
There is an option to scale the capacity using an external database, and then you also have support. I do not think there is any issue with scalability.
How are customer service and support?
The customer service is fantastic. They provide the required responses and relevant support, which is the biggest advantage of using Sonatype.
Which solution did I use previously and why did I switch?
I do not have handling experience with another firewall. Sonatype Firewall is the only one I have been using. There is only one other alternative.
How was the initial setup?
The initial setup is quite straightforward and easy. It is not complicated.
What about the implementation team?
Just a couple of staff members can complete the installation and configuration.
What's my experience with pricing, setup cost, and licensing?
Also, I consider it average. Some people might consider it expensive, however, since it supports many beautiful features, I would say it is worth it.
Which other solutions did I evaluate?
We looked at Sonatype or Gather. There are not that many options.
What other advice do I have?
I would give the solution eight out of ten. I would look at the comparison of Sonatype to some other firewalls. There is room for improvement, especially mentioning container support and AI packages.