Hi Team,
As we are going through audit process for Nexus repository manager application(Version: OSS 3.40.1-01), Auditors wants to know how security for the Nexus application is managed.
Does the Nexus application code is scanned periodically.
Which Code Scanning tools are used for this purpose.
How do the team ensure code vulnerabilities are mitigated for Nexus application?
Regards,
Loganathan
Hi Loganathan - thanks for reaching out!
Sonatype evaluates all of the products we create using Nexus Lifecycle. We follow Sonatype Customer Success best practices for managing Software Composition Analysis (SCA) risk.
Nexus Repository Manager OSS and Pro are internally both part of the same project and are managed equally.
Each project also uses GitHub - sonatype/codestyle: The Sonatype Code Style Guide to apply static analysis and linting configuration. Hope this helps!
I think the iso 27001 certification of Sonatype is also relevant here: Sonatype Now ISO 27001 Certified