We are using Sonatype Nexus Repository Manager OSS version 3.30.0-01, and we are looking for an option to scan the packages being downloaded from the repositories whenever a team performs a build on their application repos.
Teams should be able to build their application repos only when the packages being downloaded have zero vulnerabilities. Is there anything on the Nexus side that performs the scanning of the packages and maintains the scanned results, so that whenever an app team requests packages that have vulnerabilities, their build fails immediately, saying the packages have vulnerabilities?
We are looking for an open-source solution for this kind of feature. Please let me know if there is such an option available with Nexus.
Thanks for your reply.
Instead of checking when releasing, is there anything that checks for vulnerabilities when the dependencies are being downloaded while the team is building the application? (While pulling, pull only when no vulnerabilities are found.)
Could you give some info on Nexus Firewall?
Nexus Firewall is designed to prevent components not matching policy from coming into your Repository Manager instance. If you’d like more information on Firewall, I highly recommend asking for a demo (Nexus Firewall - Application Security | Sonatype), as our sales team will be able to explain exactly how it works, as well as pricing, and can help you figure out if it will meet your requirements.
Looking at your question again, I should note that we have several separate features under the lifecycle umbrella (in which Firewall is included) to allow you to detect and block vulnerabilities at all levels of the development lifecycle: first download through a repo proxy (blocks things for development if they are new), builds on CI systems (can be used to block before merge or before deployment), as well as the option of telling you after deployment if new vulnerabilities are reported. Our sales engineers would know much more detail than I do.