Sonatype Nexus Repository Manager - Vulnerability Scanner option

Hi Team,

We are using Sonatype Nexus Repository Manager OSS, version 3.30.0-01, and we are looking for an option to scan the packages being downloaded from the repositories whenever teams perform a build on their application repos.

Teams should be able to build their application repos only when the packages being downloaded have zero vulnerabilities. Is there anything on the Nexus side that performs scanning of the packages and maintains the scanned results, so that whenever an app team requests packages that have vulnerabilities, their build fails immediately, saying the packages have vulnerabilities?

We are looking for an open-source option for this kind of feature. Please let me know if there is such an option available with Nexus.

Thanks,
Prasad.

There are a few options.

  • Sonatype Lift is a free tool you can add to your GitHub repository to check your code quality, and I believe it includes checking dependencies.
  • Local format-specific tools like those found at Integrations - Sonatype OSS Index can be used to scan your application for security vulnerabilities.
  • Nexus Lifecycle is our enterprise offering, which provides the highest quality data and allows you to set policies to prevent vulnerabilities from being released. Something you get with our paid solution that you don’t with other solutions is continuous monitoring of the dependencies in a released application, so that you know when a new vulnerability in one of the dependencies is discovered and can hopefully fix it before someone starts exploiting it.
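The second bullet above points at the OSS Index integrations for scanning an application locally. The script below is an added example written for this thread, not code from Sonatype or from any of the tools the reply names. It shows the shape of the gate the question asks for: resolve the package URLs (purls) a build is about to pull, look them up, and return a non-zero exit code when any component carries a known vulnerability at or above a CVSS threshold, so CI stops before the packages are consumed. It assumes (this is not confirmed anywhere in the thread) that OSS Index v3 exposes `POST https://ossindex.sonatype.org/api/v3/component-report`, taking `{"coordinates": [purl, ...]}` and returning one object per coordinate with a `vulnerabilities` list whose entries carry `id`, `title` and `cvssScore`. The `SAMPLE_*` data is constructed for the offline run; nothing is fetched unless `--live` is passed.

```python
"""Pre-build dependency gate on top of the Sonatype OSS Index REST API.

Added example for this thread, not Sonatype code. Assumed (unverified here):
POST https://ossindex.sonatype.org/api/v3/component-report accepts
{"coordinates": [purl, ...]} and returns one object per coordinate with a
"vulnerabilities" list of {"id", "title", "cvssScore", ...}.
SAMPLE_* is constructed data so the module runs offline.
"""
import json
import sys
import urllib.request
from typing import Dict, List, Tuple

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_BATCH = 128  # assumed per-request coordinate cap; we batch to stay under it

# Constructed sample: org.example coordinates and made-up finding ids.
SAMPLE_COORDINATES = [
    "pkg:maven/org.example/widget@1.0.0",
    "pkg:maven/org.example/safe-lib@2.3.1",
]
SAMPLE_REPORT = [
    {
        "coordinates": "pkg:maven/org.example/widget@1.0.0",
        "vulnerabilities": [
            {"id": "CONSTRUCTED-0001", "title": "Deserialization of untrusted data", "cvssScore": 9.8},
            {"id": "CONSTRUCTED-0002", "title": "Path traversal in archive extractor", "cvssScore": 5.3},
        ],
    },
    {"coordinates": "pkg:maven/org.example/safe-lib@2.3.1", "vulnerabilities": []},
]

Finding = Tuple[str, float, str]  # (vulnerability id, cvss or -1.0 if absent, title)


def build_request_body(coordinates: List[str]) -> bytes:
    """Serialize one batch in the assumed request shape."""
    return json.dumps({"coordinates": coordinates}).encode()


def fetch_component_report(coordinates: List[str], basic_auth: str = "") -> list:
    """Live lookup, batched. basic_auth is base64(user:token) if you have an account."""
    report: list = []
    for start in range(0, len(coordinates), MAX_BATCH):
        req = urllib.request.Request(
            OSS_INDEX_URL,
            data=build_request_body(coordinates[start:start + MAX_BATCH]),
            headers={"Content-Type": "application/json", "Accept": "application/json"},
            method="POST",
        )
        if basic_auth:
            req.add_header("Authorization", "Basic " + basic_auth)
        with urllib.request.urlopen(req, timeout=30) as resp:
            report.extend(json.load(resp))
    return report


def evaluate(report: list, threshold: float) -> Dict[str, List[Finding]]:
    """Map coordinate -> findings at or above threshold, worst first.
    A finding without a cvssScore is kept: unknown severity blocks, it does not pass."""
    findings: Dict[str, List[Finding]] = {}
    for entry in report:
        hits: List[Finding] = []
        for vuln in entry.get("vulnerabilities", []):
            score = vuln.get("cvssScore")
            if score is None or float(score) >= threshold:
                hits.append((vuln.get("id", "?"), -1.0 if score is None else float(score), vuln.get("title", "")))
        if hits:
            findings[entry.get("coordinates", "<unknown>")] = sorted(hits, key=lambda h: h[1], reverse=True)
    return findings


def unanswered(requested: List[str], report: list) -> List[str]:
    """Coordinates the service did not report on; the gate fails closed on these."""
    answered = {entry.get("coordinates") for entry in report}
    return [c for c in requested if c not in answered]


def gate(requested: List[str], report: list, threshold: float = 0.0) -> Tuple[int, str]:
    """Return (exit code, summary). Exit 0 only if every purl was answered and nothing
    met the threshold. The default 0.0 is the question's 'zero vulnerabilities' policy."""
    lines = [f"NO DATA  {c}" for c in unanswered(requested, report)]
    for coord, hits in evaluate(report, threshold).items():
        for vid, score, title in hits:
            cvss = "n/a" if score < 0 else f"{score:.1f}"
            lines.append(f"BLOCK    {coord}  {vid}  cvss={cvss}  {title}")
    if lines:
        return 1, "\n".join(lines)
    return 0, f"OK       {len(requested)} component(s), nothing at or above CVSS {threshold}"


if __name__ == "__main__":
    if "--live" in sys.argv:
        purls = [a for a in sys.argv[1:] if a.startswith("pkg:")]
        code, summary = gate(purls, fetch_component_report(purls))
    else:
        code, summary = gate(SAMPLE_COORDINATES, SAMPLE_REPORT)
    print(summary)
    sys.exit(code)
```

Run it with no arguments to see the constructed report blocked on the two `widget` findings, or `python gate.py --live pkg:maven/...` to query the service. The two design points worth keeping in a real gate are the fail-closed paths: a coordinate the service did not answer for and a finding with no score both stop the build, because a scanner outage or missing data should never look like a clean result.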

Hi @mmartz

Thanks for your reply.

Instead of checking when releasing, is there anything that checks for vulnerabilities when the dependencies are being downloaded while the team is building the application (i.e., while pulling, pull only when no vulnerabilities are found)?

Could you give some info on Nexus Firewall?

Thanks,
Prasad.

Nexus Firewall is designed to prevent components not matching policy from coming into your Repository Manager instance. If you’d like more information on Firewall I highly recommend asking for a demo (Nexus Firewall - Application Security | Sonatype) as our sales team will be able to explain exactly how it works, as well as pricing and can help you figure out if it will meet your requirements.

Looking at your question again, I should note that we have several separate features under the Lifecycle umbrella (in which Firewall is included) to allow you to detect and block vulnerabilities at all levels of the development lifecycle: first download through a repo proxy (blocks things for development if they are new), builds on CI systems (can be used to block before merge or before deployment), as well as the option of telling you after deployment if new vulnerabilities are reported. Our sales engineers would know much more detail than I do.