We performed a comparison between GitHub and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"The control is the most valuable feature as developers can work on a single code."
"The product has a very user-friendly interface and user-friendly security."
"The most valuable features of GitHub are the standard features; they are very useful."
"The features that I have found most valuable are that it can support you for most of the road map and it can automate some tasks which works really well with collaboration with the teams. They are really interested in how they organize the history of the code itself which is good."
"The version control functionality for this solution has been most valuable, especially when managing projects with multiple versions."
"I would rate the stability a ten out of ten."
"The most valuable feature of GitHub is version control and continuous integration."
"Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the IDE so that they can see all versions of a specific code."
"The integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the JavaScript IDE from JetBrains called WebStorm, and there is an integration for that from Nexus Lifecycle. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app, and then you just make the connection in all the tools you're using."
"It's helped us free up staff time."
"The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools."
"The integration of Lifecycle is really good with Jenkins and GitHub; those work very well. We've been able to get it to work seamlessly with them so that it runs on every build that we have."
"It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product."
"The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
"We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."
"We want to incorporate management comments within GitHub, making it more like a product management tool. We haven't done that yet. Another change we're considering is migrating from GitHub to Azure DevOps, especially now that Microsoft has introduced it."
"There is a bit of a learning curve."
"It is difficult to merge a code or restore it to an older version."
"We face issues with synchronization while working with teams."
"The GitHub repository needs an upgraded user interface and overall UI improvements."
"We would like this solution to have a more user-friendly interface."
"GitHub could add more security features. I am not sure how secure it is. If they provide more security features, then it can be used in more official applications."
"GitHub storage is one of the main requirements and it could improve."
"Fortify's software security center needs a design refresh."
"It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
"The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"There is room for improvement in the code analysis aspect of Sonatype Lifecycle, specifically in the area of deployment security."
"The price can be improved."
"The reporting could be better."
"We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing."
GitHub is ranked 12th in Application Security Tools with 74 reviews while Sonatype Lifecycle is ranked 6th in Application Security Tools with 43 reviews. GitHub is rated 8.6, while Sonatype Lifecycle is rated 8.4. The top reviewer of GitHub writes "Beneficial version control and continuous integration, but guides would be helpful". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". GitHub is most compared with Snyk, AWS CodeCommit, Bitbucket, Fortify on Demand and Atlassian SourceTree, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Checkmarx One. See our GitHub vs. Sonatype Lifecycle report.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.