The scalability of the Fortify Static Code Analyzer is a ten out of ten.

It is scalable, can handle large codebases, and is suitable for projects of varying sizes, from small applications to complex enterprise-level software.

I've never had issues with scaling.

It is being used at multiple locations and in multiple buildings. The security requirements are very high in our environment, so not everything will work as you expect it because not everything is open. We struggle a bit, but it is required. We have around 60 people who use Fortify SAST.

We have not tested it yet, but they have something called ScanCentral. Currently, developers scan the code on their machines, and then they push it to Fortify Software Security Center. ScanCentral is a feature that we will start to experiment with soon where we offload the scan to a server. It will not utilize developers' resources. It will just initiate a scan, and it will use another system to scan. I have heard that you can have many of them implemented. I have not experienced it yet, but it seems like a cool feature to free the resources for developers because they need to deploy, compile, and fix. If it frees up their resources, it will be good.

It is being used at multiple locations and in multiple buildings. The security requirements are very high in our environment, so not everything will work as you expect it because not everything is open. We struggle a bit, but it is required. We have around 60 people who use Fortify SAST.

We have not tested it yet, but they have something called ScanCentral. Currently, developers scan the code on their machines, and then they push it to Fortify Software Security Center. ScanCentral is a feature that we will start to experiment with soon where we offload the scan to a server. It will not utilize developers' resources. It will just initiate a scan, and it will use another system to scan. I have heard that you can have many of them implemented. I have not experienced it yet, but it seems like a cool feature to free the resources for developers because they need to deploy, compile, and fix. If it frees up their resources, it will be good.

Fortify SAST perfectly fits our organization's size.

We don't need to scale it. At this moment, it is right-sized for us. So, I don't see any scalability going on right now. We do self-hosting on our own internal platform. The resources that are available are not scalable, so to say. They are right-sized.

We have between 750 and 1,250 users. The developers are the biggest part. We also have our operations support team that deals with upgrades, patch management, installation, and the Infra stuff. There are about 10 people. They don't only work on Nexus IQ, of course, but that's part of their job. There is also the security team, which is my team. It has about 10 people. We use Nexus IQ for all kinds of security review activities. We also have five metrics people who use these tools to gather metrics. They also use Nexus IQ.

Even though we don't employ it in a high-availability mode, looking at the documentation, it's very easy to scale out. You can put up multiple servers and point them at the same shared file system. Sonatype also has a cloud offering if you want to go completely hands-off. But it seems to scale very well. We haven't had to scale it yet, but it seems very straightforward to do so.

We haven't had an instance where we have run into such high volume that we needed to scale. The only change we made was to increase memory, because we started utilizing the API. In terms of redundancy, all the data is sitting in the database. We have backed up the folder structure, and the worst case is we just restore that folder structure onto any server. You could run it in Docker if you wanted to, as well so that is immutable. It's been made to be a lift-and-shift type of product.

We have 100 users actively using it at the moment. They are developers, mostly.

They're really good with scalability. We have an implementation that spans production use plus a disaster recovery area. The synchronization between those two and the high-availability are awesome.

We're at 100 or 150 licenses, maybe more. Developers are the main role as well as DevOps. The plan is to use it across every single application where we do development. We have a lot of applications, on the order of 500.

We have plans to expand usage, as far as the user base and the number of teams utilizing it go. 

The scalability, currently, is fine, because the performance is fine. It was important to have a structure at the beginning, a way to set up different departments and groups. Now, if we have a new group that will use IQ Server or Nexus Lifecycle, we can just add it and it will be managed by the department. That makes it really good and scalable.

Nexus was a pilot, where some of my colleagues were using it but now it has spread to our whole organization and more colleagues are using it.

It's probably not that scalable in its current state. That has to do with the way that the applications are designed. I think they're working on that when they start working on the HA solutions. For Nexus and Nexus IQ I think that will change. But right now, it's not very scalable.

I rate the scalability an eight out of ten.

There are two aspects to the solution's scalability. The infrastructure scalability is the first part, and that is good. The second part is the developer and the licensing front. When we started the program, we had 60 developers but we now have double that number. There's flexibility on both the infra and the licensing. That is good, as of now.

We are still trying to get an impression of the scalability. We have scaled it on all of our products and it seems to be good. I would rate the scalability an eight out of ten.

I haven't faced any challenges in the scalability of Nexus solutions. We have gone from pretty minimal usage to pretty high usage, and I haven't seen any challenges. It is good. It is not similar to some of the other tools that I have where scalability has been an issue.

We have around 3,000 to 4,000 engineers who use Repo daily. We have around 1,000 to 2,000 users who use IQ Server. Our usage is moderate. It is not extremely heavy. As compared to the other tools that are being used by around 30,000 engineers, the usage of Nexus is not heavy. It is moderate.

We have a relatively small number of people using IQ Server, consisting mostly of a few developers and project managers. Under those conditions it is performing very well. We have plenty of room to grow with it. We don't have any huge plans to expand use of the solution because it's fulfilling our current needs.

I don't know about the scalability yet because we are small and we don't have that many applications or packages yet. I haven't had to scale it. I designed, from the beginning, the storage architecture of my Repository Manager to be scalable because I knew a lot of the large data will sit there. I designed that upfront to be scalable to other storage volumes or even other servers. I know there are features for having multiple IQ servers or Repository manager servers and load balancing or having automatic failover and things, but I haven't done those things yet.

I don't know how well it's going to scale.

The scalability is good but it can be improved. I think they're working on it, but it needs to be clusterable. The best case is to have a cluster, a native cluster, for IQ Server, to improve the availability.

I would rate the scalability of the solution as a ten out of ten. It is suitable for any business size.

The scalability is fine, as far as I can tell. We only have so many developers, and haven't really grown our development teams at all in the past few years. We have about 200 users of Sonatype who are either developers or application security or myself as senior architect. We haven't had problems with capacity, but we haven't had to scale it.

It does seem to scale okay for adding new software artifacts, because we continue to add more stuff to it.

It's handling a lot of code but if we wanted to roll out more servers and do more build outs, I wouldn't think that it would involve much more than just adding a few servers. So the scalability should be good.

It is being fully utilized in our build process — where our applications are built and deployed. Where we're lacking use is getting the developers to get it plugged into their Eclipse environments and actually using it on a more regular basis. That's where the struggle has been. That's not the tool, that's more an issue with our developer management side. The adoption is just not happening at the pace it should, because of a whole multitude of other things that are going on right now in our company.

The only other thing we might eventually want to do is get it hooked into a ticketing system where it could create tickets if there are libraries that are bad. Outside of that, it's pretty much integrated into our pipeline as far as we're going to integrate it.

We haven't scaled Sonatype Nexus Lifecycle yet.

Our customers include some of the biggest banks in Africa. The number of Lifecycle users ranges from about 25 to 250, depending on the size of the environment.

Scalability is not an issue. We have a microservices architecture and we've got about 150 applications in there and we scan them quite regularly. When we first started, we had a lot fewer applications, we were sending about five gigs of scanning data requests to the Sonatype servers every day. They were able to handle that. We had issues before, but I think they were more networking configuration issues, and they could have been on our side. But that has all been resolved and there are no issues.

We haven't scaled it because we just had this one server running. We have not had a reason to scale it as of yet.

We have 10 people who can use it, and they are developers in DevOps.

We started off using Nexus IQ very sporadically on an ad hoc basis. Now, we have moved into putting it into some of our pipelines, especially for applications that are in the forefront, e.g., digital footprint applications. There is now a high interest to make this mandatory for all data points. We are definitely looking at an increasing usage.

We haven't looked at its scalability at this point. We do have plans to use it more in the future, enforcing the results of the analysis to fail builds and force the developers to fix the issues in there before moving on.

I would rate the scalability at eight out of ten.

Sonatype Nexus Lifecycle 

We have approximately 200 users using Sonatype Nexus Lifecycle in my company using this solution. They are mostly developers and security personnel.

When it comes to scalability, there's a limitation in terms of high-availability. Sonatype recommends you go with high-availability. However, you have to have an Active-Passive solution and we don't use a separate installation for each organization. I know there are ways you can install multiple instances for each organization and proxy between them. Because we are a single organization that uses one installation, we have to set it to Active-Passive and manually switch the Passive on and off.

We haven't actually explored scalability. But in terms of scalability, if there is anything that we need to add, like CPU, memory, or any extra RAM, that can be added dynamically. But we are not sure if Nexus would need downtime for things like that.

We are unable to scale sufficiently because everything needs to be installed on our local premises. This is really a solution for small to medium-sized organizations. Every new server requires the installation of a new database. We currently have around 400 users doing a variety of jobs and scalability is the biggest issue we have.

We have had absolutely no issues with scalability. We built it for a small PoC. We have now scaled it to scan our entire application landscape on the exact same hardware that it was sized on at the beginning and we have had zero issues. So, it's absolutely great.

The solution is only very limited in its current usage. Our current adoption rate is 10 percent. We plan to hopefully introduce it into every application that we build in a language that is supported by Nexus.

At the moment, we have 20 licensed users. These are primarily IT security managers (such as myself), developers, and product owners.

The scalability of the Sonatype Nexus Lifecycle is good. We have not had any issues.

We have 2,000 engineering people using this solution, such as developers, SRE, and QE.

We are using just one instance right now, I don't know how it scales.

Scalability is not applicable to us at the moment.

The solution is pretty much involved in every release that we have. So, it's quite frequently being used. We don't have current plans to increase usage. We are working on our continuous integration process. Once that's done, then there will be a need to increase usage.

Nexus Lifecycle scales to the level we need. It's working fine.

It is currently not scalable. While we haven't encountered a scalability issue regarding Nexus IQ directly, but for maintenance and configuring there is a scalability issue because developers need to make modifications and reports. And those modifications must follow our workflow model, things like a code review and evaluation by a manager. Currently, this is not possible. They cannot make a request for changes in the software. There is no solution to contribute changes and that is a scalability issue. That is with respect to Nexus Lifecycle.

With Nexus Repository, we had a lot of scalability issues with version 2. With the new version 3, we tried to set up a certain type of architecture but it is not available. So scalability is an issue regarding the load, not the amount of data. We have been using Nexus software for 10 years now with very big storage and that is not an issue. But when the number of users increases, that's an issue. We are an open-source company, so we have many consumers of our artifacts, and that means there can be a heavy load on the projects.