At Sonatype, we pride ourselves on arming development and security teams with precise and actionable intelligence to build software faster, with less risk. Which is why I am happy to announce that we recently improved the precision with which we identify and secure PyPI packages in Nexus Lifecycle.
This new release comes at a time when Python is quickly becoming the standard for developers and data scientists according to a
recent survey and as witnessed by our own customer usage. Downloads from the PyPI repository grew significantly in the past year according to
Sonatype’s 2018 State of the Software Supply Chain, averaging between 4.3 and 4.7 billion per month. And with every language, as usage increases, so does potential security vulnerabilities and license risk. In fact, approximately 11% of components housed in PyPI have a known vulnerability.
While we have been able to block undesirable Python packages from entering the software supply chain with Nexus Firewall for some time, this new release of Nexus Lifecycle fully automates PyPI governance across the entire SDLC. Now, development and application security teams can:
-
Define open source component policies by organization, team, and application type across the SDLC
-
Continuously visualize component intelligence within their favorite tools including the Jenkins, Bamboo, and Maven plugins
-
Automatically and contextually enforce policies across the entire DevOps pipeline
Check out this video from Andres Perez, Solutions Consultant to see how it works:
New to Nexus Lifecycle or just want to learn more? Visit us on my.sonatype.com to download new releases, view documentation, and chat with other Lifecycle customers.
