Skip to content

Today, Sonatype and Fugue have partnered to deliver the tools developers and operations need to address every meaningful cloud attack surface and ensure compliance at every stage of the SDLC with a single unified solution. Read the press release here.  


Why This Partnership Matters

The cloud era has turned every aspect of IT on its head from how developers build applications to the nature of the infrastructure that runs them. Applications are largely built using open source components. Infrastructure is 100% software, conjured up in a matter of minutes with a few API calls, often with infrastructure-as-code. Organizations that embrace this digital transformation can innovate faster than their competition. 


But this digital transformation has also upended security. We now need to be concerned with the security and provenance of the open source components our developers use to build applications. And while we’re no longer responsible for securing physical infrastructure, the attack surface of the cloud infrastructure we are responsible for is radically different and mutable. Organizations caught flat-footed here can suffer devastating data breaches, steep fines, and a loss of trust.


Developers are at the heart of digital transformation, and the key to security is developers empowered to build and operate applications and cloud infrastructure securely using tools that work the way they work. But security concerns plague developers at every stage of the software development life cycle (SDLC), from design time to the runtime. Sonatype has led the way with tools to help developers use open source software security across the SDLC, and Fugue has led the way with tools to help engineers use cloud infrastructure securely across the SDLC. 


The combined capabilities of Sonatype and Fugue enable developers to find and fix security vulnerabilities when actively developing cloud applications, while at the same time preventing security vulnerabilities and compliance issues from surfacing in production due to misconfigured cloud infrastructure. The joint solution includes out-of-the-box guidance to assist developers when configuring IaC and automatically foster compliance with privacy and security standards, including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, SOC 2, and custom rules. 

“Sonatype and Fugue have a strong history of leadership in empowering developers to securely build and operate in order to keep their data safe. We’re proud to partner with them to deliver a single solution to address the full breadth of cloud security and compliance challenges. The mutable nature of cloud APIs brings serious risk of post-deployment misconfiguration, and Sonatype and Fugue are making it possible for the first time to address all relevant cloud vulnerability surfaces from initial development to runtime production environments with a single solution using the same policies.”  

  • Phillip Merrick, CEO of Fugue

“Sonatype has a long and successful history of providing front-line software developers with friendly feedback pertaining to the health of open source libraries, making it easy for them to identify and remediate security risk, without slowing down innovation. In today’s cloud-native world, developers are not just responsible for building secure applications, they’re also responsible for configuring and provisioning secure cloud infrastructure using tools like Terraform. By working with Fugue, we’re equipping developers with the right information at the right time so they can always make healthy decisions when configuring IaC.”

  • Wayne Jackson, CEO of Sonatype.

Providing Full Breadth Cloud Security and Compliance

Together, Sonatype and Fugue deliver a unified cloud security and compliance solution that empowers software developers to address the entire cloud threat landscape with:


  • Open-source governance with Sonatype’s Nexus platform to shift security of software applications left to address open source risk and known vulnerabilities automatically at every phase of the CI/CD pipeline.
  • Infrastructure-as-code governance with Sonatype’s new IaC capabilities, which integrate Fugue’s cloud infrastructure security and compliance technology for Terraform configurations.
  • Continuous cloud compliance with Fugue to ensure cloud environments remain in compliance and free of misconfiguration vulnerabilities post-deployment — and demonstrate it at all times with automated reporting. 


In Q1 2021, Sonatype will offer new Nexus IaC capabilities as an add-on to its Nexus Lifecycle product that incorporates Fugue's cloud infrastructure security and compliance technology. This will make it possible for developers using Nexus Lifecycle to find and easily fix misconfigurations in Terraform plans before being applied to production infrastructure, and use those same policies with Fugue to ensure continuous compliance in production.  

Additionally, Sonatype and Fugue will collaborate to bring the Fugue runtime SaaS continuous compliance solution to Sonatype customers, who can learn more here.

Categorized Under