Five products are in scope. Sonatype Nexus One Platform unifies the portfolio. Nexus Repository handles artifact management. Lifecycle delivers SCA and policy enforcement. Guide intercepts AI code-assistant package recommendations. SBOM Manager handles SBOM lifecycle and compliance. Merito sells every product and operates the deployment, policy authoring, repository firewall configuration, and SBOM workflow.
Sonatype portfolio
Software supply-chain governance, sold and operated by Merito.
Nexus One Platform unifying Sonatype's portfolio, Nexus Repository for artifact management, Lifecycle for SCA and policy enforcement, Guide for AI code-assistant governance, and SBOM Manager for SBOM lifecycle. Backed by Sonatype's 15+ years of OSS intelligence and 140M+ component database.
Why Merito for Sonatype
A Sonatype engagement is policy authoring, repository firewall configuration, SBOM workflow design, and AI code-assistant integration. Merito is the team that does the work after the licenses are signed.
Sonatype is the supply-chain governance vendor with the deepest open-source intelligence dataset in the AppSec category. The component intelligence database catalogs more than 140 million open-source components, and the vendor publishes that it sees 70% more open-source vulnerabilities than alternative sources, delivers insights 10x faster than the National Vulnerability Database, and achieves 30% faster mean time to remediate than industry averages. For programs that adopt Sonatype, that dataset depth is the practical asset.
Nexus Repository is the artifact management foundation. Universal repository covers Maven, npm, PyPI, NuGet, Docker, Helm, RubyGems, Go modules, and the long tail of package formats. Nexus Repository Pro adds high availability, replication, SAML SSO, staging and build promotion, and enterprise support on top of the open-source community edition. Lifecycle provides Software Composition Analysis and policy enforcement across the SDLC, with repository firewall blocking malicious or non-compliant components at the registry-fetch boundary before they reach the build.
Sonatype Guide (announced December 2025) extends supply-chain governance into AI code-assistant workflows. Guide operates as a Model Context Protocol (MCP) server that intercepts AI tool package recommendations in real time and steers developers toward secure and reliable component versions before code is committed. SBOM Manager handles the SBOM lifecycle (generate, validate, store, distribute) with NIST SSDF, EO 14028, DORA, and NIS2 compliance alignment.
Nexus One Platform (announced November 2025) is the AI-native DevSecOps platform that unifies Nexus Repository, Lifecycle, Guide, and SBOM Manager under one console with shared intelligence and automation. Programs running multiple Sonatype products consolidate under Nexus One. Sonatype Maven Central is the public open-source repository service the company operates, available to the entire open-source ecosystem and not licensed separately.
Merito sells Sonatype and operates the program around it. We deploy Nexus Repository or Nexus One, author Lifecycle policies against the customer's risk tolerance, configure repository-firewall rules at the registry boundary, set up SBOM Manager workflows aligned to the customer's compliance scope, and integrate Guide into the customer's AI code-assistant adoption.
The Sonatype toolchain
The Sonatype supply-chain governance portfolio Merito sells and operates
Unified platform
Nexus One Platform consolidates the Sonatype portfolio under one AI-native console.
Artifact management and SCA
Nexus Repository as the artifact foundation; Lifecycle as the SCA and policy enforcement layer that enforces policy across the artifact pipeline.
Artifact management
Sonatype Nexus Repository
Universal artifact repository covering Maven, npm, PyPI, NuGet, Docker, Helm, RubyGems, Go, and the long tail of package formats. Pro edition adds HA, SSO, replication, and enterprise support.
SCA
Sonatype Lifecycle
Software Composition Analysis with 18 default policies, custom policy authoring, repository firewall enforcement at registry-fetch boundary, and AI-powered remediation suggestions.
AI governance and SBOM
Guide for AI code-assistant package recommendations; SBOM Manager for SBOM lifecycle and compliance.
AI governance
Sonatype Guide
MCP server that intercepts AI code-assistant package recommendations in real time and steers Copilot, Claude Code, Cursor, and other tools toward secure component versions before commit.
SBOM lifecycle
Sonatype SBOM Manager
SBOM lifecycle management for SPDX and CycloneDX formats with expanded license detection, integrated container scanning, legal review workflow, and NIST SSDF / EO 14028 / DORA / NIS2 compliance alignment.
Merito services
Merito services across the Sonatype portfolio
01 Implementation
Nexus Repository or Nexus One deployment, Lifecycle policy authoring, repository firewall configuration, SBOM Manager workflow setup, and Guide MCP integration with AI code assistants.
02 MAPS Assessment
Supply-chain program scoping for Sonatype adoption alongside Black Duck SCA, Snyk Open Source, JFrog Artifactory, and Semgrep Supply Chain.
03 DevOps Consulting
PR-time SCA gates, repository firewall enforcement, build-gate policy in Jenkins, GitHub Actions, GitLab, Azure DevOps, and Bitbucket.
04 CRAFT Enablement
Developer-facing OSS approval workflows, Guide MCP rollout for AI code assistants, and AppSec champion programs.
05 Premium Support
Named engineer, priority SLAs, and release-window coverage for Sonatype programs Merito implements.
06 Managed Services
Long-term run support including ongoing policy tuning, repository firewall maintenance, SBOM workflow operations, and Guide AI code-assistant compliance reporting.
07 Training and Enablement
Role-based training for AppSec architects, developers, security engineers, and compliance leaders using Sonatype output.
08 Staff Augmentation
Merito-placed AppSec engineers and Sonatype specialists embedded on long-running supply-chain programs.
Sonatype licensing
Buy Sonatype from the partner that authors the policies and configures the firewall.
Supply-chain governance is policy authoring, repository firewall configuration, and SBOM workflow design. Buy Sonatype through Merito and get the policies, the firewall rules, and the SBOM workflow together.
Related solutions
Where Sonatype connects to the rest of the Merito program
Frequently Asked Questions
Sonatype FAQs
Consultation request
Talk to Merito about Sonatype
Share your supply-chain governance maturity, current artifact platform, and AI code-assistant adoption posture. A Merito Sonatype specialist follows up within one business day.
Component intelligence depth
140M+ components and 15+ years of data
Sonatype publishes that it sees 70% more open-source vulnerabilities than alternative sources and delivers insights 10x faster than the NVD.
Maven Central
Free public OSS repository
Sonatype operates Maven Central as the public open-source repository service, available to the entire OSS ecosystem. Not licensed separately.
Next step
Pick the Sonatype products that close the supply-chain governance gap.
A Sonatype conversation with Merito starts with the supply-chain maturity assessment. We recommend the products that fit the gap rather than pitching the full catalog.