2 Sources
[1]
Sonatype Unveils Industry-First AI Software Composition Analysis (SCA) to Power AI-Driven Innovation
Fulton, Md., March 04, 2025 (GLOBE NEWSWIRE) -- Sonatype®, the leader in software supply chain security, today announced end-to-end AI Software Composition Analysis (AI SCA) capabilities that enable enterprises to harness the full potential of AI. With its unparalleled expertise in open source governance, Sonatype now extends its trusted platform to protect, manage, and optimize AI/ML models across development and deployment. Sonatype is the first and only company providing an end-to-end AI SCA solution, ensuring that enterprises can adopt AI with the same level of safety and productivity as traditional open source.

Open source AI/ML adoption is soaring -- over the last 12 months, Sonatype has identified more than 300,000 models within customer software supply chains. As organizations rush to integrate AI-powered software and agentic AI solutions, they face the same security, compliance, and governance challenges that once plagued open-source software adoption.

To confidently manage open source AI/ML usage in software supply chains, Sonatype provides:

- Proactive AI threat detection: Sonatype blocks intentionally malicious AI models from entering enterprise development environments.
- Centralized AI model governance: With Nexus Repository's Hugging Face proxy support, development teams can efficiently store, manage, and govern AI/ML models within existing DevOps workflows.
- Automated AI policy management: Sonatype enables organizations to enforce security and compliance policies across AI model usage.
- Unmatched AI observability and compliance: Sonatype provides full visibility into AI/ML model consumption, strengthening AI/ML security and defense strategies and streamlining first- and third-party software evaluation so enterprises can scale AI safely.

"No one knows open source like Sonatype, and AI is the next frontier. Just as we revolutionized open source security, we are now doing the same for AI," said Mitchell Johnson, Chief Product Development Officer at Sonatype. "We are the first company to address the entire AI/ML supply chain -- giving enterprises and developers the confidence to deliver AI-powered solutions without compromising security, compliance, or velocity. By integrating seamlessly into existing DevOps workflows, we ensure developers can innovate freely while staying secure."

In The Forrester Wave™: Software Composition Analysis (SCA) Software, Q4 2024 report, the Forrester analyst noted Sonatype's forthcoming AI capabilities would "catapult Sonatype ahead on both software supply chain and generative AI (genAI) SCA" and awarded Sonatype the highest possible marks in several categories, including AI component analysis.

"It has never been easier for organizations to integrate open source AI models into software, but with open source AI consumption comes the same risk facing users of traditional open source. It is imperative that we, as an industry, secure their use now in order to prevent unmanageable security workloads in the future," said Brian Fox, Co-founder and CTO at Sonatype. "We are proud to offer developers and security teams an end-to-end platform that provides the visibility and governance capabilities needed to use AI models safely, setting organizations up for easy and efficient long-term security."

AI is transforming software development, but enterprises cannot afford to take shortcuts when it comes to security and compliance. Sonatype makes it possible for organizations to integrate AI models into their development workflows confidently -- just as they do with open source components today. For more information on how Sonatype enables AI-powered development at scale, visit https://www.sonatype.com/solutions/open-source-ai.

About Sonatype

Sonatype is the software supply chain security company. We provide the world's best end-to-end software supply chain security solution, combining the only proactive protection against malicious open source, the only enterprise grade SBOM management and the leading open source dependency management platform. This empowers enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world's largest repository of Java open-source software, we are software pioneers and our open source expertise is unmatched. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximize efficiencies, and drive powerful software development. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimize their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.

Megan Schmidt, Sonatype
[2]
Sonatype adds new tools to secure open-source AI and ML models in software supply chains - SiliconANGLE
Software supply chain management firm Sonatype Inc. today announced new capabilities to help organizations securely integrate, manage and govern open-source artificial intelligence and machine learning models through the software development lifecycle, as well as data training and deployment processes.

The new capabilities seek to address the challenges arising from the growing use of open-source AI and machine learning models within customer software supply chains. Sonatype argues that the same challenges that apply to traditional open-source software consumption, including dependency management and open-source malware, also apply to AI, machine learning and large language models.

To manage open-source AI and machine learning usage in software supply chains, Sonatype now provides proactive defense against malicious AI models. The platform blocks harmful models from entering repositories before they can cause damage, helping teams maintain a secure development environment.

Sonatype also offers centralized access to AI and machine learning models through Hugging Face proxy repositories to allow development teams to efficiently store and manage models as part of their modern DevOps workflows.

On the policy management front, Sonatype now enables organizations to detect AI and machine learning components and scan Hugging Face models while setting usage policies. Doing so gives developers the flexibility to select safe, compliant models with full visibility into how they are used.

Additionally, Sonatype now delivers enterprise-grade observability and compliance for AI and machine learning models to strengthen security strategies and help organizations stay aligned with global regulations as AI adoption grows.

"It has never been easier for organizations to integrate open-source AI models into software," said Brian Fox, co-founder and chief technology officer at Sonatype. "But with open source AI consumption comes the same risk facing users of traditional open source."

Fox, along with Tyler Warden, senior vice president of product at Sonatype, spoke with theCUBE, SiliconANGLE Media's livestream studio, in March 2024, when they discussed the company's approach to the software lifecycle and bill of materials.
Sonatype introduces industry-first end-to-end AI Software Composition Analysis capabilities, enabling enterprises to securely adopt and manage AI/ML models in their software development processes.
Sonatype, a leader in software supply chain security, has announced a pioneering end-to-end AI Software Composition Analysis (AI SCA) solution. This innovative offering aims to empower enterprises to harness the full potential of AI while maintaining robust security and compliance standards [1].

As organizations rapidly adopt AI-powered software and agentic AI solutions, they face security, compliance, and governance challenges similar to those encountered during the early stages of open-source software adoption. Sonatype's new capabilities are designed to address these issues, allowing enterprises to integrate AI models into their development workflows with confidence [1].

Sonatype's forthcoming AI capabilities have been recognized in The Forrester Wave™: Software Composition Analysis (SCA) Software, Q4 2024 report. The report suggests that these features will "catapult Sonatype ahead on both software supply chain and generative AI (genAI) SCA" [1].

Brian Fox, Co-founder and CTO at Sonatype, emphasized the importance of securing open-source AI model usage: "It is imperative that we, as an industry, secure their use now in order to prevent unmanageable security workloads in the future" [2].

Over the past 12 months, Sonatype has identified more than 300,000 AI/ML models within customer software supply chains, highlighting the rapid adoption of open-source AI/ML technologies [1]. The company's new offerings aim to provide developers and security teams with the tools needed to use AI models safely and efficiently.

Sonatype's AI SCA solution is designed to seamlessly integrate into existing DevOps workflows. This integration ensures that developers can innovate freely while maintaining security and compliance standards [2]. The platform enables organizations to detect AI and ML components, scan Hugging Face models, and set usage policies, giving developers the flexibility to select safe, compliant models with full visibility into their usage [2].

As AI continues to transform software development, Sonatype's end-to-end platform sets the stage for long-term security and efficient AI integration. By providing the necessary visibility and governance capabilities, the company aims to enable organizations to scale their AI-powered development safely and confidently [1].