Skip to main content

Sonatype acquires MuseDev, expands Nexus code analysis platform

Example of how Muse comments on code review
MuseDev's code analysis provides information about bugs found in the code as a comment in code review.
Image Credit: Sonatype

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


Sonatype, which provides tools for developers to build better quality software, has acquired code analysis platform MuseDev. The acquisition adds developer-friendly code scanning to Sonatype’s platform to create a “full-spectrum” software supply chain management platform, company CEO Wayne Jackson said.

Modern software development is less about developers writing every single line of code and more about them assembling different components with their own code. This means third-party code is almost always present in an application, and there are multiple ways for bugs to be introduced into the code. Developers have to test their own code to make sure there are no bugs and regularly verify the building blocks don’t contain issues that could affect their applications.

Sonatype makes tools to help developers manage the various building blocks and alerts developers of potential issues that need to be fixed. Historically, Sonatype has focused on scanning open source software for security vulnerabilities and on keeping risky components out of the application, Jackson said. Sonatype’s tools have helped identify security vulnerabilities in code the developers didn’t write, but that could still impact their application.

“As developers take on more responsibility for containers, code, and infrastructure, our mission is to make their lives easier while they make great software,” Jackson said. The way to help “developers optimize the code they write is by delivering directly to the toolchain.”

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

Tools where the developer lives

MuseDev’s code analysis platform scans the source code for more than security vulnerabilities. The static analysis tool emphasizes code quality and can identify critical performance and reliability issues in the code, as well as whether there are style issues the could hamper the code’s maintainability.

Developers don’t want security vulnerabilities in their code, but “they also don’t want to get paged in the middle of the night because the application was failing” due to performance issues, MuseDev CEO Stephen Magill told VentureBeat.

Muse integrates its 24 preconfigured code analyzers into GitHub, GitLab, and Bitbucket. The analyzers automatically assess each developer pull request and report any bugs found as comments in code review. The comments include clear guidance on how to fix the bugs, and the analysis considers information flow and thread safety to give developers deeper insight into the code. Developers see all the feedback — from their teammates and from Muse — in one place and are able to fix the issues as part of their normal workflow. There is no need to wait for the security team to run its own assessment and inform developers of the issues that were uncovered.

“Teams adopting this approach are 70 times more likely to fix code quality and security issues,” Magill said.

Muse is pretuned to minimize false-positive results to ensure developers are receiving information about issues that matter the most, which helps developers work more efficiently and write better quality code. “As enterprises look to push their development teams to work faster, it becomes imperative to find ways to help developers to move more quickly by automating crucial but time-consuming tasks like code analysis,” RedMonk principal analyst Stephen O’Grady told VentureBeat.

Full-spectrum software management

The acquisition of MuseDev expands the breadth and depth of Sonatype’s Nexus platform because the combination of Muse — a cloud-native source code analysis tool — with Sonatype’s existing tools gives developers more control over their code.

Nexus Container is a developer-friendly container security solution that provides continuous visibility into the composition and management of containers from development to run time. The Infrastructure as Code Pack provides guidance to assist developers in configuring cloud infrastructure and ensuring they are compliant with privacy and security standards such as CIS Foundations Benchmarks, GDPR, and HIPAA.

The pack helps developers fix mistakes in configuration before they are applied to production infrastructure. Nexus Repository makes it easier to host and distribute build artifacts such as Docker containers and code components. The recently released Advanced Development Pack delivers a real-time rating system to help developers select the best open source component suppliers and avoid using multiple versions of the same code. The Advanced Legal Pack, which will be released in a few months, will improve visibility into open source licenses.

Developers will be able to use Sonatype’s expanded platform for all application building blocks, which include first-party source code, third-party open source code, infrastructure-as-code, and containerized code.

“With high-profile attacks on software supply chains making headlines the world over, enterprises are moving to harden their development infrastructure against attackers. As important as the task is, however, technology leaders don’t want to solve this problem with a complicated patchwork quilt of services, solutions and providers — they want an integrated, end-to-end solution,” O’Grady said.

This kind of integrated code analysis is something enterprises are asking for as they adopt DevOps practices to build and release better quality code and accelerate their digital transformation efforts to improve speed and efficiency. This acquisition and platform expansion positions Sonatype very well among companies that offer various forms of code analysis and scanning, including Checkmarx, Contrast Security, Micro Focus Fortify, Snyk, Synopsys, Veracode, and WhiteSource.

The company has been growing tremendously over the past year. It now counts 70% of the Fortune 100 as customers, supporting more than 2,000 commercial engineering teams. And 12 out of the 15 of the world’s largest banks use Sonatype’s tools, Jackson said. Other customers include various branches of the United States Armed Forces, credit card companies, and technology companies. There are more than 250,000 instances of Nexus Repositories, which translates to nearly 15 million developers using Sonatype’s commercial and open source tools. Private equity and venture capital firm Vista Equity Partners made a majority investment in Sonatype back in 2019 — acquiring more than 50%. Jackson suggested the company could see a potential IPO with the current pace of growth.

Most of the enterprises using Sonatype’s tools are not technology companies in the traditional sense. There are financial services organizations with more developers in-house working on internal applications and proprietary tools than companies such as Apple and eBay, Jackson said. Those enterprises are looking at the entire software development lifecycle, which means they care about things other than security vulnerabilities when considering the health of their applications, such as project and release hygiene, Jackson said.

“Why should [developers] pick a project that hasn’t been updated in years or has bad commit history?” Jackson said.

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.