Sonatype, the leader in developer-friendly tools for software supply chain automation and security, unveils Sonatype Lift (Lift), a first-of-its-kind, cloud-native, deep code analysis platform. Lift installs easily on any source repository in minutes and provides developer-friendly feedback on a wide range of bug types, ranging from lightweight style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

In the past year cyber attacks have increased exponentially, as bad actors increasingly go after software supply chains to exploit vulnerabilities in commercial and open source code — evidenced in the SolarWinds and Codecov incidents.  Even the world’s largest companies aren’t immune to software quality defects inadvertently reaching production. Apple recently reported critical vulnerabilities in its Webkit browser SDK and its iOS Kernel.  As code quality issues increasingly become security issues, developers and security teams need to work together to ensure code is both reliable and secure.  Further, as the recent Fastly outage demonstrated, innocent coding errors can cause as much damage as cyber attacks intentionally perpetrated by malicious actors.

Deep Code Analysis.  Easy for Developers.  Trusted by Security.

Created to make developers’ and security teams’ lives easier, Lift fosters collaboration between the two, providing a unified code analysis pipeline that brings 26+ tools across 11 languages to catch a wide range of bug types. Because Lift’s results are reported in code review, developers and security engineers can collaborate on how best (or whether) to fix reported issues. With reporting during the peer review window proven to dramatically improve fix rates, Lift’s ability to provide insights at this critical point will be instrumental in improving code quality.

This is the first code quality solution to bring the proven methods and technologies from Facebook (Infer) and Google (ErrorProne), and deliver them as a commercial platform. The unique way in which Lift works overcomes the challenges of conventional code analysis tools by making installation and configuration quick and easy, and leverages developer feedback to continuously improve results over time. By focusing on high-confidence bugs, Lift builds developer trust and ensures that when it does report, developers pay attention and fix the issues.

Lift catches not just issues in the code developers write, but also in the open source libraries they rely upon by pulling software composition analysis data from Sonatype’s OSS Index to report vulnerable open source libraries as comments in code review.

“Developers are increasingly responsible for ensuring their code is both secure and high-quality. Typical code quality tools are limited to per-file analysis and don’t catch bugs that traverse files. While SAST tools do, they are security-focused and run by security teams. We built Lift to provide developers deep code analysis focused on catching performance and reliability bugs that can lead to critical vulnerabilities similar to those increasingly exploited in recent attacks,” said Brian Fox, Sonatype co-Founder and CTO. “And, we have done it in a way that helps developers fix more bugs, without slowing them down or requiring them to switch contexts.”

Strengthening the Developer and Open Source Communities

Lift will be free forever for public repositories and serves open source maintainers by helping secure the software supply chain at its source. Sonatype’s long standing commitment to supporting the world’s open source community began as a core contributor to Apache Maven and continues with its stewardship of the Maven Central Repository, free developers tools including its OSS vulnerability database, and being an active member of the OpenSSF Foundation.

Additional Resources

• Read more about Sonatype Lift on the Sonatype Blog
• Register to attend ELEVATE 2021, Sonatype’s user conference, on June 17 and learn more about Lift and the future of Sonatype
• Try Lift for Free on GitHub today

About Sonatype

Sonatype is the leader in developer-friendly, full-spectrum software supply chain automation providing organizations total control of their cloud-native development lifecycles, including third-party open source code, first-party source code, infrastructure as code, and containerized code. The company supports 70% of the Fortune 100 and its commercial and open source tools are trusted by 15 million developers around the world. With a vision to transform the way the world innovates, Sonatype helps organizations of all sizes build higher quality software that’s more aligned with business needs, more maintainable and more secure.

Sonatype has been recognized by Fast Company as one of the Best Workplaces for Innovators in the world, two years in a row and has been named to the Deloitte Technology Fast 500 and Inc.