Governance in ProGet: Policies & SCA

Migrating from Sonatype to ProGet
Step-by-Step Guide & Best Practices

Policies & Software Composition Analysis (SCA)

Software Composition Analysis (SCA) is used to identify vulnerabilities, risky licenses, and policy violations across application dependencies.

In Sonatype environments, SCA is typically handled through Lifecycle as a separate service from the package repository. ProGet includes SCA directly within the platform, integrating scanning, policies, reporting, and SBOM management into a single system.

This article covers:

  • Built-In SCA
  • Build-Time Dependency Scanning
  • Policies and Enforcement
  • CI/CD Integration and Scanning Workflows
  • Migrating from Lifecycle to ProGet

Built-In SCA

In Sonatype environments, SCA is managed separately from repository management through Sonatype Lifecycle. This requires separate infrastructure, configuration, upgrade workflows, and CI/CD integrations.

Because Lifecycle operates independently from Nexus repositories, policies, dependency data, and scan results must remain synchronized across systems.

ProGet integrates SCA directly into the platform. Policies, scanning, reporting, and SBOM management are managed within the same environment as package repositories and feeds.

This reduces the operational overhead associated with maintaining separate SCA infrastructure and synchronization workflows.

Build-Time Dependency Scanning

ProGet focuses on build-time scanning of fully resolved dependencies.

While Lifecycle supports both source-code scanning and build-time scanning, ProGet prioritizes build-time analysis to provide visibility into the packages that are ultimately included in builds and deployments.

This approach captures:

  • direct dependencies
  • transitive dependencies
  • resolved package versions
  • build-generated dependency relationships

Build-time scanning also supports:

  • SBOM generation
  • policy enforcement
  • auditing and reporting workflows
  • dependency remediation analysis

By analyzing fully resolved builds, ProGet provides a single authoritative view of the packages included in production artifacts.
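The distinction between declared and resolved dependencies above is easiest to see on a concrete build. The following is an added example, not code from ProGet or pgutil: it walks a constructed npm package-lock.json (lockfileVersion 3, assumed to use the flat, hoisted node_modules layout) and contrasts what the manifest alone declares (one direct dependency as a version range) with what the resolved build actually contains (direct and transitive packages at exact versions, plus which parent pulled each one in).

```python
"""
Enumerate what build-time scanning sees in a fully resolved build: direct
dependencies, transitive dependencies, exact resolved versions and the
parent relationship that introduced each package.

Added example, not ProGet's or pgutil's own code. The package.json and
package-lock.json documents below are constructed sample data; the walker
assumes the flat (hoisted) node_modules layout of lockfileVersion 3.
"""
import json

# Constructed manifest: only declares direct dependencies as version ranges.
PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {"express": "^4.18.0"},
})

# Constructed lockfile: records every resolved package at its exact version.
PACKAGE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0"}},
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"qs": "6.11.0", "debug": "2.6.9"}},
        "node_modules/qs": {"version": "6.11.0"},
        "node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
        "node_modules/ms": {"version": "2.0.0"},
    },
})


def declared_dependencies(package_json):
    """What a manifest-only (source) view knows: direct names and their ranges."""
    return dict(json.loads(package_json).get("dependencies", {}))


def resolve_dependency_tree(package_json, package_lock):
    """Return {name: {"version": str, "depth": int, "via": parent_or_None}}.

    depth 1 = direct dependency, depth > 1 = transitive dependency reached
    through the parent named in "via".
    """
    manifest = json.loads(package_json)
    lock = json.loads(package_lock)
    if lock.get("lockfileVersion") != 3:
        raise ValueError("this example handles lockfileVersion 3 only")
    packages = lock["packages"]

    def entry(name):
        # Assumes hoisted layout; nested node_modules paths are not handled here.
        return packages.get("node_modules/" + name)

    resolved = {}
    # Breadth-first walk from the declared direct dependencies, so the
    # recorded depth is the shortest path from the application.
    queue = [(name, 1, None) for name in manifest.get("dependencies", {})]
    while queue:
        name, depth, parent = queue.pop(0)
        if name in resolved:
            continue  # already reached through a shorter path
        pkg = entry(name)
        if pkg is None:
            raise ValueError(f"{name} is required but missing from the lockfile")
        resolved[name] = {"version": pkg["version"], "depth": depth, "via": parent}
        for child in pkg.get("dependencies", {}):
            queue.append((child, depth + 1, name))
    return resolved


def classify(resolved):
    """Split the resolved tree into sorted direct and transitive package names."""
    direct = sorted(n for n, r in resolved.items() if r["depth"] == 1)
    transitive = sorted(n for n, r in resolved.items() if r["depth"] > 1)
    return direct, transitive


if __name__ == "__main__":
    print("declared (manifest only):", declared_dependencies(PACKAGE_JSON))
    tree = resolve_dependency_tree(PACKAGE_JSON, PACKAGE_LOCK)
    direct, transitive = classify(tree)
    print("direct:", direct)
    print("transitive:", transitive)
    for name, info in sorted(tree.items()):
        print(f"  {name}@{info['version']} (depth {info['depth']}, via {info['via']})")
```

On the sample data the manifest reports a single range (`express ^4.18.0`), while the resolved build yields four packages at exact versions, three of them transitive; that gap is what a policy or vulnerability check sees only when it runs against the build rather than the source manifest.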

Policies and Enforcement

Both ProGet and Lifecycle support customizable security, licensing, and governance policies.

Policies can be configured globally or at the feed level, allowing organizations to apply different governance requirements across projects and environments.

Exceptions can also be configured for approved packages or organization-specific use cases.

ProGet includes policy enforcement directly within the platform, combining:

  • SCA analysis
  • policy management
  • reporting
  • SBOM workflows

within a single system.

CI/CD Integration and Scanning Workflows

Teams familiar with Lifecycle’s IQ CLI can use ProGet’s pgutil command-line tool for:

  • build scanning
  • policy evaluation
  • SBOM generation
  • CI/CD integration workflows

This allows existing scanning processes to transition gradually without requiring major pipeline redesigns.

Because scanning and policy management are built directly into ProGet, CI/CD integrations can operate without coordinating separate repository and SCA services.

Migrating from Lifecycle to ProGet

A common migration approach is to run IQ CLI and pgutil in parallel during the transition process.

This allows teams to:

  • scan the same builds in both systems
  • compare scan results and policy behavior
  • validate SBOM outputs
  • evaluate reporting and enforcement workflows

Running both tools during migration helps organizations transition policies and scanning workflows incrementally while maintaining existing CI/CD processes.
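The parallel-run comparison described above, as an added example that is not part of this page or of either vendor's tooling: it assumes both scanners can export the same build as CycloneDX JSON, matches components across the two documents by package URL (purl), and reports components that appear in only one SBOM or were resolved at different versions. The two embedded SBOM documents and the scanner labels are constructed sample data; how each tool is invoked to produce its SBOM is outside the example.

```python
"""
Compare two CycloneDX SBOMs generated for the same build by two different
scanners and report where their component inventories disagree.

Added example, not Inedo's or Sonatype's code. It assumes both tools export
CycloneDX JSON with a top-level "components" list whose entries carry a
"purl" (package URL). SBOM_A and SBOM_B are constructed sample documents.
"""
import json
from dataclasses import dataclass, field

# Constructed SBOM standing in for the existing scanner's output.
SBOM_A = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.1",
         "purl": "pkg:nuget/Newtonsoft.Json@13.0.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
    ],
})

# Constructed SBOM standing in for the new scanner's output for the same build.
SBOM_B = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
         "purl": "pkg:nuget/Newtonsoft.Json@13.0.3"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "Serilog", "version": "3.1.1",
         "purl": "pkg:nuget/Serilog@3.1.1"},
    ],
})


@dataclass
class SbomDiff:
    only_in_a: set = field(default_factory=set)          # version-less purl keys
    only_in_b: set = field(default_factory=set)
    version_mismatch: dict = field(default_factory=dict)  # key -> (version_a, version_b)
    matching: set = field(default_factory=set)

    def is_clean(self):
        return not (self.only_in_a or self.only_in_b or self.version_mismatch)


def load_components(sbom_json):
    """Map each component's version-less purl (type/namespace/name) to its version."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    components = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without a purl cannot be matched across tools
        # Drop qualifiers (?type=jar) and subpath (#...) so they do not affect matching.
        purl = purl.split("?", 1)[0].split("#", 1)[0]
        if "@" in purl:
            key, version = purl.rsplit("@", 1)
        else:
            key, version = purl, comp.get("version", "")
        components[key] = version
    return components


def diff_sboms(sbom_a, sbom_b):
    """Classify every component as matching, version-mismatched, or present in only one SBOM."""
    a, b = load_components(sbom_a), load_components(sbom_b)
    d = SbomDiff()
    for key in a.keys() | b.keys():
        if key not in b:
            d.only_in_a.add(key)
        elif key not in a:
            d.only_in_b.add(key)
        elif a[key] != b[key]:
            d.version_mismatch[key] = (a[key], b[key])
        else:
            d.matching.add(key)
    return d


def format_report(d, label_a="existing scanner", label_b="pgutil"):
    """Render the diff as plain lines suitable for a CI job log."""
    lines = [f"matching components: {len(d.matching)}"]
    lines += [f"only in {label_a}: {k}" for k in sorted(d.only_in_a)]
    lines += [f"only in {label_b}: {k}" for k in sorted(d.only_in_b)]
    lines += [f"version differs for {k}: {label_a}={va} {label_b}={vb}"
              for k, (va, vb) in sorted(d.version_mismatch.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    result = diff_sboms(SBOM_A, SBOM_B)
    print(format_report(result))
    # Non-zero exit lets the parallel-run stage fail until the two inventories agree.
    raise SystemExit(0 if result.is_clean() else 1)
```

Matching components are a precondition for comparing vulnerability findings and policy decisions between the two tools: a finding reported by only one scanner is uninteresting until you know whether both scanners saw the same package at the same version. Running this after each parallel scan, and treating a non-empty diff as a failed stage, turns the "validate SBOM outputs" step into a repeatable check rather than a manual review.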

Over time, policies, scans, and dependency analysis workflows can be consolidated into ProGet’s integrated SCA environment.

Built-In SCA for Reliable Build-Time Scanning

ProGet combines repository management, SCA, policy enforcement, and SBOM workflows within a single platform.

By focusing on build-time dependency analysis, ProGet provides visibility into resolved packages and transitive dependencies while reducing the operational complexity associated with maintaining separate repository and SCA systems.

Build-time analysis also changes how organizations approach vulnerability and license governance after issues are identified. The next article covers how ProGet approaches vulnerability and license management through registry-wide policies, risk assessments, and feed-level enforcement controls.