Migrating from Sonatype to ProGet
Migration Overview
ProGet and Sonatype both provide centralized package management, governance, and software supply chain security. Many core concepts will already be familiar, including repositories, permissions, package distribution, and policy enforcement. However, the platforms differ in how these capabilities are structured and implemented.
This chapter introduces the key concepts you’ll need when working with ProGet, including:
- feeds and repositories
- users, roles, and permissions
- API keys and authentication
- software composition analysis (SCA) and policies
- vulnerability and license enforcement
- SBOM management
- backup, retention, and replication
It also provides a mapping of how common Sonatype concepts translate into ProGet.
Platform Structure
Sonatype distributes functionality across multiple products, including Nexus Repository for package storage, Lifecycle for software composition analysis (SCA) and policy enforcement, and Firewall for blocking or quarantining risky packages.
ProGet consolidates these capabilities into a single platform. It manages package storage, governance, scanning, and automation within one system.
In ProGet:
- Feeds replace repositories
- Feeds support multiple package formats (NuGet, npm, PyPI, Docker, and more)
- SCA and license scanning are built in
- Policies can be applied globally or per feed
- Governance and automation are managed centrally
Feeds in ProGet serve the same purpose as repositories in Sonatype Nexus but use a more unified configuration model. Instead of separate hosted, proxy, and group repositories, a single ProGet feed can store packages locally and, through connectors, proxy or aggregate upstream sources, so one feed can fill several of those roles depending on how it is configured.
👉🏻 See “Feeds and Package Repositories” to learn more
Installing and Managing ProGet
ProGet can be deployed on Windows or Linux, either as a single server or in a High Availability configuration. Most installations are managed through Inedo Hub, which provides tooling for installation, updates, configuration, and service management.

Once installed, the typical setup process includes:
- creating and configuring feeds
- connecting directory services (e.g., Active Directory or LDAP)
- defining users, roles, and permissions
- enabling security scanning and policy enforcement
- preparing for package migration from existing systems

👉🏻 See “Installing and Managing ProGet” to learn more
Core Concepts
Users, Roles, and Permissions
ProGet uses roles and granular permissions to control access to feeds and platform features. This allows fine-grained control over how teams interact with packages and infrastructure.
ProGet can integrate with external directory services such as Active Directory and LDAP, so existing users and groups can be used for access control without recreating them in ProGet. Once connected, access is managed by assigning roles to those users and groups, scoped either to individual feeds or to the whole system.
👉🏻 See “Managing Users, Permissions, & API Keys” to learn more
API Keys
ProGet supports API keys for authentication and automation. Keys can be created and managed through the web UI, API, or command-line tools.
API keys can be scoped for:
- system-wide access
- feed-specific operations
- individual user or automation workflows
This enables integration with CI/CD systems, build tools, and deployment pipelines.
👉🏻 See “Managing Users, Permissions, & API Keys” to learn more
Security and Governance
Software Composition Analysis (SCA) and Policies
ProGet includes built-in software composition analysis and policy enforcement. Unlike Sonatype Lifecycle, which is a separate product, SCA is integrated directly into the platform.

ProGet evaluates dependencies during build and ingestion processes, including transitive dependencies. Policies can be defined globally or at the feed level to support different governance requirements across teams.
👉🏻 See “Policies & Software Composition Analysis (SCA)” to learn more
Vulnerability and License Enforcement
ProGet enforces security and license policies using granular rules rather than blanket package blocking.
Instead of blocking an entire package outright, ProGet evaluates the specific risks it carries, such as:
- known vulnerabilities, rated by severity
- license compliance issues
- how and where the package is used in your environment (for example, whether it reaches a production build)

Enforcement can be applied at the feed level or through global policies. This allows organizations to control risk with more precision across development and production environments.
ProGet also uses the Package Vulnerability Rating Scale (PVRS) to help determine how vulnerabilities should be handled based on their severity and context.
👉🏻 See “Package Management: Vulnerabilities and Licenses” to learn more
SBOM Management
ProGet includes built-in Software Bill of Materials (SBOM) management. SBOMs are automatically synchronized with packages, builds, and policy data.
You can:
- import existing SBOMs
- generate SBOMs during build and release processes
- track components, dependencies, licenses, and vulnerabilities
This ensures consistent compliance and simplifies audit workflows.
👉🏻 See “Managing Software Bills of Materials (SBOMs)” to learn more
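To make the policy behaviour described in the SCA, vulnerability/license, and SBOM sections concrete, the following is an added illustration written for this guide; it is not ProGet code and does not reproduce ProGet's rule engine. It assumes the SBOM is in CycloneDX JSON (an assumption; this chapter does not state which SBOM formats ProGet consumes), walks the transitive dependency graph from the application component, and applies granular rules: a license denylist, a severity threshold below which vulnerabilities only warn, and reviewed exemptions that downgrade a block to a warning instead of silencing it. The SBOM document, package names, license choices, and vulnerability identifiers are all constructed for the example.

```python
"""Evaluate a CycloneDX SBOM against granular vulnerability and license rules.

Added example for this guide. The SBOM, packages, and vulnerability ids below
are constructed for illustration and are not ProGet data or ProGet code.
"""
import json
from collections import deque
from dataclasses import dataclass

SEVERITY_RANK = {"none": 0, "info": 0, "unknown": 0,
                 "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed CycloneDX 1.4-style document. LibB and LibC are only reached
# transitively through LibA; "Unused" is listed but not in the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app@1.0.0", "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:nuget/LibA@2.1.0", "name": "LibA", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:nuget/LibB@0.9.0", "name": "LibB", "version": "0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "pkg:nuget/LibC@5.0.0", "name": "LibC", "version": "5.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:nuget/Unused@1.0.0", "name": "Unused", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["pkg:nuget/LibA@2.1.0"]},
        {"ref": "pkg:nuget/LibA@2.1.0",
         "dependsOn": ["pkg:nuget/LibB@0.9.0", "pkg:nuget/LibC@5.0.0"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:nuget/LibC@5.0.0"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:nuget/LibA@2.1.0"}]},
    ],
})


@dataclass(frozen=True)
class Policy:
    block_at: str = "high"      # vulnerabilities rated this or worse are blocked
    warn_at: str = "medium"     # rated this or worse, but below block_at, only warn
    denied_licenses: frozenset = frozenset({"GPL-3.0-only", "AGPL-3.0-only"})
    exempt_vulns: frozenset = frozenset()   # ids accepted after review -> warn, not block


@dataclass(frozen=True)
class Finding:
    ref: str      # component bom-ref the finding applies to
    rule: str     # "license" or "vulnerability:<id>"
    level: str    # "block" or "warn"
    detail: str


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def transitive_dependencies(sbom, root_ref=None):
    """All component refs reachable from the root component (BFS, cycle-safe)."""
    root = root_ref or sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, queue = set(), deque(edges.get(root, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(edges.get(ref, []))
    return sorted(seen)


def _max_severity(vuln):
    ratings = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(ratings, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")


def evaluate(sbom, policy):
    """Apply license and vulnerability rules to every in-scope (reachable) component."""
    findings = []
    in_scope = set(transitive_dependencies(sbom))
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    for ref in in_scope:
        comp = components.get(ref)
        if comp is None:
            findings.append(Finding(ref, "license", "warn", "dependency missing from component list"))
            continue
        licenses = set()
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            name = lic.get("id") or lic.get("name") or entry.get("expression")
            if name:
                licenses.add(name)
        if not licenses:
            findings.append(Finding(ref, "license", "warn", "no license declared"))
        for lic in sorted(licenses & policy.denied_licenses):
            findings.append(Finding(ref, "license", "block", f"license {lic} is denied"))
    for vuln in sbom.get("vulnerabilities", []):
        sev = _max_severity(vuln)
        rank = SEVERITY_RANK.get(sev, 0)
        if rank < SEVERITY_RANK[policy.warn_at]:
            continue   # below the warning threshold: recorded in the SBOM, not enforced
        for target in vuln.get("affects", []):
            ref, vid = target["ref"], vuln["id"]
            if ref not in in_scope:
                continue
            if vid in policy.exempt_vulns:
                findings.append(Finding(ref, f"vulnerability:{vid}", "warn", f"{sev}, exempted by review"))
            elif rank >= SEVERITY_RANK[policy.block_at]:
                findings.append(Finding(ref, f"vulnerability:{vid}", "block", f"{sev} severity"))
            else:
                findings.append(Finding(ref, f"vulnerability:{vid}", "warn", f"{sev} severity"))
    return findings


def decision(findings):
    """Overall verdict for a build: any block wins, then any warn, else allow."""
    levels = {f.level for f in findings}
    return "block" if "block" in levels else "warn" if "warn" in levels else "allow"


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for f in evaluate(sbom, Policy()):
        print(f.level.upper(), f.ref, f.rule, f.detail)
    print("decision:", decision(evaluate(sbom, Policy())))
```

With the default policy the constructed build is blocked twice: LibB for its denied license and LibC for the high-severity EXAMPLE-0001, both reached only transitively. The low-severity EXAMPLE-0002 on LibA stays below the warning threshold, and the unreachable "Unused" component is not evaluated at all. Adding EXAMPLE-0001 to `exempt_vulns` and clearing the license denylist turns the verdict into a warning rather than a silent pass, which is the audit trail a reviewer would expect from a reviewed exception.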
Maintenance and Operations
Backups and Restore
ProGet includes built-in backup and restore functionality to protect against data loss, system failure, and infrastructure issues.
While the overall concept is similar to Sonatype Nexus, ProGet’s storage model differs in implementation. A defined backup and restore strategy should be established during setup to ensure system reliability.
👉🏻 See “Storage, Backing Up & Restoring in ProGet” to learn more
Retention Policies
ProGet supports retention policies to manage storage usage and remove outdated or unused packages.
Unlike simple age- or count-based cleanup, ProGet supports more advanced rules, including pipeline-based retention. This allows organizations to control what is preserved or removed across:
- builds
- feeds
- SCA data and reports
👉🏻 See “Retention Policies for Packages and Builds” to learn more
Replication Across Instances
ProGet supports replication to synchronize packages across multiple environments or locations.
Common models include:
- hub-and-spoke replication
- bi-directional synchronization

Replication can be configured at the feed level and includes monitoring to support operational visibility across distributed environments.
👉🏻 See “Replication in ProGet” to learn more
Moving Forward
Migrating from Sonatype to ProGet involves understanding how core concepts map between platforms and how ProGet consolidates functionality into a single system.
While many concepts are familiar, ProGet’s unified approach to feeds, security, governance, and automation introduces structural differences that are important to understand early in the migration process.
The following chapters in this guide provide detailed coverage of repositories, security, SBOMs, backups, replication, and operational practices to support a complete migration workflow.
The next chapter begins the practical implementation phase with Installing and Managing ProGet, covering deployment options for single-server and High Availability environments, along with maintenance workflows.
