ProGet vs. Sonatype
Learn how to replace Sonatype and save $100,000+
Sonatype and ProGet offer very similar solutions: both can host and secure your packages while protecting you from open-source risks. With Sonatype, you need at least three different products (Nexus Repository, Firewall, and Lifecycle), which cost over $102,600/year for only 75 users.
ProGet Enterprise is only $9,995/year no matter how many users you have. You can use ProGet Free edition for as long as you’d like, or simply go with ProGet Basic for $1,995/year.
ProGet: a single tool that hosts and secures your artifacts, packages, and containers; easy to install and manage, and relatively low cost
Sonatype: a collection of disjointed tools that are complex and very costly… but can eventually host and secure your artifacts, packages, and containers
Does ProGet have all of the same features?
Yes… unless you’re using one of the obscure package types that only Nexus Repository supports, such as ELPA or OBR packages. We may add support for these feed types if there’s user demand, but so far no one’s asked.
Not only does ProGet share the same features as Sonatype Nexus, but it improves on several of them.
NuGet & Symbol Serving
If you use .NET packages (NuGet), there’s simply no comparison: ProGet has far superior support. Not only from a performance and usability standpoint, but ProGet implements an absolute must-have feature: symbol serving.
Sonatype has an old “community” plugin with experimental support for “proxying” symbols from NuGet.org, but it hasn’t been updated since 2019, and Sonatype has no plans to support this on their roadmap.
ProGet has always supported Source and Symbol Serving for NuGet, since day one, right out of the box.
Nexus has an unsupported “community” plugin, but it doesn’t support hosting your own Symbol packages.
Package vs Artifact Mindset
Both products have the same purpose but with different file management approaches.
Nexus Repository takes the artifacts approach. Artifacts can be any type of file, such as .jar, .war, .dll, .rpm, .zip, .jpg, etc. Although an artifact server can read each individual file type’s properties, you still have to configure the rules yourself to enforce naming conventions and file scans on uploaded files.
On the other hand, ProGet takes the packages approach. Packages have a standards-defined format like NuGet, PyPI, Helm, and so on. Your NuGet packages can only be in NuGet feeds, for example, segregated from other package types.
Just like a Blu-ray player doesn’t allow you to play a VHS tape, this strict formatting gives organizations more control over the code entering or leaving different feeds.
What Does This Mean for You?
An artifact repository is a collection of files, much like a normal share drive, which also manages your end-to-end artifact lifecycle when building. While this does make it easy to move, copy, and share files, it’s outdated because any and every file type is allowed. More files with less metadata make auditing a nightmare.
ProGet’s modern approach is a better fit for modern development. Because it’s not an open-ended format, package-minded solutions like ProGet help organizations enforce separation while allowing collaboration between teams. And ProGet is far superior for handling NuGet packages, as it was originally developed to support this popular development format.
Can Artifact Servers Handle Packages?
Yes and no. As an artifact server, Nexus Repository can technically handle any file type, including .nupkg. But the problem with handling everything is that you specialize in nothing.
Nexus Repository lags in its support for NuGet. A quick search of their public issue tracker reveals a long list of NuGet-related bugs, and it takes Nexus Repository some time to fix them, even the critical ones.
Can Package Servers Handle Artifacts?
Yes, they can. Artifacts are just files, after all. It was easy to get ProGet to “think in artifacts” to support Maven or any other type of artifact. Both Maven feeds and asset directories have seen next to no bugs in ProGet for years.
ProGet is a package repository built to manage packages like NuGet, npm, Chocolatey, and more, and Docker containers, all in one place.
Nexus Repository is a universal artifact repository that manages all file types.
Features included in ProGet Basic
ProGet includes multiple features that Sonatype sells as add-ons to Nexus Repository. That not only costs more, but also makes self-management more complex.
ProGet automatically scans packages for licenses and vulnerabilities
ProGet automatically discovers vulnerabilities and license agreements in packages, and can block package usage based on an automatic assessment of each vulnerability’s CVSS score or on your team’s manual assessment. It can also block packages with unwanted licenses (such as GPL-3) so that developers don’t accidentally incorporate them into a new project.
Analyze active releases for new vulnerabilities or unwanted licenses
Projects and Releases in ProGet let you track the open-source and third-party components (packages) that your organization uses, and help you identify issues like vulnerabilities, license violations, and missing packages.
Analyze Docker images like packages
ProGet scans Docker images for vulnerabilities and licenses just as it does packages, and lets you manage them from a simple GUI.
Generate SBOMs for traceability and compliance
ProGet makes it easy to generate Software Bills of Materials from your projects at build/CI time. ProGet will then continuously scan packages and releases for vulnerabilities, license issues, and missing packages, even after the packages or containers have been deployed to production.
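To make the two features above concrete (SBOM generation at build time, then blocking packages by vulnerability score, manual assessment, or denied license), here is an added example of what that pipeline does in code. It is illustrative code written for this page, not ProGet’s or Sonatype’s implementation. It reads a NuGet packages.lock.json, emits a minimal CycloneDX 1.5 SBOM with package URLs (purls), and evaluates each component against a policy. The lock file, the Acme.* package names, their licenses, the EXAMPLE-* advisory IDs and CVSS scores, and the 7.0 threshold are all constructed for the example.

```python
import json
from typing import Dict, List, Optional

# Constructed packages.lock.json content in the format NuGet writes when
# RestorePackagesWithLockFile is enabled. The package names are fictional.
LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Acme.Http": {"type": "Direct", "requested": "[2.1.0, )", "resolved": "2.1.0"},
            "Acme.Reports": {"type": "Direct", "requested": "[1.4.2, )", "resolved": "1.4.2"},
            "Acme.Utils": {"type": "Transitive", "resolved": "0.9.0"},
        }
    },
})

# Constructed license metadata and advisories, keyed by package URL (purl).
# The advisory IDs are placeholders, not real CVEs.
LICENSES = {
    "pkg:nuget/Acme.Http@2.1.0": "MIT",
    "pkg:nuget/Acme.Reports@1.4.2": "GPL-3.0-only",
    "pkg:nuget/Acme.Utils@0.9.0": "Apache-2.0",
}
VULNERABILITIES = {
    "pkg:nuget/Acme.Http@2.1.0": [{"id": "EXAMPLE-2024-0001", "cvss": 9.8}],
    "pkg:nuget/Acme.Utils@0.9.0": [{"id": "EXAMPLE-2024-0002", "cvss": 5.3}],
}


def purl(name: str, version: str) -> str:
    """Package URL for a NuGet package (purl spec: pkg:nuget/<name>@<version>)."""
    return f"pkg:nuget/{name}@{version}"


def build_sbom(lock_json: str) -> dict:
    """Turn packages.lock.json into a minimal CycloneDX 1.5 document.

    Packages resolved under several target frameworks are deduplicated by purl,
    since the same name+version is one component regardless of framework.
    """
    lock = json.loads(lock_json)
    components: Dict[str, dict] = {}
    for framework, deps in lock["dependencies"].items():
        for name, info in deps.items():
            p = purl(name, info["resolved"])
            if p in components:
                continue
            spdx = LICENSES.get(p)
            components[p] = {
                "type": "library",
                "name": name,
                "version": info["resolved"],
                "purl": p,
                "licenses": [{"license": {"id": spdx} if spdx else {"name": "unknown"}}],
                "properties": [
                    {"name": "nuget:dependencyType", "value": info["type"]},
                    {"name": "nuget:targetFramework", "value": framework},
                ],
            }
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": list(components.values()),
    }


def evaluate(
    sbom: dict,
    cvss_threshold: float = 7.0,
    denied_licenses=("GPL-3.0-only",),
    assessments: Optional[Dict[str, str]] = None,
) -> Dict[str, List[str]]:
    """Map each component purl to the reasons it is blocked (empty list = allowed).

    A vulnerability blocks the package when its CVSS score meets the threshold,
    unless a manual assessment overrides it: "ignore" allows the package despite
    the score, "block" blocks it regardless of score.
    """
    assessments = assessments or {}
    verdict: Dict[str, List[str]] = {}
    for comp in sbom["components"]:
        reasons: List[str] = []
        for vuln in VULNERABILITIES.get(comp["purl"], []):
            decision = assessments.get(vuln["id"])
            if decision == "ignore":
                continue
            if decision == "block" or vuln["cvss"] >= cvss_threshold:
                reasons.append(f'{vuln["id"]} (CVSS {vuln["cvss"]})')
        for lic in comp["licenses"]:
            spdx = lic["license"].get("id")
            if spdx in denied_licenses:
                reasons.append(f"license {spdx} is denied")
        verdict[comp["purl"]] = reasons
    return verdict


def blocked(verdict: Dict[str, List[str]]) -> List[str]:
    """Sorted purls that failed policy."""
    return sorted(p for p, reasons in verdict.items() if reasons)


if __name__ == "__main__":
    bom = build_sbom(LOCK_FILE)
    print(json.dumps(bom, indent=2))
    for p, reasons in evaluate(bom).items():
        print(p, "BLOCKED" if reasons else "allowed", reasons)
```

With the constructed data, Acme.Http is blocked by its 9.8 advisory, Acme.Reports by its GPL-3.0-only license, and Acme.Utils (CVSS 5.3) passes at the 7.0 threshold unless a manual assessment marks its advisory as "block". Because the verdict is keyed by purl, the same SBOM can be re-evaluated later against a refreshed advisory feed, which is the point of scanning releases continuously after deployment rather than only at build time.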
ProGet is designed to be self-managed
Nexus Repository is designed as a cloud-first solution, and its self-managed version doesn’t offer the same level of support or ease of configuration.