New Policy Grandfathering: Automating Open Source Governance at Your Own Pace

August 29, 2018 By Michelle Dufty


So you just purchased and installed Nexus Lifecycle because it’s time to automate your open source policies at scale - great news! Next, you onboard your existing apps, and immediately see a report with a ton of policy violations. These violations are for open source components that have been in your apps for some time, so what do you do next? How do you prioritize what to fix? And how do you deal with the frustration from developers when all of your builds start to break because you have integrated policy enforcement across the SDLC?

This is a problem we have seen at some of our clients who want to do the right thing, but also know that you can’t go from manual whitelists/blacklists to automatic policy enforcement overnight. Nexus Lifecycle automatically enforces open source policies across your DevOps pipeline, but we know you need time to go back and fix years of manual processes and policy review.

That is why we just released a new feature in Nexus Lifecycle called policy grandfathering. Grandfathering applies to newly onboarded applications: when enabled, it ignores, or “grandfathers”, the non-critical policy violations that already exist at onboarding. That way, you can focus on fixing any critical policy violations and create a backlog for the non-critical ones. Grandfathering makes it easy to prioritize what you need to fix without losing sight of what is still left to do.


Grandfathering also makes it a lot easier to turn on automatic enforcement without feeling overwhelmed - easing you into it at a pace that works for you. But it does not ignore components added after the app has been onboarded. If a new component is added after the initial scan, Nexus Lifecycle will flag every policy violation for that new component - ensuring that only the highest quality open source components make it into your applications.
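To make the behaviour described above concrete, here is a small model of it in Python. This is an added illustration, not Nexus Lifecycle's own code: it assumes a baseline is captured from the onboarding scan, that a violation is grandfathered only when the same component, policy and severity were present in that baseline, and that critical violations are never grandfathered. The component coordinates and policy names are constructed sample values.

```python
"""Model of "grandfathering" existing policy violations on a newly onboarded app.

Constructed example, not Nexus Lifecycle's implementation. It captures the
behaviour described in the post: non-critical violations present at onboarding
go to a backlog, while critical violations and anything introduced afterwards
are surfaced for action. Component and policy names are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    component: str  # coordinates of the open source component (constructed)
    policy: str     # name of the violated policy (constructed)
    critical: bool  # True for violations that must never be grandfathered


def onboard(initial_scan):
    """Build the grandfather baseline from the first scan of an application.

    Returns (baseline, must_fix): non-critical violations become the baseline
    that later scans ignore; critical ones are returned for immediate action.
    """
    baseline = frozenset(v for v in initial_scan if not v.critical)
    must_fix = [v for v in initial_scan if v.critical]
    return baseline, must_fix


def evaluate(scan, baseline):
    """Classify the violations of a later scan against the baseline.

    A violation is grandfathered only when the exact same component, policy
    and severity existed at onboarding. A component added after onboarding has
    no baseline entry, so all of its violations are surfaced, and critical
    violations are never in the baseline to begin with.
    """
    surfaced = [v for v in scan if v not in baseline]
    backlog = [v for v in scan if v in baseline]
    return surfaced, backlog


# Constructed sample data: what the onboarding scan found.
ONBOARDING_SCAN = [
    Violation("org.example:legacy-lib:1.0", "Security-High", critical=True),
    Violation("org.example:legacy-lib:1.0", "License-Copyleft", critical=False),
    Violation("org.example:old-util:2.3", "Architecture-Age", critical=False),
]

# A later scan: the same three findings plus one from a component added
# after onboarding, which is not grandfathered even though it is non-critical.
LATER_SCAN = ONBOARDING_SCAN + [
    Violation("org.example:new-parser:0.9", "License-Copyleft", critical=False),
]


def demo():
    """Run both scans through the model and summarise the outcome."""
    baseline, must_fix = onboard(ONBOARDING_SCAN)
    surfaced, backlog = evaluate(LATER_SCAN, baseline)
    return {
        "onboarding_must_fix": [(v.component, v.policy) for v in must_fix],
        "later_surfaced": [(v.component, v.policy) for v in surfaced],
        "later_backlog": [(v.component, v.policy) for v in backlog],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block surfaces the critical finding at onboarding, and after the later scan it surfaces that same critical finding together with the new component's violation, while the two pre-existing non-critical findings stay in the backlog. Matching on the full (component, policy, severity) tuple is the design choice that keeps the baseline from silently covering anything that changed after onboarding.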

Check out this new video from Jamie Whitehouse, Product Owner for Nexus Lifecycle, to see how it works:

And let us know what you think about this new feature at the Sonatype Community site. We are excited to hear how policy grandfathering helps you automate open source governance at scale.

Tags: Nexus Lifecycle, policy violations, grandfathering, Product

Written by Michelle Dufty

Michelle Dufty is the Senior Director of Product Marketing at Sonatype where she brings solutions to market that unite development, security, and operations teams to accelerate software innovation while minimizing open source risk.