
Sonatype Guide
Sonatype Guide connects Claude Code to Sonatype's intelligence so your editor can scan project dependencies for known supply-chain risk. It reads manifests and lockfiles (package.json, pom.xml, go.mod, etc.), pulls vulnerability and policy data, and highlights packages with known CVEs, problematic licenses, or low quality scores. It shows the vulnerable version, the vulnerability ID, and the risk score so you can decide what to change.
From inside the editor you can run a full dependency scan or a quick check on a single file. The plugin recommends safer versions, lists the delta between your version and a suggested upgrade, and maps transitive dependency chains so you see the true source of risk. It also checks licensing flags and quality indicators so you can assess non-security issues before they hit production.
Scan results include actionable items: package names, vulnerable ranges, suggested fixes, and links to the Sonatype intelligence entry for each issue. You can copy a suggested version bump, open the advisory page, or record findings in your issue tracker. The plugin keeps results local to your workspace and updates them as you edit files, so you get immediate feedback while you code.
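To make the matching and chain-mapping described above concrete, here is an added example, not code from the Sonatype Guide plugin, that does the same job in miniature: it parses a constructed npm lockfile (lockfileVersion 3 layout, with fictional package names), checks each installed version against a constructed advisory list with half-open vulnerable ranges, and walks the dependency graph to report which direct dependency pulls in each flagged transitive package. The advisory IDs, scores and ranges are sample data, not real advisories.

```python
import json
from collections import deque
from typing import Dict, List

# Constructed npm lockfile (lockfileVersion 3 layout); package names are fictional.
LOCKFILE_JSON = """
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"web-framework": "^2.3.0", "util-lib": "^4.17.15"}},
    "node_modules/web-framework": {"version": "2.3.1", "dependencies": {"query-parser": "^6.10.0"}},
    "node_modules/query-parser": {"version": "6.10.3", "dependencies": {"side-chan": "^1.0.4"}},
    "node_modules/side-chan": {"version": "1.0.4"},
    "node_modules/util-lib": {"version": "4.17.15"}
  }
}
"""

# Constructed advisory feed standing in for a vulnerability intelligence source.
ADVISORIES = [
    {"name": "util-lib", "id": "SAMPLE-ADV-0001", "introduced": "4.0.0", "fixed": "4.17.21", "score": 7.4},
    {"name": "side-chan", "id": "SAMPLE-ADV-0002", "introduced": "1.0.0", "fixed": "1.0.5", "score": 5.3},
    {"name": "query-parser", "id": "SAMPLE-ADV-0003", "introduced": "6.0.0", "fixed": "6.5.3", "score": 7.5},
]


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable int tuple (pre-release/build tags dropped)."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def package_name(key: str) -> str:
    # "node_modules/a/node_modules/b" -> "b"; nested copies collapse onto one name here.
    return key.rsplit("node_modules/", 1)[-1]


def load_graph(lockfile_text: str):
    """Return (root name, installed versions, adjacency list) from the lockfile."""
    packages = json.loads(lockfile_text)["packages"]
    root = packages[""].get("name", "root")
    versions: Dict[str, str] = {}
    graph: Dict[str, List[str]] = {}
    for key, entry in packages.items():
        name = root if key == "" else package_name(key)
        if "version" in entry:
            versions[name] = entry["version"]
        graph[name] = list(entry.get("dependencies", {}).keys())
    return root, versions, graph


def chain_to(graph: Dict[str, List[str]], root: str, target: str) -> List[str]:
    """Shortest path root -> target: which direct dependency drags the package in."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dep in graph.get(path[-1], []):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return []


def scan_lockfile(lockfile_text: str, advisories: List[dict]) -> List[dict]:
    """Match installed versions against advisory ranges; highest score first."""
    root, versions, graph = load_graph(lockfile_text)
    findings = []
    for adv in advisories:
        installed = versions.get(adv["name"])
        if installed is None or not is_vulnerable(installed, adv["introduced"], adv["fixed"]):
            continue
        chain = chain_to(graph, root, adv["name"])
        findings.append({
            "name": adv["name"],
            "installed": installed,
            "advisory": adv["id"],
            "score": adv["score"],
            "fixed_in": adv["fixed"],
            "chain": chain,
            "direct": len(chain) == 2,  # root -> package means a direct dependency
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan_lockfile(LOCKFILE_JSON, ADVISORIES):
        print(f"{f['name']}@{f['installed']}  {f['advisory']}  score={f['score']}  "
              f"fix: upgrade to {f['fixed_in']}  via {' -> '.join(f['chain'])}")
```

The `chain` field is what makes a transitive finding actionable: for a direct dependency the fix is the version bump itself, while for a package three hops down the fix is usually a bump of the direct dependency at the top of the chain, since a lockfile pin on the transitive package alone can be undone by the next install. Real tools also need to handle pre-release ordering and multiple nested copies of one package, which the constructed lockfile above avoids.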
In a real project you can run a scan when you open a pull request, see a flagged dependency, apply the suggested version, and push a tiny follow-up commit without leaving the editor — avoiding trips to a web console or separate scanner and saving the time of context switching during a release fix.