Community Updates: Nancy Has a New Ship, and Found oysteRs

The community team at Sonatype has been working hard on upgrading docker-nancy from a Post Panamax cargo ship to a new and improved Triple E vessel. (See the diagram below). As a result, the docker-nancy project on github that we announced earlier is being archived. Now, docker-nancy has moved to the main repository.


The Triple E is the largest container ship to-date. (Image Source)

Who is Nancy?

Nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index. docker-nancy wraps the nancy executable in a Docker image.

Nancy checks for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index and Nexus IQ Server. This gives you a smooth sailing experience as a Golang developer, using the best tools in the market!

Nancy currently works for projects that use dep or go mod for dependencies.

To see how Nancy will output when finding vulnerabilities, use our intentionally vulnerable repo. Check out this build on Travis-CI or this build on CircleCI.

Bon Voyage, docker-nancy!

Ahoy! oysteR

Also new to the community is the ability to create purls from the filtered sands of your dependencies, powered by Sonatype OSS Index.

If this project is run independently, one can run:

Rscript R/main.R

main.R has a call to audit_deps_with_oss_index() by default, as a convenience.

If installed, you can do:


This will accomplish the same behavior as running main.R.

Reminder: Neither Are Officially Supported by Sonatype (And More Contributions Are Available)

It is worth noting that oysteR and Nancy are NOT SUPPORTED by Sonatype. Both are contributions to the open source community (read: you!).


  • Use these contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by DJ Schleen. Read the original post at:

Avatar photo

DJ Schleen

DJ is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He comes from a practitioner background and specializes in architecting DevSecOps pipelines, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software. DJ has worked to streamline development pipelines and practices for many Fortune 100 organizations by focusing on culture and technique. He uses this expertise to surface the right technology to serve business goals and support outcomes. He is an international speaker, blogger, instructor and author in the DevSecOps community where he encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.

dj-schleen has 10 posts and counting.See all posts by dj-schleen

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)