
Migrating from Sonatype to ProGet

Introduction

Crista Perlton


This article is the first in a series on Migrating from Sonatype to ProGet, also available as a chapter in our free, downloadable eBook.

If you’re looking to migrate from Sonatype to ProGet and are already familiar with Nexus, Lifecycle, etc., you’ll recognize some similarities. Repositories, security controls, package management, and software composition analysis all exist on both platforms. But the two systems aren’t 1:1. Understanding where they differ will make your transition much smoother.

Having said that, migrating to ProGet isn’t difficult. Our guide “Migrating from Sonatype to ProGet” was written to support you throughout this process. It explains ProGet in terms that are intuitive for anyone who’s used Sonatype’s products, outlining the key steps and preparation you’ll need along the way.

In this article, we’ll bring you up to speed with the main things you’ll need to know to get started, such as how repositories and security work in ProGet. We’ll also cover how to get your ProGet instance up and running, and how to maintain it going forward.  

Overview of Sonatype and ProGet 

Both Sonatype and ProGet help development teams manage, secure, and distribute software components. The core concept is the same: centralize your packages, enforce governance, and support automation throughout the build and deployment process. However, the way each platform delivers and organizes these capabilities is quite different. 

Sonatype works across separate platforms: Nexus Repository for binaries, Lifecycle for SCA and policy enforcement, and Firewall for quarantining risky packages. ProGet combines these capabilities into a single solution. It manages both internal and external packages, performs in-system vulnerability and license scanning, and supports automated workflows without relying on multiple products.

In ProGet, repositories are called “feeds” and serve a similar purpose to repositories in Sonatype Nexus in how they store and distribute packages. The difference is in how they’re structured. Sonatype separates repositories into hosted, proxy, and group types and depends on additional products for advanced security or policy features. ProGet uses highly configurable feeds that can manage various package types such as NuGet, npm, PyPI, and Docker, while also providing built-in governance and scanning capabilities. 

👉 See “How to Manage Repositories in ProGet for Sonatype Users” to learn more

Getting Started with ProGet 

The first step in migrating to ProGet is simply getting your instance up and running. ProGet is designed to be easy to install and maintain, whether you’re deploying it on Windows, Linux, or as part of a High Availability cluster. Most users install and manage ProGet through Inedo Hub, which streamlines updates, configuration, and service management. 

Once the instance is in place, you’ll be ready to begin configuring feeds, permissions, and security features in preparation for migrating your existing Sonatype data.

👉 See “How to Self-Manage Your ProGet Instance for Sonatype Users” to learn more

Migrating Your Environment 

Users, Roles, and Permissions 

If you’ve been using Sonatype tools, you already have users, roles, and permissions defined in your environment. As you migrate, you’ll want to understand how those concepts translate into ProGet. Both platforms use roles and granular privileges to control access, but ProGet organizes these around feed-based permissions, giving you fine-tuned control over how different teams interact with each feed. 

ProGet can also connect directly to your existing directory services, such as Active Directory or LDAP. Among other things, this means you can bring over your users and groups without starting from scratch. Once connected, assigning roles and permissions becomes a straightforward part of the migration process. 

👉 See “How to Manage Users, Security, and API Keys in ProGet for Sonatype Users” to learn more

API Keys 

If you have various API keys created in your Sonatype instances, you’ll be able to take a similar approach in ProGet. ProGet lets you create and manage keys directly in the web UI, through the command-line tool, or via the API. You can generate keys for system-wide privileges, feed-specific actions, or personal use, giving you flexibility in how automation tools and CI/CD pipelines authenticate with the platform. 

👉 See “How to Manage Users, Security, and API Keys in ProGet for Sonatype Users” to learn more

Software Composition Analysis (SCA) and Policies 

ProGet integrates SCA and policy enforcement directly into the platform, unlike Sonatype Lifecycle, which operates as a separate product. This centralizes security alongside your packages and reduces the complexity of managing multiple tools. 

Build-time scanning in ProGet catches transitive dependencies and ensures policies are applied consistently. Policies can be enforced globally or per feed, giving teams flexibility to tailor governance without fragmenting security workflows. 

👉 See “How to Manage Policies and SCA in ProGet for Sonatype Users” to learn more

Blocking Vulnerabilities and Licenses 

Sonatype users often rely on Nexus Firewall to quarantine or block risky packages. ProGet takes a more modern, risk-focused approach. Instead of blocking entire packages outright, ProGet evaluates and blocks the specific risks associated with vulnerabilities or licenses. 

This is enabled through fine-grained rules for vulnerabilities and license types, combined with context-based assessments. Enforcement can be configured at the feed level or through global policies, allowing fully automated and precise controls. 

👉 See “How to Block Packages in ProGet for Sonatype Users” to learn more

SBOM Management and Compliance 

Sonatype provides SBOM capabilities through a separate SBOM Manager, but ProGet includes SBOM management directly within the platform. SBOMs stay automatically synchronized with your packages, builds, and policies, reducing overhead and ensuring consistency across your environment. 

You can import existing SBOMs into ProGet or generate new ones as part of your build and release processes. ProGet-generated SBOMs include component, dependency, license, and vulnerability information, helping teams meet compliance requirements and simplifying audit workflows. 

👉 See “How to Manage SBOMs in ProGet for Sonatype Users” to learn more

Maintaining Your ProGet Instance 

Backing Up and Restoring 

Securely storing your artifacts protects your organization from hardware failures, system errors, and unexpected data loss. Both Sonatype Nexus and ProGet offer built-in backup and restore features, and while the overall processes are similar, each platform handles and stores data in slightly different ways. Understanding these differences will ensure you have a reliable disaster-recovery plan in place.

👉 See “How Storage, Backing Up and Restoring Works in ProGet for Sonatype Users” to learn more  

Retention Policies 

ProGet’s retention policies help automatically clean up old or unused packages, keeping your feeds fast, lightweight, and responsive. While this is conceptually similar to what Sonatype users may be familiar with, ProGet handles build and SCA data differently. Instead of simple age- or count-based cleanup, ProGet offers pipeline-based retention rules, giving you much tighter control over what gets preserved and what is deleted across builds, feeds, and SCA reports. 

👉 See “How to Manage Retention in ProGet for Sonatype Users” to learn more

Replication Across Instances 

If your teams work across multiple locations or if you maintain separate environments for development, staging, and production, replication ensures packages stay synchronized and accessible wherever they’re needed. ProGet includes built-in support for feed-level replication, using either hub-and-spoke or bi-directional synchronization models.

For teams familiar with Sonatype’s approach to replication, ProGet will feel familiar, but with added flexibility and integrated monitoring to make administration easier and more transparent. 

👉 See “How to Manage Replication in ProGet for Sonatype Users” to learn more

Moving Ahead with ProGet 

Migrating from Sonatype to ProGet is a straightforward process. The platforms share many similarities, and if you’re already comfortable with Nexus and its ecosystem, you’ll find much of ProGet familiar. That said, the differences between the tools mean a bit of preparation goes a long way. Understanding how ProGet organizes feeds, security, automation, and governance will help ensure your transition is smooth and successful. 

The articles in this series on Migrating from Sonatype to ProGet cover repositories, SCA, backups, replication, and more. They will provide you with a clear roadmap for every step of your migration. 

You can follow each chapter of our guide through the links throughout this article. Or, to get everything together, download our free guide, Migrating from Sonatype to ProGet, to dive deeper into the full process. Download your free guide today!
