Sonatype Nexus Repository Manager sits at the center of most enterprise software supply chains. It proxies public registries, hosts private artifacts, and serves as the single source of truth for every dependency your organization consumes. When Nexus is misconfigured, every application that pulls dependencies through it is at risk.
The default Nexus installation prioritizes ease of use over security. The admin account has a default password. Anonymous access is enabled. Proxy repositories fetch from upstream without content validation. For a development environment, this is fine. For anything that touches production software, it needs significant hardening.
Authentication and Authorization
Change Default Credentials Immediately
Nexus ships with an admin account whose initial password is stored in a file on disk. The first login prompts you to change it, but automated deployments sometimes skip this step. Verify that the default password has been changed on every Nexus instance in your environment.
Disable Anonymous Access
Anonymous access allows anyone who can reach Nexus to browse and download artifacts without authentication. Disable it under Security, then Anonymous Access. If you need unauthenticated access for specific use cases, use content selectors and repository-level permissions to restrict what anonymous users can see.
Implement LDAP or SAML Authentication
Integrate Nexus with your corporate directory. LDAP integration enables centralized user management and password policy enforcement. Nexus Pro supports SAML for SSO integration.
Map LDAP groups to Nexus roles to automate permission management. When someone joins a development team, their LDAP group membership automatically grants them the appropriate Nexus permissions.
Create Granular Roles
Nexus's default roles are broad. The nx-admin role grants full administrative access. The nx-anonymous role controls what unauthenticated users see. Between these extremes, create custom roles that match your organizational structure.
A typical role structure includes a read-only role for CI/CD pull operations, a developer role that can push to snapshot repositories, a release manager role that can push to release repositories, and an administrator role limited to specific operational tasks.
Use Service Accounts for Automation
CI/CD pipelines should authenticate with dedicated service accounts, not personal credentials. Create service accounts with the minimum permissions needed. A build pipeline that only pushes Maven artifacts should not have permission to delete Docker images.
Repository Configuration
Separate Snapshot and Release Repositories
Snapshot repositories hold development versions that change frequently. Release repositories hold immutable, versioned artifacts. Different security policies apply to each.
Release repositories should be configured as write-once: once an artifact version is published, it should not be overwritten. Enable the "Disable redeploy" policy on release repositories. This prevents supply chain attacks that replace a known-good artifact version with a malicious one.
Configure Content Selectors
Content selectors control access to specific paths within a repository. Use them to restrict which teams can read or write specific artifact groups. A frontend team should not need access to backend service artifacts, and vice versa.
Validate Proxy Content
When Nexus proxies a public registry, it trusts whatever the upstream returns. Enable content validation on proxy repositories to verify checksums and reject corrupt or tampered artifacts.
For Maven repositories, enable strict content validation in the repository's HTTP settings. For npm, ensure integrity checking is enabled. For Docker, confirm that image digests are validated so a manifest cannot be swapped for one with different content.
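The checks described in the Authentication and Repository Configuration sections can be automated against the Nexus REST API rather than clicked through in the UI. The script below is an added example, not code from the original article or from Sonatype: it takes the JSON that GET /service/rest/v1/security/anonymous and GET /service/rest/v1/repositorySettings return and flags anonymous access, release repositories that still allow redeploy, proxy repositories without strict content validation, and upstreams fetched over plain HTTP. The field names (enabled, storage.writePolicy, storage.strictContentTypeValidation, proxy.remoteUrl, maven.versionPolicy) are assumptions based on the Nexus 3 API and should be verified against your version; the sample responses are constructed so the script runs offline.

```python
"""Posture checks over Nexus Repository 3 REST API responses (added example).

Field names are assumptions based on the Nexus 3 REST API; verify them against
your version. Sample data below is constructed, not captured from a real server.
"""
import json
from typing import Dict, List

# Constructed sample: shape of GET /service/rest/v1/security/anonymous.
ANONYMOUS_JSON = '{"enabled": true, "userId": "anonymous", "realmName": "NexusAuthorizingRealm"}'

# Constructed sample: subset of GET /service/rest/v1/repositorySettings.
REPOSITORIES_JSON = """[
  {"name": "maven-releases", "format": "maven2", "type": "hosted",
   "storage": {"blobStoreName": "default", "strictContentTypeValidation": true,
               "writePolicy": "ALLOW"}},
  {"name": "maven-snapshots", "format": "maven2", "type": "hosted",
   "storage": {"blobStoreName": "default", "strictContentTypeValidation": true,
               "writePolicy": "ALLOW"}},
  {"name": "maven-central", "format": "maven2", "type": "proxy",
   "storage": {"blobStoreName": "default", "strictContentTypeValidation": false,
               "writePolicy": "ALLOW"},
   "proxy": {"remoteUrl": "http://repo1.maven.org/maven2/"}}
]"""


def is_release_repo(repo: Dict) -> bool:
    """Decide whether a hosted repository holds release artifacts.

    Maven hosted repositories expose maven.versionPolicy (RELEASE/SNAPSHOT/MIXED);
    for other formats fall back to the naming convention used in the article.
    """
    if repo.get("type") != "hosted":
        return False
    policy = repo.get("maven", {}).get("versionPolicy")
    if policy:
        return policy == "RELEASE"
    return "snapshot" not in repo["name"].lower()


def check_anonymous(anonymous: Dict) -> List[str]:
    """Anonymous access should be off, or restricted with content selectors."""
    if anonymous.get("enabled"):
        return ["anonymous access is enabled; disable it or restrict it with content selectors"]
    return []


def check_repository(repo: Dict) -> List[str]:
    """Apply the write-once, content-validation and HTTPS-upstream checks."""
    findings = []
    name = repo["name"]
    storage = repo.get("storage", {})
    # Release repositories must be write-once ("Disable redeploy" == ALLOW_ONCE).
    if is_release_repo(repo) and storage.get("writePolicy") != "ALLOW_ONCE":
        findings.append(f"{name}: release repository allows redeploy "
                        f"(writePolicy={storage.get('writePolicy')}); set ALLOW_ONCE")
    if repo.get("type") == "proxy":
        # Proxies trust upstream content unless validation is switched on.
        if not storage.get("strictContentTypeValidation", False):
            findings.append(f"{name}: strict content type validation is off on a proxy repository")
        remote = repo.get("proxy", {}).get("remoteUrl", "")
        if not remote.startswith("https://"):
            findings.append(f"{name}: upstream {remote!r} is not fetched over HTTPS")
    return findings


def audit(anonymous_json: str, repositories_json: str) -> List[str]:
    """Run every check and return a flat list of human-readable findings."""
    findings = check_anonymous(json.loads(anonymous_json))
    for repo in json.loads(repositories_json):
        findings.extend(check_repository(repo))
    return findings


if __name__ == "__main__":
    for finding in audit(ANONYMOUS_JSON, REPOSITORIES_JSON):
        print("FINDING:", finding)
```

In a real deployment, replace the two constants with the output of authenticated GET requests (a read-only service account is sufficient) and run the script from CI so a drifted setting fails a scheduled job rather than waiting for the next manual review.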
Cleanup and Retention
Configure Cleanup Policies
Without cleanup policies, Nexus accumulates every artifact ever published or proxied. Old artifacts with known vulnerabilities remain available for download indefinitely.
Create cleanup policies that remove artifacts based on age, last download time, or release status. Apply different policies to different repository types: aggressive cleanup for snapshot repositories, conservative cleanup for release repositories.
Run Compact Blob Store Tasks
Cleanup policies mark artifacts for deletion but do not reclaim disk space. Schedule the "Compact blob store" task to actually free storage. Run it during off-peak hours.
Network Security
Enable HTTPS
Configure Nexus to serve all traffic over HTTPS. If Nexus sits behind a reverse proxy that handles TLS termination, ensure the connection between the proxy and Nexus is also encrypted or runs on a trusted network.
Restrict Network Access
Nexus should be accessible only to authorized networks. Use firewall rules or network policies to restrict access to known CI/CD infrastructure, developer networks, and administrative systems.
Configure Outbound Proxy Settings
If Nexus accesses public registries through a corporate proxy, configure the proxy settings under System, then HTTP. Include authentication if your proxy requires it. Do not bypass the proxy for registry access, as it likely provides security monitoring and content filtering.
Monitoring and Alerting
Enable Audit Logging
Nexus logs authentication events, artifact uploads, configuration changes, and security-related operations. Forward these logs to your SIEM and create alerts for suspicious activity: failed authentication attempts, artifact deletions, permission changes, and new repository creation.
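The alert categories listed above can be expressed as simple rules over the JSON-lines audit log before the events reach a SIEM, or as a local sanity check that the forwarding pipeline sees what it should. The following is an added example and not code from the original article or from Sonatype. It assumes Nexus 3 writes audit.log as one JSON object per line with timestamp, initiator, domain, type and context fields (verify the exact field set against your instance); the log lines themselves are constructed.

```python
"""Alert rules over Nexus audit.log entries (added example).

Assumes the Nexus 3 audit.log format: one JSON object per line with the fields
timestamp, initiator, domain, type and context. Field names are an assumption
to verify against your instance; the sample lines are constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample audit.log content (not captured from a real server).
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2024-05-01 09:00:01,120+0000", "initiator": "ci-deploy/10.0.3.7", "domain": "repository.component", "type": "created", "context": "maven-releases:com.example:svc:1.4.0"}
{"timestamp": "2024-05-01 09:02:44,003+0000", "initiator": "jdoe/10.0.8.22", "domain": "repository.component", "type": "deleted", "context": "maven-releases:com.example:svc:1.3.9"}
{"timestamp": "2024-05-01 09:05:10,550+0000", "initiator": "jdoe/10.0.8.22", "domain": "security.role", "type": "updated", "context": "nx-developer"}
{"timestamp": "2024-05-01 09:06:02,001+0000", "initiator": "admin/10.0.8.22", "domain": "repository", "type": "created", "context": "npm-mirror-2"}
{"timestamp": "2024-05-01 09:07:00,000+0000", "initiator": "admin/10.0.8.22", "domain": "security.anonymous", "type": "updated", "context": "anonymous"}
{"timestamp": "2024-05-01 09:08:13,300+0000", "initiator": "ci-pull/10.0.3.9", "domain": "repository.asset", "type": "created", "context": "maven-central:org/example/lib/2.0/lib-2.0.jar"}
this line is not JSON and should be skipped
"""

# (domain, type) pairs mapped to the alert category from the article's list.
ALERT_RULES = {
    ("repository.component", "deleted"): "artifact deletion",
    ("repository.asset", "deleted"): "artifact deletion",
    ("security.role", "created"): "permission change",
    ("security.role", "updated"): "permission change",
    ("security.user", "updated"): "permission change",
    ("security.privilege", "updated"): "permission change",
    ("repository", "created"): "new repository",
    ("security.anonymous", "updated"): "anonymous access setting changed",
}


def parse_audit_lines(text: str) -> List[Dict]:
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not stall the rest of the stream
    return events


def evaluate(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per event that matches a rule in ALERT_RULES."""
    alerts = []
    for event in events:
        rule = ALERT_RULES.get((event.get("domain"), event.get("type")))
        if rule:
            alerts.append({
                "rule": rule,
                "initiator": event.get("initiator", "unknown/unknown"),
                "context": event.get("context"),
                "timestamp": event.get("timestamp"),
            })
    return alerts


def initiators_by_alert_count(alerts: Iterable[Dict]) -> Counter:
    """Aggregate alerts by user (initiator is 'user/ip' in the audit log)."""
    return Counter(alert["initiator"].split("/")[0] for alert in alerts)


if __name__ == "__main__":
    found = evaluate(parse_audit_lines(SAMPLE_AUDIT_LOG))
    for alert in found:
        print(f"{alert['timestamp']}  {alert['rule']:<35} {alert['initiator']}  {alert['context']}")
    print("alerts per user:", dict(initiators_by_alert_count(found)))
```

Routine uploads and proxy cache fills generate no alert, while a deletion from a release repository, a role edit, a new repository and a change to the anonymous setting each do; the per-user count makes a burst of state-changing actions from a single account easy to spot in a dashboard.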
Monitor for Known Vulnerabilities
Nexus Pro includes Nexus IQ integration for vulnerability scanning. If you use the open-source edition, integrate external scanning into your pipeline to check artifacts as they pass through Nexus.
Track Repository Health
Monitor proxy repository health to detect upstream failures or connectivity issues. If a proxy repository cannot reach its upstream, it serves cached content that may be outdated. Alert on proxy cache staleness that exceeds your acceptable threshold.
Backup and Recovery
Back Up Configuration
Nexus stores configuration in an OrientDB database (Nexus 3.x) or a PostgreSQL database (newer versions). Back up this database regularly and test restoration. A corrupted or lost configuration database requires rebuilding all repository definitions, permissions, and policies from scratch.
Back Up Blob Stores
Artifact data is stored in blob stores on the filesystem or in cloud storage. Include blob stores in your backup strategy. A Nexus instance without its blob stores is an empty shell.
How Safeguard.sh Helps
Safeguard.sh integrates with Nexus Repository to provide continuous visibility into the security posture of your artifact supply chain. It monitors artifacts flowing through Nexus, generates SBOMs for container images and application dependencies, and identifies vulnerabilities in both proxied and internally published artifacts. When a critical CVE affects a library cached in your Nexus proxy, Safeguard.sh tells you every application that consumed it.