Jenkins
Flexible security scanning for Jenkins pipelines.
v3.55.2). If a snippet no longer works, open an issue with the CLI version you are on.Before You Start
Credentials come from Jenkins Credentials, bound per-step with withCredentials so the value is masked in the console log and scoped to the block.
| Variable | Value |
|---|---|
VULNETIX_ORG_ID | Organization UUID |
VULNETIX_API_KEY | ApiKey hex digest |
Environment variables authenticate on their own. Do not run vulnetix auth login on an ephemeral runner — see Authentication in CI/CD.
Quick Start
Jenkinsfile:
pipeline {
agent any
environment {
VULNETIX_ORG_ID = credentials('vulnetix-org-id')
}
stages {
stage('Security Scan') {
steps {
sh '''
curl -fsSL https://cli.vulnetix.com/install.sh | sh
export PATH=$PATH:$HOME/.local/bin
vulnetix auth verify
vulnetix scan --severity high
'''
}
}
}
}
vulnetix auth verify on the first line fails the build immediately when the credential is missing or revoked, rather than halfway through a scan.
sh '...'. With double quotes Groovy interpolates the credential before the shell runs, and it lands in the build log.Running Individual Scans
Each subcommand runs standalone and uploads its own findings. Swap vulnetix scan for any of them:
vulnetix sca --severity high -o dist/sbom.cdx.json # dependencies
vulnetix sast --severity high -o dist/sast.sarif # source code
vulnetix secrets -o dist/secrets.sarif # hardcoded credentials
vulnetix license --allow MIT,Apache-2.0 # SPDX policy
vulnetix cbom --output-file dist/cbom.cdx.json # cryptography, PQC posture
vulnetix aibom --output-file dist/aibom.cdx.json # AI agents, SDKs, models
Note the flag split: the scan family takes -o <path>, while cbom, aibom, and malscan take --output-file. license takes neither. The full table is in the Subcommand Reference.
Keeping the Report
archiveArtifacts artifacts: 'dist/**', allowEmptyArchive: true
The SARIF-producing scans write their file only when there are findings, so a clean run leaves nothing behind. Tolerate the missing path rather than failing on it.
Quality Gates
Gates are opt-in; without a gate flag the command reports and exits 0.
vulnetix scan --severity high --block-malware --block-eol --exploits active
To surface a breach without blocking the merge: Wrap the step in catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE').
Full gate list in the Subcommand Reference.
Uploading Third-Party Artifacts
The scans upload themselves. upload is for reports produced by other tools:
vulnetix upload --file reports/semgrep.sarif --format sarif
Accepted formats: cyclonedx, spdx, sarif, openvex, csaf_vex.
See Also
- Subcommand Reference for CI — what each command writes, which output flag it takes
- Authentication in CI/CD — credential choice, masking, rotation
- Scan Command Reference — every flag