Jenkins Setup for Local Code Scanning
Integrate CybeDefend’s local scanning into a Jenkins pipeline without exposing your code externally.
Jenkins is a widely used CI/CD tool that you can host on-prem or in the cloud. By installing the CybeDefend CLI on your Jenkins agent, you can securely run scans locally and upload the results to CybeDefend.
Requirements
- API Key: Follow Introduction & API Key Creation to generate a key and store it in Jenkins credentials.
- Operating System: The Jenkins agent must run a supported OS (Linux x86_64, Windows, macOS). For Linux, ensure glibc >= 2.27.
- Sufficient Resources: At least 2–4 GB RAM, plus the recommended disk space for your repo.
By default, we recommend scanning the main (or master) branch to avoid mixing partial results across multiple branches.
Option 1: Docker-Based Scanning
If your Jenkins agent supports Docker, run the CybeDefend scanner image:
- Create a New Jenkins Project: Choose Pipeline or Freestyle with a Docker step.
- Configure Docker: Make sure your agent can run containers.
- Build Step:
Explanation
- -v $WORKSPACE:/app: Mounts your code from the Jenkins workspace into /app inside the container.
- cybedefend/local-scanner:latest: Our Docker image containing the CLI.
- --ci: Outputs minimal logs for a clean pipeline.
Option 2: Installing the Binary Directly
- Download the Binary
In a shell build step:
- Run the Scan
If this is your first time scanning the repo, a new project is created in CybeDefend. On subsequent scans, results are appended under the same Project ID.
Checking Results
- Jenkins Console Output: Quick summary of discovered vulnerabilities.
- CybeDefend “results” command: Add a new step to fetch more detailed results in JSON, HTML, or SARIF.
- CybeDefend Dashboard: Provides an in-depth view, charts, and historical vulnerability data.
For large repos, scanning may take a few minutes. Adjust Timeout settings accordingly.
Consider gating a release by parsing CLI output or exit codes, failing the build if high-severity issues remain.
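One way to implement such a gate, as an added example rather than CybeDefend's own code: a Python script run from a Jenkins shell step after the results step has written a SARIF report. It assumes the report follows the standard SARIF 2.1.0 layout (runs[].results[].level, with each rule's defaultConfiguration.level as the fallback); the rule ids, messages and the results.sarif path are constructed for illustration.

```python
import json
import sys

# SARIF 2.1.0 result levels, ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def count_findings_at_or_above(report: dict, min_level: str = "error") -> int:
    """Count results whose level meets the threshold. A result that omits its
    level inherits its rule's defaultConfiguration.level (SARIF default: warning)."""
    threshold = LEVEL_RANK[min_level]
    total = 0
    for run in report.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rule_levels = {r.get("id"): r.get("defaultConfiguration", {}).get("level", "warning")
                       for r in rules}
        for result in run.get("results", []):
            level = result.get("level") or rule_levels.get(result.get("ruleId"), "warning")
            if LEVEL_RANK.get(level, LEVEL_RANK["warning"]) >= threshold:
                total += 1
    return total

def gate(report: dict, min_level: str = "error") -> int:
    """Exit code for Jenkins: 0 when the build may proceed, 1 when it must fail."""
    remaining = count_findings_at_or_above(report, min_level)
    print(f"{remaining} finding(s) at level '{min_level}' or above")
    return 1 if remaining else 0

# Constructed sample in the SARIF layout; rule ids and messages are made up.
SAMPLE_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "RULE-A", "defaultConfiguration": {"level": "error"}},
            {"id": "RULE-B", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "RULE-A", "level": "error", "message": {"text": "finding 1"}},
            {"ruleId": "RULE-B", "level": "warning", "message": {"text": "finding 2"}},
            {"ruleId": "RULE-A", "message": {"text": "finding 3, level taken from rule"}},
            {"ruleId": "RULE-B", "level": "note", "message": {"text": "finding 4"}},
        ],
    }],
}

if __name__ == "__main__":
    # In a Jenkins shell step: python3 gate.py results.sarif (file name is an assumption).
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```

Because the script's exit code becomes the shell step's exit code, a non-zero result fails the build without any extra Jenkins configuration.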