Jenkins Setup for Local Code Scanning

Jenkins is a widely used CI/CD tool that you can host on-prem or in the cloud. By installing the CybeDefend CLI on your Jenkins agent, you can securely run scans locally and upload the results to CybeDefend.

Requirements

API Key
Follow Introduction & API Key Creation to generate and store a key in Jenkins credentials.
Operating System
Jenkins agent must be on a supported OS (Linux x86_64, Windows, macOS). For Linux, ensure glibc >= 2.27.
Sufficient Resources
At least 2–4 GB RAM, plus the recommended disk space for your repo.

By default, we recommend scanning the main (or master) branch to avoid mixing partial results across multiple branches.

Option 1: Docker-Based Scanning

If your Jenkins agent supports Docker, run the CybeDefend scanner image:

Create a New Jenkins Project
- Choose Pipeline or Freestyle with a Docker step.
Configure Docker
Make sure your agent can run containers.
Build Step:

docker run --rm \
  -v $WORKSPACE:/app \
  -w /app \
  cybedefend/local-scanner:latest \
  cybedefend scan . --api-key $CYBEDEFEND_API_KEY --project-id $CYBEDEFEND_PROJECT_ID --ci

Explanation

-v $WORKSPACE:/app: Mount your code from Jenkins into /app.
cybedefend/local-scanner:latest: Our Docker image containing the CLI.
—ci: Outputs minimal logs for a clean pipeline.

Tagging the main branch only

Option 2: Installing the Binary Directly

Download the Binary
In a shell build step:

curl -L https://github.com/CybeDefend/cybedefend-cli/releases/download/v1.0.0/cybedefend-linux-amd64 -o cybedefend
chmod +x cybedefend
sudo mv cybedefend /usr/local/bin/

Run the Scan

cybedefend scan . \
  --api-key $CYBEDEFEND_API_KEY \
  --project-id $CYBEDEFEND_PROJECT_ID \
  --ci

If this is your first time scanning the repo, a new project is created in CybeDefend. On subsequent scans, results are appended under the same Project ID.

Checking Results

Jenkins Console Output: Quick summary of discovered vulnerabilities.
CybeDefend “results” command: Add a new step to fetch more detailed results in JSON, HTML, or SARIF.
CybeDefend Dashboard: Provides an in-depth view, charts, and historical vulnerability data.

For large repos, scanning may take a few minutes. Adjust Timeout settings accordingly.

Consider gating a release by parsing CLI output or exit codes, failing the build if high-severity issues remain.

On this page

Requirements
Option 1: Docker-Based Scanning
Explanation
Option 2: Installing the Binary Directly
Checking Results

Requirements

API Key
Follow Introduction & API Key Creation to generate and store a key in Jenkins credentials.
Operating System
Jenkins agent must be on a supported OS (Linux x86_64, Windows, macOS). For Linux, ensure glibc >= 2.27.
Sufficient Resources
At least 2–4 GB RAM, plus the recommended disk space for your repo.

By default, we recommend scanning the main (or master) branch to avoid mixing partial results across multiple branches.

Option 1: Docker-Based Scanning

If your Jenkins agent supports Docker, run the CybeDefend scanner image:

Create a New Jenkins Project
- Choose Pipeline or Freestyle with a Docker step.
Configure Docker
Make sure your agent can run containers.
Build Step:

docker run --rm \
  -v $WORKSPACE:/app \
  -w /app \
  cybedefend/local-scanner:latest \
  cybedefend scan . --api-key $CYBEDEFEND_API_KEY --project-id $CYBEDEFEND_PROJECT_ID --ci

Explanation

-v $WORKSPACE:/app: Mount your code from Jenkins into /app.
cybedefend/local-scanner:latest: Our Docker image containing the CLI.
—ci: Outputs minimal logs for a clean pipeline.

Tagging the main branch only

Option 2: Installing the Binary Directly

Download the Binary
In a shell build step:

curl -L https://github.com/CybeDefend/cybedefend-cli/releases/download/v1.0.0/cybedefend-linux-amd64 -o cybedefend
chmod +x cybedefend
sudo mv cybedefend /usr/local/bin/

Run the Scan

cybedefend scan . \
  --api-key $CYBEDEFEND_API_KEY \
  --project-id $CYBEDEFEND_PROJECT_ID \
  --ci

If this is your first time scanning the repo, a new project is created in CybeDefend. On subsequent scans, results are appended under the same Project ID.

Checking Results

Jenkins Console Output: Quick summary of discovered vulnerabilities.
CybeDefend “results” command: Add a new step to fetch more detailed results in JSON, HTML, or SARIF.
CybeDefend Dashboard: Provides an in-depth view, charts, and historical vulnerability data.

For large repos, scanning may take a few minutes. Adjust Timeout settings accordingly.

Consider gating a release by parsing CLI output or exit codes, failing the build if high-severity issues remain.

On this page

Requirements
Option 1: Docker-Based Scanning
Explanation
Option 2: Installing the Binary Directly
Checking Results

Requirements

Option 1: Docker-Based Scanning

Explanation

Option 2: Installing the Binary Directly

Checking Results

API Documentation

Endpoints

Jenkins Setup for Local Code Scanning

Requirements

Option 1: Docker-Based Scanning

Explanation

Option 2: Installing the Binary Directly

Checking Results

​Requirements

​Option 1: Docker-Based Scanning

​Explanation

​Option 2: Installing the Binary Directly

​Checking Results

API Documentation

Endpoints

​Requirements

​Option 1: Docker-Based Scanning

​Explanation

​Option 2: Installing the Binary Directly

​Checking Results

Requirements

Option 1: Docker-Based Scanning

Explanation

Option 2: Installing the Binary Directly

Checking Results

Requirements

Option 1: Docker-Based Scanning

Explanation

Option 2: Installing the Binary Directly

Checking Results