Jenkins

Pipeline Security Integration

Integrate Bloodhound into Jenkins pipelines for automated security scanning with build reports, quality gates, and trend tracking.

Setup

Configure Jenkins to use the Bloodhound CLI.

1. Install Node.js

Ensure Node.js 18+ is available on Jenkins agents or use Docker.

2. Add Credentials

Go to Manage Jenkins → Credentials. Add a Secret Text credential whose ID is bloodhound-license (the pipelines below look the credential up by that ID). Scope it to the folder or job that runs the scan rather than globally, so unrelated jobs cannot bind the license.

3. Install Plugins (Optional)

Install HTML Publisher plugin for report viewing and Warnings Next Generation for SARIF parsing.

Declarative Pipeline

Jenkinsfile
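// Declarative pipeline: install the Bloodhound CLI, scan ./src, publish the
// reports, and fail the build on any critical finding.
pipeline {
    agent any

    environment {
        // Bound from the Secret Text credential; Jenkins masks it in the console log.
        BLOODHOUND_LICENSE = credentials('bloodhound-license')
        // 'latest' matches the original unpinned install. Pin this to a reviewed
        // release so every build scans with the same, known CLI version.
        BLOODHOUND_CLI_VERSION = 'latest'
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Setup') {
            steps {
                sh 'npm install -g @agnech/cli@$BLOODHOUND_CLI_VERSION'
                // Single-quoted sh: the secret is expanded by the shell, not by
                // Groovy string interpolation, so it never lands in the build log.
                sh 'bloodhound license activate "$BLOODHOUND_LICENSE"'
            }
        }

        stage('Security Scan') {
            steps {
                sh '''
                    bloodhound scan \
                        --mode advanced \
                        --report html,json,sarif \
                        --output ./security-reports \
                        ./src
                '''
            }
            post {
                always {
                    // Tolerate a missing/empty report directory here: if the scan
                    // itself failed, that error (not a missing artifact) should be
                    // what the build reports. The Quality Gate stage checks the file.
                    archiveArtifacts artifacts: 'security-reports/**/*', allowEmptyArchive: true
                    publishHTML(target: [
                        allowMissing: true,
                        alwaysLinkToLastBuild: true,
                        keepAll: true,
                        reportDir: 'security-reports',
                        reportFiles: 'report.html',
                        reportName: 'Security Report'
                    ])
                }
            }
        }

        stage('Quality Gate') {
            steps {
                script {
                    def resultsFile = 'security-reports/results.json'
                    // A scan that produced no JSON must not pass the gate by default.
                    if (!fileExists(resultsFile)) {
                        error "Scan did not produce ${resultsFile}; refusing to pass the quality gate."
                    }
                    def results = readJSON file: resultsFile
                    // Guard against a report with no findings key (would otherwise NPE).
                    def findings = results.findings ?: []
                    def criticalCount = findings.findAll { it.severity == 'critical' }.size()

                    if (criticalCount > 0) {
                        error "Found ${criticalCount} critical vulnerabilities. Failing build."
                    }
                }
            }
        }
    }

    post {
        failure {
            // The attachments contain full finding details (paths, snippets);
            // make sure the developers() recipients are an internal audience.
            emailext(
                subject: "Security Scan Failed: ${env.JOB_NAME}",
                body: "Critical vulnerabilities found. See attached report or ${env.BUILD_URL}.",
                recipientProviders: [developers()],
                attachmentsPattern: 'security-reports/**/*'
            )
        }
    }
}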

Scripted Pipeline

Jenkinsfile
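// Scripted pipeline: scan ./src with the Bloodhound CLI and fail or mark the
// build unstable from the JSON results.
node {
    stage('Checkout') {
        checkout scm
    }

    stage('Security Scan') {
        // The license is bound only for this closure. The sh block is
        // single-quoted so $LICENSE is expanded by the shell, not by Groovy,
        // and therefore never appears in the build log.
        withCredentials([string(credentialsId: 'bloodhound-license', variable: 'LICENSE')]) {
            sh '''
                # Pin to a reviewed release (e.g. @agnech/cli@<version>) for reproducible scans.
                npm install -g @agnech/cli
                bloodhound license activate "$LICENSE"
                # Write the JSON to an explicit path so the next stage does not
                # depend on the CLI's default output location.
                bloodhound scan --mode advanced --report json --output results.json ./src
            '''
        }
    }

    stage('Process Results') {
        // Do not let a missing report pass silently.
        if (!fileExists('results.json')) {
            error "results.json not found; the scan did not complete"
        }
        def results = readJSON file: 'results.json'
        // Guard against a report with no findings key.
        def findings = results.findings ?: []

        // Create summary
        def critical = findings.findAll { it.severity == 'critical' }.size()
        def high = findings.findAll { it.severity == 'high' }.size()

        currentBuild.description = "Critical: ${critical}, High: ${high}"

        // Any critical finding fails the build; more than five highs marks it unstable.
        if (critical > 0) {
            currentBuild.result = 'FAILURE'
            error "Critical vulnerabilities found"
        } else if (high > 5) {
            currentBuild.result = 'UNSTABLE'
        }
    }
}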

Build Reports

Configure Jenkins to display security reports and track trends.

Jenkinsfile
// Using Warnings Next Generation Plugin for SARIF.
// Produces results.sarif and feeds it to recordIssues, whose quality gates
// set the build result from the finding counts.
pipeline {
    agent any

    stages {
        stage('Security Scan') {
            steps {
                // SARIF only; this listing assumes the CLI is installed and licensed.
                sh '''
                    bloodhound scan \
                        --report sarif \
                        --output results.sarif \
                        ./src
                '''
            }
            post {
                always {
                    // Runs regardless of the scan step's outcome.
                    recordIssues(
                        tools: [sarif(pattern: 'results.sarif')],
                        qualityGates: [
                            // One or more error-level findings fail the build.
                            [threshold: 1, type: 'TOTAL_ERROR', criticality: 'FAILURE'],
                            // Five or more high-severity findings mark it unstable.
                            [threshold: 5, type: 'TOTAL_HIGH', criticality: 'UNSTABLE']
                        ]
                    )
                }
            }
        }
    }
}

Trend Tracking

The Warnings Next Generation plugin tracks the recorded issue counts across successive builds of the job and charts them, so you can see whether findings are increasing or decreasing over time. Keep recordIssues in a post { always } block so that a failed scan step still records a data point instead of leaving a gap in the trend.