Vulkro on Jenkins
Vulkro ships a Jenkins shared library, so adding the scanner to a
Jenkinsfile is two `steps {}` blocks. The library source lives at
`integrations/jenkins/` in the main repository.
Configure the library once per controller
Manage Jenkins -> Configure System -> Global Pipeline Libraries:
- Library name: `vulkro-pipeline`
- Source: Git, pointing at this repository
- Default version: a tag (`v1.0.0`), not a branch, so a controller doesn't track unreleased changes
Drop into a Jenkinsfile
```groovy
@Library('vulkro-pipeline') _

pipeline {
    agent any
    // Keep the scanner off the network from the agent (see "Offline by default").
    environment { VULKRO_OFFLINE = '1' }
    stages {
        stage('Scan') {
            steps {
                vulkroScan(path: '.', formats: ['sarif', 'junit'])
            }
            post {
                always {
                    // Archive and publish the reports even when the scan step failed the build.
                    archiveArtifacts artifacts: 'vulkro.sarif, vulkro.junit.xml',
                                     allowEmptyArchive: true
                    junit allowEmptyResults: true, testResults: 'vulkro.junit.xml'
                }
            }
        }
        stage('Gate') {
            // Only gate on pull/change requests, where CHANGE_TARGET is defined.
            when { changeRequest() }
            steps {
                vulkroGate(base: env.CHANGE_TARGET, failOn: 'high')
            }
        }
    }
}
```
The repo ships an example Jenkinsfile at `integrations/jenkins/Jenkinsfile.example`.
Library entry points
`vulkroScan(...)`
Installs the Vulkro CLI on the agent, runs `vulkro scan ci`, and writes
the requested report formats into the workspace root (which is where the
`archiveArtifacts` and `junit` steps above look for them).
```groovy
vulkroScan(
    version: '',                   // pin a release, or '' for latest
    path: '.',                     // project subdir to scan
    formats: ['sarif', 'junit'],   // any of sarif, junit, json, ndjson
)
```
`vulkroGate(...)`
Runs `vulkro gate` against a base ref and sets `currentBuild.result = 'FAILURE'`
on exit code 1 (new findings at or above `failOn`) or 2 (internal error). An
internal error is deliberately not treated as a passed gate.
```groovy
vulkroGate(
    base: env.CHANGE_TARGET ?: 'origin/main',   // fall back to main outside a change request
    failOn: 'high',
)
```
Offline by default
The example pipeline sets `VULKRO_OFFLINE=1` in the `environment {}`
block so the scanner never reaches the network from the agent. This
matches the "offline-first" project posture; if a particular pipeline
needs live CVE-feed updates inside the scan, remove the variable from
that pipeline's `environment {}` block.
Exit codes
| Code | Meaning |
|---|---|
| 0 | Clean: no findings, or the gate cleared. |
| 1 | Findings (scan) or gate failure. `currentBuild.result = 'FAILURE'`. |
| 2 | Internal error. `currentBuild.result = 'FAILURE'`. |
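To show how the `vulkroGate(...)` entry point and the exit-code table above fit together, here is an added sketch of a `vars/vulkroGate.groovy` step written the way a Jenkins shared-library step is normally structured. It is example code written for this page, not the source of the `vulkro-pipeline` library. The CLI flags `--base` and `--fail-on`, the accepted `failOn` severities, and the ref-name pattern are assumptions; check them against `vulkro gate --help` for the release you pin.

```groovy
// vars/vulkroGate.groovy  (hypothetical example; not the library's actual source)
// Assumes the CLI is invoked as: vulkro gate --base <ref> --fail-on <severity>
def call(Map args = [:]) {
    String base   = args.base   ?: 'origin/main'
    String failOn = args.failOn ?: 'high'

    // Both values end up on a shell command line, so validate their shape
    // before interpolating them. Severity list is an assumption.
    List allowed = ['low', 'medium', 'high', 'critical']
    if (!(failOn in allowed)) {
        error "vulkroGate: unsupported failOn '${failOn}' (expected one of ${allowed})"
    }
    if (!(base ==~ /[A-Za-z0-9._\/-]+/)) {
        error "vulkroGate: refusing base ref '${base}' (unexpected characters)"
    }

    // returnStatus: true stops sh() from throwing on a non-zero exit, so the
    // step can tell exit 1 (new findings) apart from exit 2 (internal error)
    // instead of collapsing both into a generic step failure.
    int rc = sh(
        returnStatus: true,
        script: "vulkro gate --base '${base}' --fail-on '${failOn}'"
    )

    switch (rc) {
        case 0:
            echo "vulkroGate: clean, no new findings at or above '${failOn}' vs ${base}"
            break
        case 1:
            currentBuild.result = 'FAILURE'
            error "vulkroGate: new findings at or above '${failOn}' relative to ${base}"
        case 2:
            currentBuild.result = 'FAILURE'
            // An internal error is a failed gate, never a clean one.
            error "vulkroGate: scanner reported an internal error (exit 2)"
        default:
            currentBuild.result = 'FAILURE'
            error "vulkroGate: unexpected exit code ${rc} from vulkro gate"
    }
    return rc
}
```

The example sets `currentBuild.result` and then calls `error`, which also aborts the current stage; the page only promises the former, so drop the `error` calls if you want later stages to keep running after a failed gate. The input validation is not optional: `base` and `failOn` come from the Jenkinsfile, and a change-request branch name flows into `CHANGE_TARGET`, so anything interpolated into `sh` should be constrained before use.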