Skip to main content

Vulkro on Jenkins

Vulkro runs on Jenkins as a couple of sh steps: install the CLI on the agent, run vulkro scan ci, publish the SARIF and JUnit reports, and gate pull requests against a base ref. The snippets below are self-contained, so you can paste them straight into a Jenkinsfile.

Drop into a Jenkinsfile

pipeline {
agent any
environment { VULKRO_OFFLINE = '1' }
stages {
stage('Scan') {
steps {
sh '''
curl -fsSL https://vulkro.com/install.sh | sh
vulkro scan ci . --format sarif --output vulkro.sarif
vulkro scan ci . --format junit --output vulkro.junit.xml
'''
}
post {
always {
archiveArtifacts artifacts: 'vulkro.sarif, vulkro.junit.xml',
allowEmptyArchive: true
junit allowEmptyResults: true, testResults: 'vulkro.junit.xml'
}
}
}
stage('Gate') {
when { changeRequest() }
steps {
sh 'vulkro gate --base "origin/${CHANGE_TARGET}"'
}
}
}
}

vulkro scan ci runs the scan in CI mode and writes the requested format to the path you pass with --output. Run it once per format you want to publish (SARIF for code scanning, JUnit for the test-results view).

vulkro gate scans the working tree and the base ref and exits non-zero only on findings that are new relative to the base, so pre-existing debt never fails a pull request. See vulkro gate for the full flag list.

Offline by default

The pipeline sets VULKRO_OFFLINE=1 in the environment {} block so the scanner never reaches the network from the agent, matching the offline-first project posture. If a particular pipeline needs live CVE-feed updates inside the scan, remove the env var.

Exit codes

CodeMeaning
0Clean: no findings or gate cleared.
1Findings or gate failure. Mark the build FAILURE.
2Internal error. Mark the build FAILURE.