Skip to main content

Jenkins Integration

Run Plexicus security scans inside your Jenkins pipelines using the Plexalyzer CLI Docker image. The pipeline posts scan results to the Plexicus backend in real time, where findings appear in the dashboard alongside remediation recommendations.

Prerequisites

Before you begin, make sure you have:

  • A Jenkins instance with Docker available on the build agent (Docker socket mounted or Docker-in-Docker configured).
  • A Plexicus account (SaaS at https://app.plexicus.ai, or a self-hosted deployment).
  • The optional AnsiColor Jenkins plugin for coloured console output (Manage Jenkins → Plugins → Available → AnsiColor).

Step 1 — Generate a Plexalyzer token

The pipeline authenticates with the Plexicus backend using a dedicated Plexalyzer Token.

  1. Log in to the Plexicus dashboard.
  2. Navigate to Settings → Plexalyzer Token.
  3. Click Create token, enter a name and an optional expiry date.
  4. Click Copy token next to the new entry.

Keep the token value — you will add it to Jenkins credentials in the next step.

Step 2 — Add the credential in Jenkins

  1. Go to Manage Jenkins → Credentials → (Global) → Add Credentials.
  2. Kind: Secret text.
  3. Secret: paste the Plexalyzer token.
  4. ID: plexalyzer-token (the pipeline looks for this exact ID).
  5. Description: Plexalyzer API Token.
  6. Click Save.

Step 3 — Add pipeline files to your repository

Copy the following files from the plexicus/jenkins-cli-pipeline repository into your project:

.plexalyzer/
├── jenkins-plexalyzer-cli.groovy # canonical pipeline script
└── custom_config.yml # scan tool configuration
Jenkinsfile # root convenience entry point

The root Jenkinsfile loads .plexalyzer/jenkins-plexalyzer-cli.groovy automatically. You can also configure Script Path to point directly to the canonical script if your repository already has a root Jenkinsfile.

Scan configuration — custom_config.yml

Edit .plexalyzer/custom_config.yml to control which security tools run. The valid tool names are:

CategoryTool names
SASTopengrep, bandit
SCAgrype
Secretsgitleaks, trufflehog
Containertrivy-container
IaCcheckov-iac, checkov-configuration, checkov-container, checkov-ci/cd
Cloudcloudsploit
DASTnuclei
Penteststrix
SBOMsyft
Licensetrivy-license
AI BOMcdxgen-mlbom
Crypto BOMcdxgen-cbom, opengrep-crypto
SCMchainbench
Registrytrivy-registry

Example configuration:

# .plexalyzer/custom_config.yml

# Skip tools that are not relevant to this repository type.
excluded_tools:
- strix # pentest engine — slow, requires network access
- cloudsploit # cloud scanner — only useful for cloud-config repos

# Alternatively, restrict the scan to a specific set of tools:
# included_tools:
# - opengrep
# - bandit
# - grype
# - gitleaks
# - trivy-license

Step 4 — Create the Jenkins Pipeline job

  1. Jenkins Dashboard → New Item → enter a name → PipelineOK.
  2. Scroll to the Pipeline section.
  3. Definition: Pipeline script from SCM.
  4. SCM: Git — enter your repository URL and credentials.
  5. Script Path: Jenkinsfile (or .plexalyzer/jenkins-plexalyzer-cli.groovy).
  6. Click Save.

Pipeline parameters

When you click Build with Parameters, the following options are available:

ParameterDefaultDescription
PROJECT_NAMEmy-projectRepository name shown in the Plexicus dashboard
BRANCH_NAMEmainBranch label attached to findings
OUTPUT_FORMATprettypretty (coloured console), json, or sarif
DEFAULT_OWNERplexicusDefault owner label for findings
REPOSITORY_ID(empty)Existing repository ID; leave blank on the first scan
AUTONOMOUS_SCANfalseEnable autonomous AI remediation mode
ONLY_GIT_CHANGESfalseScan only files changed since the last commit
PROGRESS_BARtrueShow a progress bar in the console
PLEXICUS_URLhttps://app.plexicus.aiBase URL of your Plexicus instance

Set PLEXICUS_URL to your own hostname if you are running a self-hosted deployment.

Understanding results

Build status

Exit codeBuild statusMeaning
0SuccessScan completed — no findings
1SuccessScan completed — findings detected
500FailureFatal: wrong token or backend unreachable
OtherFailureUnexpected error — check the console log

Both exit codes 0 and 1 indicate a completed scan. Exit 1 means the scanner found security issues, but the build is still marked Success so that findings never block delivery by default. To fail the build on findings, edit handleExitCode() in the pipeline script and change case 1 to set currentBuild.result = 'FAILURE'.

Dashboard

Full findings — including severity, file location, remediation guidance, and AI-generated fixes — are available in the Plexicus dashboard at:

https://app.plexicus.ai/repositories

Archived artefacts

When OUTPUT_FORMAT is set to json or sarif, the scan output is saved as a build artefact (plexalyzer-results.json or plexalyzer-results.sarif) and is also echoed to the console log.

Incremental scans

Set ONLY_GIT_CHANGES = true to limit the scan to files changed since the previous commit. The pipeline runs git diff HEAD~1 HEAD and passes the resulting file list to the CLI via --files. On shallow clones (common when SCM checkout depth is 1) the pipeline falls back to git diff HEAD automatically.

Troubleshooting

Exit code 500 — failed to create task

The CLI could not reach the Plexicus backend or the token was rejected.

  • Verify the plexalyzer-token credential exists and is not expired.
  • Test connectivity from the agent: curl -I <PLEXICUS_URL>/plexalyzer-message-receipts.
  • Regenerate the token from Settings → Plexalyzer Token if needed.

Docker not available on the agent

  • Confirm Docker is installed: docker --version.
  • Confirm the Docker socket is mounted or DinD is configured.
  • Test with: docker info.

Shallow clone — ONLY_GIT_CHANGES shows no files

Configure your Jenkins SCM checkout with depth: 2 or higher so HEAD~1 resolves. The pipeline falls back gracefully but may show an empty file list on depth-1 clones.

ANSI escape codes appear as raw characters

Install the AnsiColor plugin and enable it for the job: Job configuration → Build Environment → Color ANSI Console Output.

Tool name not recognised in custom_config.yml

Use only the tool names listed in the table above. The following legacy names are no longer valid and will be silently ignored: trivy-sbom (use syft), trivy-sca (use grype), kics-container (use checkov-container).

Next steps

After your first successful scan, navigate to the Plexicus dashboard to:

  • Review findings grouped by severity and category.
  • Assign owners and track remediation status.
  • Set up notifications for new critical findings.
  • Configure policy rules to enforce security standards across repositories.