Jenkins Integration
Run Plexicus security scans inside your Jenkins pipelines using the Plexalyzer CLI Docker image. The pipeline posts scan results to the Plexicus backend in real time, where findings appear in the dashboard alongside remediation recommendations.
Prerequisites
Before you begin, make sure you have:
- A Jenkins instance with Docker available on the build agent (Docker socket mounted or Docker-in-Docker configured).
- A Plexicus account (SaaS at
https://app.plexicus.ai, or a self-hosted deployment). - The optional AnsiColor Jenkins plugin for coloured console output (Manage Jenkins → Plugins → Available → AnsiColor).
Step 1 — Generate a Plexalyzer token
The pipeline authenticates with the Plexicus backend using a dedicated Plexalyzer Token.
- Log in to the Plexicus dashboard.
- Navigate to Settings → Plexalyzer Token.
- Click Create token, enter a name and an optional expiry date.
- Click Copy token next to the new entry.
Keep the token value — you will add it to Jenkins credentials in the next step.
Step 2 — Add the credential in Jenkins
- Go to Manage Jenkins → Credentials → (Global) → Add Credentials.
- Kind: Secret text.
- Secret: paste the Plexalyzer token.
- ID:
plexalyzer-token(the pipeline looks for this exact ID). - Description: Plexalyzer API Token.
- Click Save.
Step 3 — Add pipeline files to your repository
Copy the following files from the plexicus/jenkins-cli-pipeline repository into your project:
.plexalyzer/
├── jenkins-plexalyzer-cli.groovy # canonical pipeline script
└── custom_config.yml # scan tool configuration
Jenkinsfile # root convenience entry point
The root Jenkinsfile loads .plexalyzer/jenkins-plexalyzer-cli.groovy automatically.
You can also configure Script Path to point directly to the canonical script if your
repository already has a root Jenkinsfile.
Scan configuration — custom_config.yml
Edit .plexalyzer/custom_config.yml to control which security tools run.
The valid tool names are:
| Category | Tool names |
|---|---|
| SAST | opengrep, bandit |
| SCA | grype |
| Secrets | gitleaks, trufflehog |
| Container | trivy-container |
| IaC | checkov-iac, checkov-configuration, checkov-container, checkov-ci/cd |
| Cloud | cloudsploit |
| DAST | nuclei |
| Pentest | strix |
| SBOM | syft |
| License | trivy-license |
| AI BOM | cdxgen-mlbom |
| Crypto BOM | cdxgen-cbom, opengrep-crypto |
| SCM | chainbench |
| Registry | trivy-registry |
Example configuration:
# .plexalyzer/custom_config.yml
# Skip tools that are not relevant to this repository type.
excluded_tools:
- strix # pentest engine — slow, requires network access
- cloudsploit # cloud scanner — only useful for cloud-config repos
# Alternatively, restrict the scan to a specific set of tools:
# included_tools:
# - opengrep
# - bandit
# - grype
# - gitleaks
# - trivy-license
Step 4 — Create the Jenkins Pipeline job
- Jenkins Dashboard → New Item → enter a name → Pipeline → OK.
- Scroll to the Pipeline section.
- Definition: Pipeline script from SCM.
- SCM: Git — enter your repository URL and credentials.
- Script Path:
Jenkinsfile(or.plexalyzer/jenkins-plexalyzer-cli.groovy). - Click Save.
Pipeline parameters
When you click Build with Parameters, the following options are available:
| Parameter | Default | Description |
|---|---|---|
PROJECT_NAME | my-project | Repository name shown in the Plexicus dashboard |
BRANCH_NAME | main | Branch label attached to findings |
OUTPUT_FORMAT | pretty | pretty (coloured console), json, or sarif |
DEFAULT_OWNER | plexicus | Default owner label for findings |
REPOSITORY_ID | (empty) | Existing repository ID; leave blank on the first scan |
AUTONOMOUS_SCAN | false | Enable autonomous AI remediation mode |
ONLY_GIT_CHANGES | false | Scan only files changed since the last commit |
PROGRESS_BAR | true | Show a progress bar in the console |
PLEXICUS_URL | https://app.plexicus.ai | Base URL of your Plexicus instance |
Set PLEXICUS_URL to your own hostname if you are running a self-hosted deployment.
Understanding results
Build status
| Exit code | Build status | Meaning |
|---|---|---|
0 | Success | Scan completed — no findings |
1 | Success | Scan completed — findings detected |
500 | Failure | Fatal: wrong token or backend unreachable |
| Other | Failure | Unexpected error — check the console log |
Both exit codes 0 and 1 indicate a completed scan. Exit 1 means the scanner found
security issues, but the build is still marked Success so that findings never block
delivery by default. To fail the build on findings, edit handleExitCode() in the
pipeline script and change case 1 to set currentBuild.result = 'FAILURE'.
Dashboard
Full findings — including severity, file location, remediation guidance, and AI-generated fixes — are available in the Plexicus dashboard at:
https://app.plexicus.ai/repositories
Archived artefacts
When OUTPUT_FORMAT is set to json or sarif, the scan output is saved as a build
artefact (plexalyzer-results.json or plexalyzer-results.sarif) and is also echoed to
the console log.
Incremental scans
Set ONLY_GIT_CHANGES = true to limit the scan to files changed since the previous
commit. The pipeline runs git diff HEAD~1 HEAD and passes the resulting file list to the
CLI via --files. On shallow clones (common when SCM checkout depth is 1) the pipeline
falls back to git diff HEAD automatically.
Troubleshooting
Exit code 500 — failed to create task
The CLI could not reach the Plexicus backend or the token was rejected.
- Verify the
plexalyzer-tokencredential exists and is not expired. - Test connectivity from the agent:
curl -I <PLEXICUS_URL>/plexalyzer-message-receipts. - Regenerate the token from Settings → Plexalyzer Token if needed.
Docker not available on the agent
- Confirm Docker is installed:
docker --version. - Confirm the Docker socket is mounted or DinD is configured.
- Test with:
docker info.
Shallow clone — ONLY_GIT_CHANGES shows no files
Configure your Jenkins SCM checkout with depth: 2 or higher so HEAD~1 resolves. The
pipeline falls back gracefully but may show an empty file list on depth-1 clones.
ANSI escape codes appear as raw characters
Install the AnsiColor plugin and enable it for the job: Job configuration → Build Environment → Color ANSI Console Output.
Tool name not recognised in custom_config.yml
Use only the tool names listed in the table above. The following legacy names are no
longer valid and will be silently ignored: trivy-sbom (use syft),
trivy-sca (use grype), kics-container (use checkov-container).
Next steps
After your first successful scan, navigate to the Plexicus dashboard to:
- Review findings grouped by severity and category.
- Assign owners and track remediation status.
- Set up notifications for new critical findings.
- Configure policy rules to enforce security standards across repositories.