Jenkins Integration

Integrate Cloudgeni security scanning into your Jenkins pipelines to automatically check Infrastructure as Code for security issues during your build process.

What You'll Get

Automated security scanning in your CI/CD pipeline
Build quality gates that block insecure code
Pipeline integration with declarative and scripted syntax
Detailed reports published as build artifacts
Webhook triggers for automated scanning

Prerequisites

Before You Start

Jenkins server with Pipeline plugin installed
Cloudgeni account and API key
Repository containing IaC files (.tf, .bicep, .hcl, .yaml, etc.)

Quick Start

Step 1: Create API Key

Go to Settings → API Keys in Cloudgeni
Click Create API Key
Name it jenkins
Copy the generated key

Step 2: Add Jenkins Credential

Go to Manage Jenkins → Manage Credentials
Select appropriate domain (or Global)
Click Add Credentials
Configure:
- Kind: Secret text
- Secret: Your Cloudgeni API key
- ID: cloudgeni-api-key
- Description: Cloudgeni API Key
Click OK

Step 3: Create Pipeline

Create a Jenkinsfile in your repository:

pipeline {
    agent any

    environment {
        CLOUDGENI_API_KEY = credentials('cloudgeni-api-key')
    }

    stages {
        stage('Security Scan') {
            steps {
                sh '''
                    curl -sSL https://get.cloudgeni.ai/install.sh | bash
                    cloudgeni scan --api-key $CLOUDGENI_API_KEY
                '''
            }
        }
    }
}

Configuration Options

Scanner Options

Option	Description	Default
`--api-key`	Cloudgeni API key	Required
`--fail-on-critical`	Exit 1 on critical findings	`false`
`--fail-on-high`	Exit 1 on high findings	`false`
`--path`	Directory to scan	`.`
`--exclude`	Paths to exclude	None
`--output`	Output format (text, json, junit)	`text`

Basic Stage

stage('Security Scan') {
    steps {
        sh 'cloudgeni scan --api-key $CLOUDGENI_API_KEY'
    }
}

Strict Mode

stage('Security Scan') {
    steps {
        sh '''
            cloudgeni scan \
                --api-key $CLOUDGENI_API_KEY \
                --fail-on-critical \
                --fail-on-high
        '''
    }
}

Pipeline Examples

Declarative Pipeline

pipeline {
    agent any

    environment {
        CLOUDGENI_API_KEY = credentials('cloudgeni-api-key')
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Security Scan') {
            steps {
                sh '''
                    curl -sSL https://get.cloudgeni.ai/install.sh | bash
                    cloudgeni scan --api-key $CLOUDGENI_API_KEY --fail-on-critical
                '''
            }
        }

        stage('Terraform Plan') {
            steps {
                sh '''
                    terraform init
                    terraform plan -out=tfplan
                '''
            }
        }
    }

    post {
        always {
            archiveArtifacts artifacts: '**/cloudgeni-report.*', allowEmptyArchive: true
        }
    }
}

Scripted Pipeline

node {
    def cloudgeniKey = credentials('cloudgeni-api-key')

    stage('Checkout') {
        checkout scm
    }

    stage('Install Cloudgeni') {
        sh 'curl -sSL https://get.cloudgeni.ai/install.sh | bash'
    }

    stage('Security Scan') {
        try {
            sh "cloudgeni scan --api-key ${cloudgeniKey} --fail-on-critical --output json > cloudgeni-report.json"
        } catch (err) {
            currentBuild.result = 'UNSTABLE'
            echo "Security findings detected: ${err}"
        } finally {
            archiveArtifacts 'cloudgeni-report.json'
        }
    }

    stage('Plan') {
        if (currentBuild.result != 'UNSTABLE') {
            sh 'terraform plan'
        }
    }
}

Production Pipeline

pipeline {
    agent any

    environment {
        CLOUDGENI_API_KEY = credentials('cloudgeni-api-key')
        TF_ROOT = 'infrastructure'
    }

    options {
        timeout(time: 30, unit: 'MINUTES')
        disableConcurrentBuilds()
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Install Tools') {
            steps {
                sh '''
                    # Install Cloudgeni
                    curl -sSL https://get.cloudgeni.ai/install.sh | bash

                    # Verify installation
                    cloudgeni --version
                '''
            }
        }

        stage('Security Scan') {
            steps {
                dir("${TF_ROOT}") {
                    sh '''
                        cloudgeni scan \
                            --api-key $CLOUDGENI_API_KEY \
                            --fail-on-critical \
                            --fail-on-high \
                            --output json > ../cloudgeni-report.json
                    '''
                }
            }
            post {
                always {
                    archiveArtifacts artifacts: 'cloudgeni-report.json', allowEmptyArchive: true
                }
            }
        }

        stage('Terraform Init') {
            steps {
                dir("${TF_ROOT}") {
                    sh 'terraform init'
                }
            }
        }

        stage('Terraform Plan') {
            steps {
                dir("${TF_ROOT}") {
                    sh 'terraform plan -out=tfplan'
                }
            }
        }

        stage('Approval') {
            when {
                branch 'main'
            }
            steps {
                input message: 'Deploy to production?', ok: 'Deploy'
            }
        }

        stage('Terraform Apply') {
            when {
                branch 'main'
            }
            steps {
                dir("${TF_ROOT}") {
                    sh 'terraform apply -auto-approve tfplan'
                }
            }
        }
    }

    post {
        failure {
            emailext(
                subject: "Security Scan Failed: ${currentBuild.fullDisplayName}",
                body: "Security issues detected. Check build: ${env.BUILD_URL}",
                recipientProviders: [requestor()]
            )
        }
    }
}

Multi-Branch Pipeline

pipeline {
    agent any

    environment {
        CLOUDGENI_API_KEY = credentials('cloudgeni-api-key')
    }

    stages {
        stage('Security Scan') {
            steps {
                script {
                    def scanArgs = '--api-key $CLOUDGENI_API_KEY --fail-on-critical'

                    // Stricter checks for main branch
                    if (env.BRANCH_NAME == 'main') {
                        scanArgs += ' --fail-on-high'
                    }

                    sh "cloudgeni scan ${scanArgs}"
                }
            }
        }
    }
}

Docker Agent

Using Docker for consistent environments:

pipeline {
    agent {
        docker {
            image 'cloudgeni/scanner:latest'
        }
    }

    environment {
        CLOUDGENI_API_KEY = credentials('cloudgeni-api-key')
    }

    stages {
        stage('Scan') {
            steps {
                sh 'cloudgeni scan --api-key $CLOUDGENI_API_KEY'
            }
        }
    }
}

Reports and Artifacts

JUnit Report

Publish as test results:

stage('Security Scan') {
    steps {
        sh 'cloudgeni scan --api-key $CLOUDGENI_API_KEY --output junit > security-results.xml'
    }
    post {
        always {
            junit 'security-results.xml'
        }
    }
}

HTML Report

Generate HTML report:

stage('Security Scan') {
    steps {
        sh 'cloudgeni scan --api-key $CLOUDGENI_API_KEY --output html > security-report.html'
    }
    post {
        always {
            publishHTML(target: [
                allowMissing: false,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: '.',
                reportFiles: 'security-report.html',
                reportName: 'Security Report'
            ])
        }
    }
}

JSON Artifact

Archive JSON report:

post {
    always {
        archiveArtifacts artifacts: '**/cloudgeni-report.json', allowEmptyArchive: true
    }
}

Webhook Triggers

GitHub Webhook

Configure webhook to trigger on push:

In Jenkins, create a new Pipeline job
Configure Build Triggers → GitHub hook trigger for GITScm polling
In GitHub, add webhook pointing to Jenkins

GitLab Webhook

Install GitLab plugin in Jenkins
Configure GitLab connection in Jenkins
Enable Build when a change is pushed to GitLab
Add webhook in GitLab project settings

Shared Libraries

Create reusable scanning function:

// vars/cloudgeniScan.groovy
def call(Map config = [:]) {
    def apiKey = config.apiKey ?: 'cloudgeni-api-key'
    def path = config.path ?: '.'
    def failOnCritical = config.failOnCritical ?: true
    def failOnHigh = config.failOnHigh ?: false

    withCredentials([string(credentialsId: apiKey, variable: 'CLOUDGENI_API_KEY')]) {
        def args = "--api-key ${CLOUDGENI_API_KEY} --path ${path}"
        if (failOnCritical) args += ' --fail-on-critical'
        if (failOnHigh) args += ' --fail-on-high'

        sh "cloudgeni scan ${args}"
    }
}

Use in pipeline:

@Library('my-shared-library') _

pipeline {
    agent any
    stages {
        stage('Security') {
            steps {
                cloudgeniScan(
                    path: './infrastructure',
                    failOnCritical: true,
                    failOnHigh: true
                )
            }
        }
    }
}

Troubleshooting

Common Issues

Credential Not Found:

Verify credential ID matches
Check credential scope includes the job
Ensure credential type is correct (Secret text)

Command Not Found:

Verify installation step completed
Check PATH includes Cloudgeni binary
Try using full path to binary

Permission Denied:

Check workspace permissions
Verify Jenkins user can execute scripts
Review file permissions on IaC files

Build Timeout:

Add timeout to pipeline options
Consider scanning specific paths
Check for large files in repository

No Test Results:

Verify output format is junit
Check file path in junit step
Ensure scan completed successfully

GitHub Setup

Connect GitHub repositories

PR Reviews

Automated security reviews

Static Analysis

Understanding scan results

API Reference

API authentication details

Getting Started

Features

Integrations

CLI

Scanning & Findings

Remediation

Compliance

Examples

Troubleshooting

Support

​Jenkins Integration

What You'll Get

​Prerequisites

​Quick Start

​Step 1: Create API Key

​Step 2: Add Jenkins Credential

​Step 3: Create Pipeline

​Configuration Options

​Scanner Options

​Basic Stage

​Strict Mode

​Pipeline Examples

​Declarative Pipeline

​Scripted Pipeline

​Production Pipeline

​Multi-Branch Pipeline

​Docker Agent

​Reports and Artifacts

​JUnit Report

​HTML Report

​JSON Artifact

​Webhook Triggers

​GitHub Webhook

​GitLab Webhook

​Shared Libraries

​Troubleshooting

​Related Documentation

GitHub Setup

PR Reviews

Static Analysis

API Reference

Jenkins Integration

Prerequisites

Quick Start

Step 1: Create API Key

Step 2: Add Jenkins Credential

Step 3: Create Pipeline

Configuration Options

Scanner Options

Basic Stage

Strict Mode

Pipeline Examples

Declarative Pipeline

Scripted Pipeline

Production Pipeline

Multi-Branch Pipeline

Docker Agent

Reports and Artifacts

JUnit Report

HTML Report

JSON Artifact

Webhook Triggers

GitHub Webhook

GitLab Webhook

Shared Libraries

Troubleshooting

Related Documentation