Jenkins Pipeline Workflow
Add the following to yourJenkinsfile. It will trigger on every build and kick off a CodeAnt analysis scan:
Script Parameters
Thestart_scan.sh script accepts the following parameters:
Required Parameters
Optional Parameters
Scanner Options
🔍 Available Scanners: The--scanners flag allows you to customize which security scanners run during analysis:
sast- Static Application Security Testing (code vulnerabilities)sca- Software Composition Analysis (dependency vulnerabilities)secrets- Secret detection (API keys, passwords, tokens)antipatterns- Code quality and duplicate code detectioniac- Infrastructure as Code security (Terraform, CloudFormation, etc.)all- Run all available scanners
sast,sca
Examples:
- Run all scanners:
--scanners "all" - Only SAST:
--scanners "sast" - SAST + Secrets:
--scanners "sast,secrets" - Full security suite:
--scanners "sast,sca,secrets,iac"
Quality Gate Enforcement
🚦 Block the build on the whole-repository posture: Pass--quality-gate (-q) to turn the scan into an enforced gate. After the scan completes, CodeAnt evaluates the entire repository against your thresholds and the script exits non-zero if the gate fails - failing the pipeline. This is the Checkmarx / SonarQube-style whole-repo gate; it is independent of the new-code/PR quality gate.
Configure thresholds in Settings → Code Analysis → Quality Gates using the “(Full Code / CI Pipeline)” metrics. These run only in the pipeline, never on pull requests:
(Full Code / CI Pipeline) SAST Security Rating≤C(Full Code / CI Pipeline) SCA Security Rating≤C(Full Code / CI Pipeline) IaC Security Rating≤C(Full Code / CI Pipeline) Duplicate Code Percentage>30
--scanners to scope the gate (e.g. --scanners "sast,sca").
Reports are written to the workspace and can be published:
codeant.sarif- SARIF 2.1.0 for the code-scanning tabcodeant-qg.xml- JUnit XML (renders as a native test report)results.json- full verdict, per-metric ratings, and findings
Note:--quality-gaterequires a commit SHA (-c) and cannot be combined with--no-wait(the gate needs the scan results).
Execution Time Considerations
⏱️ Performance Options:-
With result waiting (default): ~7 minutes
- Triggers scan and waits for complete analysis results
- Includes both security and SCA (Software Composition Analysis) results
- Best for comprehensive CI/CD pipelines where you need immediate feedback
-
With
--no-waitflag: ~2 minutes- Only triggers the scan and returns immediately
- Results can be fetched later or viewed in the CodeAnt dashboard
- Ideal for faster CI runs or when results can be processed asynchronously
Example Configurations
Fast CI Mode (No Wait)
Comprehensive Analysis (Wait for Results)
Custom File Filtering
Parameterized Pipeline
Tips:
- Create a CodeAnt token under API Tokens in the user menu (your email at the bottom-left) - see API Tokens and add it as a Secret text credential with the ID
codeant-tokenin Jenkins → Credentials → System → Global credentials- Use
--no-waitfor PR checks to keep them fast, and full analysis for main branch merges- Adjust timeout based on your repository size - larger repos may need more time
- File patterns support standard glob syntax for precise control over what gets analyzed
- Customize scanners based on your needs - use
--scanners "all"for comprehensive coverage or specific combinations like--scanners "sast,secrets"for targeted security checks- Default scanners (
sast,sca) provide a good balance between coverage and execution time
How it works
-
Download script
We fetch a small Bash helper (
start_scan.sh) from the CodeAnt CI endpoint. - Make it runnable Mark the script executable so you can invoke it directly.
-
Invoke the scan
The script POSTs your repo, commit, and file-globs to
/analysis/ci/scan, using your token for auth. -
Pipeline feedback
- On success, you’ll see a parsed JSON response in the job log.
- On failure (non-2xx HTTP), the script exits non-zero, failing your pipeline immediately.
cdt_…). If the token is scoped, give it the Codeant CI/CD role - it covers scans, quality gates, and test-coverage upload - scoped to the repositories this pipeline runs on (or All repositories). A token missing the required permission is rejected with an HTTP 403 token_scope_forbidden error that names the permission it needs. See API token permissions.