Skip to main content

Jenkins Pipeline

Add the following to your Jenkinsfile. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues: 
pipeline {
    agent any
    
    environment {
        ACCESS_TOKEN = credentials('ACCESS_TOKEN')
        API_BASE = 'https://api.codeant.ai'
    }
    
    stages {
        stage('Quality Gate Scan') {
            steps {
                script {
                    echo "�  Setting up environment variables"
                    
                    // Extract repository information
                    def repoUrl = env.GIT_URL
                    def repoName = ""
                    
                    if (repoUrl.contains('github.com')) {
                        repoName = repoUrl.replaceAll(/.*github\.com[\/:]([^\/]+\/[^\/]+)\.git.*/, '$1')
                    } else if (repoUrl.contains('gitlab.com')) {
                        repoName = repoUrl.replaceAll(/.*gitlab\.com[\/:]([^\/]+\/[^\/]+)\.git.*/, '$1')
                    } else {
                        // For other Git providers, extract org/repo from URL
                        repoName = repoUrl.replaceAll(/.*[\/:]([^\/]+\/[^\/]+)\.git.*/, '$1')
                    }
                    
                    echo "=
 Debug Info:"
                    echo "  Repository URL: ${env.GIT_URL}"
                    echo "  Repository: ${repoName}"
                    echo "  Commit: ${env.GIT_COMMIT}"
                    echo "  Branch: ${env.GIT_BRANCH}"
                    echo "  Build Number: ${env.BUILD_NUMBER}"
                    
                    if (!env.ACCESS_TOKEN) {
                        error "L ERROR: ACCESS_TOKEN is not set!"
                    }
                    
                    echo "=� Downloading CodeAnt quality gates script..."
                    sh """
                        curl -sS -X GET "${API_BASE}/analysis/ci/quality-gates/script/get" \\
                            --output quality_gates.sh.b64
                    """
                    
                    echo "�  Decoding and making script executable"
                    sh """
                        base64 -d quality_gates.sh.b64 > quality_gates.sh
                        chmod +x quality_gates.sh
                    """
                    
                    echo "=� Starting quality gate scan..."
                    sh """
                        ./quality_gates.sh \\
                            -a "${ACCESS_TOKEN}" \\
                            -r "${repoName}" \\
                            -c "${env.GIT_COMMIT}" \\
                            -s jenkins \\
                            -o start
                    """
                    echo "Quality gate scan initiated successfully"
                    
                    echo "=
 Polling for quality gate results..."
                    sh """
                        ./quality_gates.sh \\
                            -a "${ACCESS_TOKEN}" \\
                            -r "${repoName}" \\
                            -c "${env.GIT_COMMIT}" \\
                            -s jenkins \\
                            -o results \\
                            -t 300 \\
                            -p 15
                    """
                    
                    echo " Quality Gate PASSED "
                }
            }
            post {
                failure {
                    echo "L Quality Gate FAILED "
                }
                always {
                    // Clean up script files
                    sh """
                        rm -f quality_gates.sh quality_gates.sh.b64
                    """
                }
            }
        }
    }
    
    triggers {
        // Trigger on SCM changes
        scm('H/5 * * * *')
    }
}
Important:
  • In Manage Jenkins � Credentials, add a Secret text credential with ID ACCESS_TOKEN containing your personal access token.
  • Jenkins automatically provides ${env.GIT_URL} (repository URL), ${env.GIT_COMMIT} (commit SHA), and other build variables.

How it works

  1. Setup environment
    Extract repository information from Jenkins built-in environment variables.
  2. Download script
    We fetch the quality gates script (quality_gates.sh) from the CodeAnt API endpoint.
  3. Start scan
    The script initiates a quality gate scan for your commit using the -o start operation.
  4. Poll for results
    The script polls for scan results using the -o results operation with:
    • Timeout: 300 seconds (5 minutes)
    • Poll interval: 15 seconds
  5. Pipeline feedback
    • Success: Quality gate passes if no secrets are detected
    • Failure: Quality gate fails if secrets are found, blocking the build

Script Parameters

The quality_gates.sh script accepts the following parameters:
ParameterDescriptionRequiredExample
-a, --access-tokenPersonal Access Token or repo tokenYes${ACCESS_TOKEN}
-r, --repoRepository in format owner/repositoryYes${repoName}
-c, --commit-idCommit SHA to scanYes${env.GIT_COMMIT}
-s, --serviceVCS providerYesjenkins
-o, --operationOperation to perform (start or results)Yesstart or results
-t, --timeoutTimeout in seconds for polling (default: 300)No300
-p, --poll-intervalPoll interval in seconds (default: 15)No15
-u, --base-urlBase URL for VCS service (optional)Nohttps://github.com

Quality Gate Checks

Currently, the quality gate performs the following checks:

Secret Detection

  • Scans for hardcoded secrets, API keys, passwords, and tokens
  • Analyzes only the changed lines since your merge base commit
  • Uses high-confidence detection to minimize false positives
  • Blocks the build if any secrets are found

Best Practices

  1. Run on all branches: Quality gates should run on every push to catch issues early
  2. Block builds: Configure Jenkins to fail the build when quality gates fail
  3. Review failures: When quality gates fail, review the detected issues immediately
  4. Keep tokens secure: Never commit access tokens directly - always use Jenkins Credentials
  5. Use shared libraries: Create shared pipeline libraries for reusable quality gate steps

Jenkins Built-in Variables

The following Jenkins built-in variables are automatically available and used:
VariableDescriptionExample
${env.GIT_URL}Repository URLhttps://github.com/user/repo.git
${env.GIT_COMMIT}Current commit SHAabc123def456
${env.GIT_BRANCH}Current branch nameorigin/main
${env.BUILD_NUMBER}Build number42
${env.JOB_NAME}Job namemy-project/main
${env.WORKSPACE}Workspace directory/var/jenkins_home/workspace/job

Troubleshooting

Quality gate times out

If the scan takes longer than expected:
  • Increase the timeout using -t 600 (10 minutes)
  • Check if the CodeAnt service is operational
  • Consider optimizing your repository size

Authentication failures

If you see “Access token invalid”:
  • Verify your ACCESS_TOKEN credential is correctly configured in Jenkins Credentials
  • Ensure the token has appropriate repository permissions
  • Check that the credential ID matches exactly

No results returned

If the scan completes but returns no results:
  • Check that quality gates are enabled for your repository in CodeAnt
  • Verify the commit SHA is correct
  • Ensure your Jenkins instance has proper integration with CodeAnt

Repository format issues

If you see “Invalid repository format”:
  • Verify the repository format is extracted correctly from GIT_URL
  • Check that the repository name follows owner/repository format
  • Debug the repository extraction by adding echo statements

Permission issues

If you see permission denied errors:
  • Ensure Jenkins has permission to execute shell scripts
  • Check that the workspace is writable
  • Verify curl is installed on Jenkins agents
With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards in your Jenkins pipelines.