Vulkro on Jenkins
Vulkro runs on Jenkins as a couple of sh steps: install the CLI on the
agent, run vulkro scan ci, publish the SARIF and JUnit reports, and gate
pull requests against a base ref. The snippets below are self-contained, so
you can paste them straight into a Jenkinsfile.
Drop into a Jenkinsfile
pipeline {
agent any
environment { VULKRO_OFFLINE = '1' }
stages {
stage('Scan') {
steps {
sh '''
curl -fsSL https://vulkro.com/install.sh | sh
vulkro scan ci . --format sarif --output vulkro.sarif
vulkro scan ci . --format junit --output vulkro.junit.xml
'''
}
post {
always {
archiveArtifacts artifacts: 'vulkro.sarif, vulkro.junit.xml',
allowEmptyArchive: true
junit allowEmptyResults: true, testResults: 'vulkro.junit.xml'
}
}
}
stage('Gate') {
when { changeRequest() }
steps {
sh 'vulkro gate --base "origin/${CHANGE_TARGET}"'
}
}
}
}
vulkro scan ci runs the scan in CI mode and writes the requested format to
the path you pass with --output. Run it once per format you want to publish
(SARIF for code scanning, JUnit for the test-results view).
vulkro gate scans the working tree and the base ref and exits non-zero only
on findings that are new relative to the base, so pre-existing debt never
fails a pull request. See vulkro gate for the full flag list.
Offline by default
The pipeline sets VULKRO_OFFLINE=1 in the environment {} block so the
scanner never reaches the network from the agent, matching the offline-first
project posture. If a particular pipeline needs live CVE-feed updates inside
the scan, remove the env var.
Exit codes
| Code | Meaning |
|---|---|
0 | Clean: no findings or gate cleared. |
1 | Findings or gate failure. Mark the build FAILURE. |
2 | Internal error. Mark the build FAILURE. |