
Jenkins

There are two ways to integrate Gerion into Jenkins. Choose whichever fits your setup:

  • Option A — Declarative Pipeline: copy the Jenkinsfile directly into your repository.
  • Option B — Shared Library (JSL): register the library in Jenkins and use gerionScan() in any pipeline with a single line.

Prerequisites

Add the following credentials in Manage Jenkins → Credentials:

ID              Type         Description
gerion-api-url  Secret text  Gerion API Gateway URL
gerion-api-key  Secret text  M2M API key for your organization

The Jenkins agent running the pipeline must have Docker available.


Option A — Declarative Pipeline

Copy this Jenkinsfile to the root of your repository:

pipeline {
  agent {
    label 'docker'
  }
  options {
    timeout(time: 30, unit: 'MINUTES')
    buildDiscarder(logRotator(numToKeepStr: '30'))
    disableConcurrentBuilds()
  }
  triggers {
    cron('0 2 * * *') // Nightly run at 02:00
  }
  environment {
    // :latest is a mutable tag; pin to an immutable digest (gerion-cli@sha256:<digest>) once a release is verified
    GERION_IMAGE = 'ghcr.io/gerion-appsec/gerion-cli:latest'
    // credentials() injects the secret text and masks it in the console log
    GERION_API_URL = credentials('gerion-api-url')
    GERION_API_KEY = credentials('gerion-api-key')
  }
  stages {
    stage('Gerion — Secrets') {
      steps {
        // Single-quoted Groovy string: ${WORKSPACE} and ${GERION_IMAGE} are expanded by the shell,
        // and the secrets reach the container through -e without appearing in the command line
        sh '''
          docker run --rm \
            -v "${WORKSPACE}:/code" \
            -e GERION_API_URL -e GERION_API_KEY \
            -e JENKINS_URL -e GIT_URL -e GIT_BRANCH \
            -e BUILD_NUMBER -e GIT_COMMIT -e GIT_COMMITTER_NAME \
            "${GERION_IMAGE}" gerion secrets-scan /code
        '''
      }
    }
    stage('Gerion — SCA') {
      steps {
        sh '''
          docker run --rm \
            -v "${WORKSPACE}:/code" \
            -e GERION_API_URL -e GERION_API_KEY \
            -e JENKINS_URL -e GIT_URL -e GIT_BRANCH \
            -e BUILD_NUMBER -e GIT_COMMIT -e GIT_COMMITTER_NAME \
            "${GERION_IMAGE}" gerion sca-scan /code
        '''
      }
    }
    stage('Gerion — IaC') {
      steps {
        sh '''
          docker run --rm \
            -v "${WORKSPACE}:/code" \
            -e GERION_API_URL -e GERION_API_KEY \
            -e JENKINS_URL -e GIT_URL -e GIT_BRANCH \
            -e BUILD_NUMBER -e GIT_COMMIT -e GIT_COMMITTER_NAME \
            "${GERION_IMAGE}" gerion iac-scan /code
        '''
      }
    }
    stage('Gerion — SAST') {
      steps {
        sh '''
          docker run --rm \
            -v "${WORKSPACE}:/code" \
            -e GERION_API_URL -e GERION_API_KEY \
            -e JENKINS_URL -e GIT_URL -e GIT_BRANCH \
            -e BUILD_NUMBER -e GIT_COMMIT -e GIT_COMMITTER_NAME \
            "${GERION_IMAGE}" gerion sast-scan /code
        '''
      }
    }
  }
  post {
    always {
      withCredentials([
        string(credentialsId: 'gerion-api-url', variable: 'GERION_API_URL'),
        string(credentialsId: 'gerion-api-key', variable: 'GERION_API_KEY')
      ]) {
        // Generate the PDF report into the workspace; '|| true' keeps a report failure from failing the build
        sh '''
          docker run --rm \
            -v "${WORKSPACE}:/code" \
            -e GERION_API_URL -e GERION_API_KEY \
            -e JENKINS_URL -e GIT_URL -e GIT_BRANCH -e BUILD_NUMBER -e GIT_COMMIT \
            "${GERION_IMAGE}" \
            gerion report \
              --format pdf \
              --output-file /code/gerion-report.pdf \
              --severity HIGH --active-only || true
        '''
      }
      archiveArtifacts(artifacts: 'gerion-report.pdf', allowEmptyArchive: true)
    }
  }
}

Option B — Shared Library (JSL)

The Shared Library lets you call gerionScan() from any Jenkinsfile in your organization without copying the full pipeline.

1. Register the library

Go to Manage Jenkins → System → Global Pipeline Libraries and add:

Field             Value
Name              gerion
Default version   main
Retrieval method  Modern SCM
SCM               Git
Repository URL    https://github.com/gerion-appsec/gerion-jenkins-library

2. Use in a Jenkinsfile

@Library('gerion') _
pipeline {
  agent { label 'docker' }
  stages {
    stage('Security Scan') {
      steps {
        gerionScan()
      }
    }
  }
}

3. gerionScan() parameters

Parameter         Default           Description
scanType          'all'             all | secrets | sca | iac | sast
codePath          '.'               Path to scan, relative to the workspace
outputFormat      ''                json | markdown | sarif; empty for no output file
outputFile        ''                Output file path, relative to the workspace
logLevel          'info'            debug | info | warning | error
timeout           180               Timeout per scanner, in seconds
apiUrlCredId      'gerion-api-url'  Jenkins credential ID for the API URL
apiKeyCredId      'gerion-api-key'  Jenkins credential ID for the API key
archiveArtifacts  true              Archive the output file when outputFile is set

// Example with all parameters
gerionScan(
  scanType: 'sast',
  outputFormat: 'sarif',
  outputFile: 'gerion-sast.sarif',
  logLevel: 'debug',
  timeout: 300,
  archiveArtifacts: true
)
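The Jenkinsfile below is an added example and is not part of the Gerion library or its documentation. It assumes the gerion library is registered as in step 1, that the agent carries the docker label, and that the Warnings NG plugin is installed so that its recordIssues step can render SARIF (that step belongs to Warnings NG, not to Gerion). Instead of one gerionScan() call with scanType 'all', it runs the four scanners as parallel declarative stages, each writing SARIF to its own file, so a slow SAST run does not serialize the others and each result is archived and reviewable on its own.

```groovy
@Library('gerion') _

pipeline {
  agent { label 'docker' }
  options {
    timeout(time: 45, unit: 'MINUTES')
    disableConcurrentBuilds()
  }
  stages {
    stage('Gerion scans') {
      // The four branches share the agent workspace, so each scanner gets its own output file.
      parallel {
        stage('Secrets') {
          steps {
            gerionScan(scanType: 'secrets',
                       outputFormat: 'sarif',
                       outputFile: 'gerion-secrets.sarif')
          }
        }
        stage('SCA') {
          steps {
            gerionScan(scanType: 'sca',
                       outputFormat: 'sarif',
                       outputFile: 'gerion-sca.sarif')
          }
        }
        stage('IaC') {
          steps {
            gerionScan(scanType: 'iac',
                       outputFormat: 'sarif',
                       outputFile: 'gerion-iac.sarif')
          }
        }
        stage('SAST') {
          steps {
            // SAST is usually the slowest scanner; give it more than the 180 s default.
            gerionScan(scanType: 'sast',
                       outputFormat: 'sarif',
                       outputFile: 'gerion-sast.sarif',
                       timeout: 600)
          }
        }
      }
    }
  }
  post {
    always {
      // Assumption: Warnings NG plugin present. Collects every SARIF file written above,
      // including on a failed build, so findings stay visible next to the build.
      recordIssues(enabledForFailure: true,
                   tools: [sarif(pattern: 'gerion-*.sarif')])
    }
  }
}
```

archiveArtifacts is left at its default of true, so each SARIF file is also kept with the build even if the Warnings NG plugin is absent; the API URL and key come from the default gerion-api-url and gerion-api-key credential IDs.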

Notes

  • Gerion CLI reads the Jenkins variables JENKINS_URL, GIT_URL, GIT_BRANCH, BUILD_NUMBER, GIT_COMMIT and GIT_COMMITTER_NAME from its environment, which is why every docker run above forwards them with -e.
  • In Option A, credentials() in the environment block masks GERION_API_URL and GERION_API_KEY in the console log; in Option B the JSL wraps the scan in withCredentials, which masks the API key the same way. Keep the sh scripts in single-quoted Groovy strings so the values are expanded by the shell rather than interpolated into the command line.
  • GERION_IMAGE points at the mutable :latest tag. For reproducible scans and a smaller supply-chain exposure, pin the image to a digest (ghcr.io/gerion-appsec/gerion-cli@sha256:<digest>) and bump it deliberately.