Certified Jenkins Engineer

Setting up CI Pipeline

Demo Setup and Run Dependency Scanning

In this tutorial, you’ll configure Jenkins to scan project dependencies using two methods:

  1. NPM Audit (critical-level checks)
  2. OWASP Dependency-Check (via Jenkins plugin)

These scans help you catch vulnerabilities early and enforce quality gates in your CI pipeline.

1. NPM Dependency Audit

Add an NPM audit stage to your Jenkinsfile:

pipeline {
  agent any                     // declarative pipelines require a top-level agent
  tools {
    nodejs 'nodejs-22-6-0'      // NodeJS installation name from Global Tool Configuration
  }
  stages {
    stage('Install Dependencies') {
      steps {
        sh 'npm install --no-audit'   // also writes package-lock.json, which npm audit needs
      }
    }
    stage('NPM Dependency Audit') {
      steps {
        sh '''
          # Jenkins runs sh steps with -e, so a failing audit would abort the step
          # before a plain "echo $?" ran; capture the status, print it, then exit with it.
          set +e
          npm audit --audit-level=critical
          status=$?
          set -e
          echo "npm audit exit status: $status"
          exit $status
        '''
      }
    }
  }
}

What happens:

  • npm install --no-audit installs dependencies (and writes package-lock.json) without running the audit as part of the install.
  • npm audit --audit-level=critical checks the dependency tree against the npm advisory database and exits 1 if a critical vulnerability is found; lower severities are still reported but do not affect the exit code.

Sample package.json

{
  "scripts": {
    "start": "node app.js",
    "test": "mocha app-test.js --timeout 10000 --reporter mocha-junit-reporter --exit",
    "coverage": "nyc --reporter cobertura --reporter lcov --reporter text --reporter json-summary mocha app-test.js"
  },
  "nyc": {
    "check-coverage": true,
    "lines": 90
  },
  "dependencies": {
    "cors": "^2.8.5",
    "express": "^4.18.2",
    "mocha-junit-reporter": "^2.2.1",
    "mongoose": "^5.13.20",
    "nyc": "^15.1.0",
    "serverless-http": "^3.2.0"
  },
  "devDependencies": {
    "chai": "*",
    "chai-http": "*"
  }
}

CLI Output Example

# npm audit --audit-level=critical
@babel/traverse <7.23.2
Severity: critical
...

Note

NPM Audit supports four severity levels: low, moderate, high, and critical.
Adjust --audit-level based on your policy.


2. OWASP Dependency-Check Plugin

The OWASP Dependency-Check plugin scans your project's dependencies against known-vulnerability data, writes reports in multiple formats (HTML, XML, JSON, CSV) and supports quality gates.

2.1 Install the Plugin

  1. Manage Jenkins > Manage Plugins > Available
  2. Search OWASP Dependency-Check, install, and restart.

The image shows a Jenkins interface displaying a list of available plugins related to OWASP, with options to install them. The interface includes details about each plugin, such as name, version, and description.

2.2 Global Tool Configuration

After restarting, go to Manage Jenkins > Global Tool Configuration.
Add a Dependency-Check installation (e.g., version 10.0.3) and enable auto-install from GitHub.

The image shows a webpage from the Jenkins website detailing the usage and configuration of the OWASP Dependency-Check plugin, including a section on global tool configuration with a form interface.

The image shows a Jenkins configuration page for managing tools, specifically focusing on NodeJS and OWASP Dependency-Check installations. The OWASP Dependency-Check is set to install automatically.

2.3 Generate Pipeline Snippet

In Pipeline Syntax > Snippet Generator:

  • Step: Invoke Dependency-Check
  • Installation: OWASP-DepCheck-10
  • Arguments:
    --scan ./
    --out ./
    --format 'ALL'
    --prettyPrint

The image shows a Jenkins interface with a "Snippet Generator" for creating pipeline scripts. It includes a dropdown menu with various sample steps like "archiveArtifacts" and "dependencyCheckPublisher."

The image shows a Jenkins interface with a "Snippet Generator" for creating pipeline scripts, specifically focusing on invoking a dependency check using OWASP-DepCheck-10. The interface includes options for selecting dependency-check installations and adding arguments.

Insert into your Jenkinsfile:

stage('OWASP Dependency Check') {
  steps {
    dependencyCheck additionalArguments: '''
      --scan ./
      --out ./
      --format 'ALL'
      --prettyPrint
    ''', odcInstallation: 'OWASP-DepCheck-10'
  }
}

3. Running the Pipeline

Commit and push your Jenkinsfile. The first run downloads the NVD database (~263 000 records), taking about 20–30 minutes. Look for logs like:

[INFO] Checking for updates
[WARNING] An NVD API Key has not been provided ...
[INFO] NVD API has 263,560 records in this update
...
[INFO] Writing report to /workspace/.../dependency-check-report.html

The image shows a Jenkins pipeline interface for a project named "solar-system" under "Gitea-Organization." It displays the progress of a build process, highlighting a failed NPM dependency audit and a successful OWASP dependency check.

Reports generated in the workspace:

Format   File Name
HTML     dependency-check-report.html
XML      dependency-check-report.xml
JSON     dependency-check-report.json
CSV      dependency-check-report.csv

The image shows a dependency-check report with a summary of vulnerabilities in various packages, listing their highest severity levels and other details.

By default, findings don’t fail the build:

The image shows a Jenkins build status page for "Build #6" with a pipeline view, indicating stages like "Checkout SCM" and "Tool Install," and a failed "NPM Dependency Audit" step. It includes details about the build duration and changes.


4. Enforcing Quality Gates

Fail builds if thresholds are exceeded:

  1. In Snippet Generator, select Publish Dependency-Check results
  2. Configure:
    • XML report pattern: dependency-check-report.xml
    • Stop build on threshold violation
    • Failed total critical: 1

The image shows a Jenkins interface with a "Snippet Generator" for creating pipeline scripts, specifically focusing on invoking a dependency check. Various configuration options are visible, such as selecting a dependency-check installation and adding arguments.

The image shows a Jenkins Pipeline Syntax configuration page for publishing Dependency-Check results, with options for setting XML report patterns and risk gate thresholds.

Generated snippet:

dependencyCheckPublisher failedTotalCritical: 1,
                       pattern: 'dependency-check-report.xml',
                       stopBuild: true
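To make the two gates concrete, here is an added Python example (not part of the course material, npm, or the Dependency-Check plugin) that counts findings per severity in the JSON reports both scanners write and applies an npm-style audit level together with a "failed total" threshold. It assumes the publisher's threshold fails the build once the count reaches the configured value (which is how "Failed total critical: 1" behaves above), and the embedded reports are constructed samples trimmed to the fields the gate reads.

```python
import json

SEVERITIES = ("critical", "high", "moderate", "low", "info")  # npm audit order

# Constructed sample of `npm audit --json` (npm 7+ schema), trimmed to the
# fields the gate reads; real output also lists nodes, effects and fixes.
NPM_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "@babel/traverse": {"severity": "critical", "range": "<7.23.2", "isDirect": False},
        "semver": {"severity": "high", "range": "<7.5.2", "isDirect": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0,
                                     "high": 1, "critical": 1, "total": 2}},
})

# Constructed sample of dependency-check-report.json, trimmed the same way;
# the vulnerability names are placeholders, not real CVE identifiers.
DEPCHECK_JSON = json.dumps({
    "dependencies": [
        {"fileName": "sample-lib:1.0.0",
         "vulnerabilities": [{"name": "CVE-PLACEHOLDER-1", "severity": "HIGH"},
                             {"name": "CVE-PLACEHOLDER-2", "severity": "CRITICAL"}]},
        {"fileName": "express:4.18.2"},  # clean dependency: no "vulnerabilities" key
    ]
})

def npm_audit_counts(report: str) -> dict:
    """Count npm audit findings per severity from the `vulnerabilities` map."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for vuln in json.loads(report)["vulnerabilities"].values():
        counts[vuln["severity"].lower()] += 1
    return counts

def dependency_check_counts(report: str) -> dict:
    """Count Dependency-Check findings per severity; its JSON report uses
    upper-case levels and MEDIUM where npm audit says moderate."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for dep in json.loads(report)["dependencies"]:
        for vuln in dep.get("vulnerabilities", []):
            level = vuln["severity"].lower().replace("medium", "moderate")
            counts[level] = counts.get(level, 0) + 1   # keeps unknown levels visible
    return counts

def gate(counts: dict, audit_level: str, fail_total: int = 1) -> bool:
    """True when the build should fail: findings at or above `audit_level`
    (npm's --audit-level semantics) reach `fail_total` (assumed >= check)."""
    at_or_above = SEVERITIES[:SEVERITIES.index(audit_level) + 1]
    return sum(counts[s] for s in at_or_above) >= fail_total
```

Running the same gate over both reports shows why the NPM stage and the OWASP stage can disagree on the page's build: each tool draws on a different vulnerability feed, so the counts differ even for the same dependency tree.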

Combine both scans in parallel:

pipeline {
  agent any
  tools {
    nodejs 'nodejs-22-6-0'
  }
  stages {
    stage('Install Dependencies') {
      steps {
        sh 'npm install --no-audit'   // writes package-lock.json, which npm audit requires
      }
    }
    stage('Dependency Scanning') {
      parallel {
        stage('NPM Dependency Audit') {
          steps {
            sh '''
              # capture the exit status explicitly (sh steps run with -e)
              set +e
              npm audit --audit-level=critical
              status=$?
              set -e
              echo "npm audit exit status: $status"
              exit $status
            '''
          }
        }
        stage('OWASP Dependency Check') {
          steps {
            dependencyCheck additionalArguments: '''
              --scan ./
              --out ./
              --format 'ALL'
              --prettyPrint
            ''', odcInstallation: 'OWASP-DepCheck-10'
            // risk gate: one or more critical findings in the XML report fails the build
            dependencyCheckPublisher failedTotalCritical: 1,
                                     pattern: 'dependency-check-report.xml',
                                     stopBuild: true
          }
        }
      }
    }
  }
}

On the next build you’ll see:

[INFO] Skipping the NVD API Update as it was completed within the last 240 minutes
...
Findings exceed configured thresholds

The image shows a Jenkins dashboard displaying the build status of various commits in a project named "solar-system" under the "Gitea-Organization." It lists the status, commit ID, branch, message, duration, and completion time for each build.

The image shows a Jenkins interface displaying Dependency-Check results, highlighting a critical vulnerability in a specific file with details such as severity, file path, and description.

Warning

Builds will now fail if critical vulnerabilities exceed your defined threshold.
Review detailed results in the Jenkins UI to remediate issues.


Conclusion

In this guide, we have:

  • Integrated NPM Audit to catch critical Node.js vulnerabilities.
  • Configured OWASP Dependency-Check for comprehensive scanning.
  • Parallelized both stages to reduce build time.
  • Enforced quality gates to automatically fail on critical findings.

Address the flagged vulnerabilities to keep your application secure.
