Certified Jenkins Engineer

Shared Libraries in Jenkins

Demo Create Shared Library for Trivy Scan

In this tutorial, you’ll build a reusable Jenkins Shared Library to run Trivy scans in your CI/CD pipelines. By isolating scanning logic in a library, you’ll eliminate duplication and enable versioned updates via Git feature branches.

Prerequisites

Requirement                 | Description
----------------------------|----------------------------------------------------------
Jenkins Shared Library Repo | A Git repository to host your vars/ functions
Trivy CLI                   | Installed on your Jenkins agents or build environment

1. Clone the Shared Library Repository

Start by cloning your existing shared-library project:

git clone http://64.227.187.25:5555/dasher-org/shared-libraries.git
cd shared-libraries
ls
# You should see:
# vars

2. Create a Feature Branch

Work on a dedicated branch to isolate your changes:

git checkout -b feature/trivy-scan

3. Review the Hardcoded Trivy Stage

In many pipelines, you’ll find a stage like this in the application’s Jenkinsfile:

stage('Trivy Vulnerability Scanner') {
  steps {
    sh '''
      trivy image my-org/app:$GIT_COMMIT \
        --severity LOW,MEDIUM,HIGH \
        --exit-code 0 \
        --quiet \
        --format json -o trivy-medium.json

      trivy image my-org/app:$GIT_COMMIT \
        --severity CRITICAL \
        --exit-code 1 \
        --quiet \
        --format json -o trivy-critical.json
    '''
  }
  post {
    always {
      // report conversion steps...
    }
  }
}

Warning

Hardcoding scanner commands in every Jenkinsfile is hard to maintain. Any change in flags or output formats would need updates in all pipelines.

4. Create the TrivyScan.groovy in vars/

Inside your shared-library’s vars/ folder, add a new file:

cd vars
touch TrivyScan.groovy

5. Define the vulnerability Function

Open vars/TrivyScan.groovy and add a method that accepts the Docker image name:

def vulnerability(String imageName) {
    sh """
      echo "🔒 Scanning image: ${imageName}"
      trivy image ${imageName} \
        --severity LOW,MEDIUM,HIGH \
        --exit-code 0 \
        --quiet \
        --format json -o trivy-medium.json

      trivy image ${imageName} \
        --severity CRITICAL \
        --exit-code 1 \
        --quiet \
        --format json -o trivy-critical.json
    """
}

Note

We use triple-double-quotes ("""…""") in Groovy to allow ${imageName} interpolation inside the shell script block.

6. Add the reportsConverter Function

Extend the same file with report conversion logic:

def reportsConverter() {
    // The "@" prefix tells trivy to read the template from a file; the path
    // after it must be absolute (the package install puts the bundled
    // templates under /usr/local/share/trivy/templates/).
    sh '''
      trivy convert \
        --format template --template "@/usr/local/share/trivy/templates/html.tpl" \
        --output trivy-medium.html trivy-medium.json

      trivy convert \
        --format template --template "@/usr/local/share/trivy/templates/html.tpl" \
        --output trivy-critical.html trivy-critical.json

      trivy convert \
        --format template --template "@/usr/local/share/trivy/templates/junit.tpl" \
        --output trivy-medium.xml trivy-medium.json

      trivy convert \
        --format template --template "@/usr/local/share/trivy/templates/junit.tpl" \
        --output trivy-critical.xml trivy-critical.json
    '''
}

7. Commit and Push Your Changes

Save, commit, and push the new shared-library logic:

git add vars/TrivyScan.groovy
git commit -m "feat: add TrivyScan shared library (vulnerability + reportsConverter)"
git push --set-upstream origin feature/trivy-scan

8. Consume the Shared Library in a Pipeline

In your application’s Jenkinsfile, load the library and call the functions:

@Library('shared-libraries@feature/trivy-scan') _

pipeline {
  agent any
  stages {
    stage('Security Checks') {
      steps {
        TrivyScan.vulnerability("my-org/app:${env.GIT_COMMIT}")
        TrivyScan.reportsConverter()
      }
    }
  }
}

Now your security scan is centralized, versioned, and easy to update!
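One failure mode worth handling when you consume the library: the CRITICAL scan runs with --exit-code 1, so a finding makes the sh step fail and any call placed after vulnerability() inside steps is skipped, which means the JSON reports are never converted or published. The following is an added example, not the course's own code; it assumes a hypothetical scanTier method added to vars/TrivyScan.groovy (same idea as vulnerability, one tier per call) and uses only the bundled junit and archiveArtifacts steps.

```groovy
// vars/TrivyScan.groovy (added example): one scan per severity tier, so the
// report-only tier can never fail the build and the gate tier always can.
def scanTier(String imageName, String tier, String severities, int exitCode) {
    sh """
      echo "Scanning ${imageName} for ${severities} (tier: ${tier})"
      trivy image ${imageName} \
        --severity ${severities} \
        --exit-code ${exitCode} \
        --quiet \
        --format json -o trivy-${tier}.json
    """
}

// Jenkinsfile (added example): report conversion and publishing live in
// post { always }, so they run even when the CRITICAL gate fails the stage.
@Library('shared-libraries@feature/trivy-scan') _

pipeline {
  agent any
  stages {
    stage('Security Checks') {
      steps {
        // Report-only tier first: exit code 0, so it cannot abort the stage.
        TrivyScan.scanTier("my-org/app:${env.GIT_COMMIT}", 'medium', 'LOW,MEDIUM,HIGH', 0)
        // Gate tier last: exit code 1 fails the stage on any CRITICAL finding.
        TrivyScan.scanTier("my-org/app:${env.GIT_COMMIT}", 'critical', 'CRITICAL', 1)
      }
      post {
        always {
          // trivy writes its JSON before exiting non-zero, so the files exist here.
          TrivyScan.reportsConverter()
          // JUnit-format reports show the findings on the build page as test results.
          junit allowEmptyResults: true, testResults: 'trivy-*.xml'
          archiveArtifacts artifacts: 'trivy-*.json,trivy-*.html', allowEmptyArchive: true
        }
      }
    }
  }
}
```

The build still goes red on a CRITICAL finding, but the HTML and JUnit reports are attached to that failed build rather than lost.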
