Certified Jenkins Engineer
Shared Libraries in Jenkins
Demo Create Shared Library for Trivy Scan
In this tutorial, you’ll build a reusable Jenkins Shared Library to run Trivy scans in your CI/CD pipelines. By isolating scanning logic in a library, you’ll eliminate duplication and enable versioned updates via Git feature branches.
Prerequisites
| Requirement | Description |
|---|---|
| Jenkins Shared Library Repo | A Git repository to host your vars/ functions |
| Trivy CLI | Installed on your Jenkins agents or build environment |
1. Clone the Shared Library Repository
Start by cloning your existing shared-library project:
```bash
git clone http://64.227.187.25:5555/dasher-org/shared-libraries.git
cd shared-libraries
ls
# You should see:
# vars
```
2. Create a Feature Branch
Work on a dedicated branch to isolate your changes:
```bash
git checkout -b feature/trivy-scan
```
3. Review the Hardcoded Trivy Stage
In many pipelines, you’ll find a stage like this in the application’s Jenkinsfile:
```groovy
stage('Trivy Vulnerability Scanner') {
    steps {
        sh '''
            trivy image my-org/app:$GIT_COMMIT \
                --severity LOW,MEDIUM,HIGH \
                --exit-code 0 \
                --quiet \
                --format json -o trivy-medium.json
            trivy image my-org/app:$GIT_COMMIT \
                --severity CRITICAL \
                --exit-code 1 \
                --quiet \
                --format json -o trivy-critical.json
        '''
    }
    post {
        always {
            // report conversion steps...
        }
    }
}
```
Warning
Hardcoding scanner commands in every Jenkinsfile is hard to maintain: any change in flags or output formats would need updates in all pipelines.
4. Create TrivyScan.groovy in vars/
Inside your shared library’s vars/ folder, add a new file:
```bash
cd vars
touch TrivyScan.groovy
```
5. Define the vulnerability Function
Open vars/TrivyScan.groovy and add a method that accepts the Docker image name:
```groovy
def vulnerability(String imageName) {
    sh """
        echo "🔒 Scanning image: ${imageName}"
        trivy image ${imageName} \
            --severity LOW,MEDIUM,HIGH \
            --exit-code 0 \
            --quiet \
            --format json -o trivy-medium.json
        trivy image ${imageName} \
            --severity CRITICAL \
            --exit-code 1 \
            --quiet \
            --format json -o trivy-critical.json
    """
}
```
Note
We use triple double quotes ("""…""") in Groovy so that ${imageName} is interpolated inside the shell script block.
6. Add the reportsConverter Function
Extend the same file with report conversion logic:
```groovy
def reportsConverter() {
    sh '''
        # "@<path>" tells trivy convert to load the template from that file;
        # Trivy's Linux packages and official image install the templates under /usr/local/share/trivy/templates
        trivy convert \
            --format template --template "@/usr/local/share/trivy/templates/html.tpl" \
            --output trivy-medium.html trivy-medium.json
        trivy convert \
            --format template --template "@/usr/local/share/trivy/templates/html.tpl" \
            --output trivy-critical.html trivy-critical.json
        trivy convert \
            --format template --template "@/usr/local/share/trivy/templates/junit.tpl" \
            --output trivy-medium.xml trivy-medium.json
        trivy convert \
            --format template --template "@/usr/local/share/trivy/templates/junit.tpl" \
            --output trivy-critical.xml trivy-critical.json
    '''
}
```
7. Commit and Push Your Changes
Save, commit, and push the new shared-library logic:
```bash
git add vars/TrivyScan.groovy
git commit -m "feat: add TrivyScan shared library (vulnerability + reportsConverter)"
git push --set-upstream origin feature/trivy-scan
```
8. Consume the Shared Library in a Pipeline
In your application’s Jenkinsfile, load the library and call the functions:
```groovy
@Library('shared-libraries@feature/trivy-scan') _
pipeline {
    agent any
    stages {
        stage('Security Checks') {
            steps {
                TrivyScan.vulnerability("my-org/app:${env.GIT_COMMIT}")
                TrivyScan.reportsConverter()
            }
        }
    }
}
```
Now your security scan is centralized, versioned, and easy to update!
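As an added example (not the course's code), here is a variant of the library that keeps Trivy's exit-code gate but captures the status so the HTML and JUnit reports are converted and published even when CRITICAL findings fail the build, together with the Jenkinsfile that calls it. It assumes the file is named vars/trivyScan.groovy (camelCase, per Jenkins convention), that the junit and archiveArtifacts steps are available on the controller, and the same template directory as above.

```groovy
// ---- vars/trivyScan.groovy (hypothetical file; camelCase name per Jenkins convention) ----
// Usage from a Jenkinsfile: trivyScan image: 'my-org/app:abc123', failOn: 'CRITICAL'
def call(Map config) {
    String image  = config.image
    String failOn = config.get('failOn', 'CRITICAL')
    // Assumed template location (the path the Trivy Linux packages and official image use).
    String tplDir = config.get('templateDir', '/usr/local/share/trivy/templates')

    // Informational scan: --exit-code 0, so it never fails the step.
    sh "trivy image ${image} --severity LOW,MEDIUM,HIGH --exit-code 0 --quiet --format json -o trivy-medium.json"

    // Gating scan keeps Trivy's --exit-code 1 semantics, but returnStatus captures the code
    // instead of aborting the step, so conversion and publishing below always run.
    int gateStatus = sh(returnStatus: true,
        script: "trivy image ${image} --severity ${failOn} --exit-code 1 --quiet --format json -o trivy-critical.json")

    // Convert each JSON report to HTML (for people) and JUnit XML (for the Jenkins test UI).
    for (String name : ['medium', 'critical']) {
        sh """
            trivy convert --format template --template "@${tplDir}/html.tpl"  --output trivy-${name}.html trivy-${name}.json
            trivy convert --format template --template "@${tplDir}/junit.tpl" --output trivy-${name}.xml  trivy-${name}.json
        """
    }

    // Publish before gating so the evidence survives a failed build.
    archiveArtifacts artifacts: 'trivy-*.json,trivy-*.html', fingerprint: true
    junit testResults: 'trivy-*.xml', allowEmptyResults: true

    // Non-zero means findings at the blocking severity (or a scanner error); both block the build.
    if (gateStatus != 0) {
        error "Trivy gate failed for ${image} (severity ${failOn}); see trivy-critical.html"
    }
}

// ---- Jenkinsfile in the application repository ----
@Library('shared-libraries@feature/trivy-scan') _
pipeline {
    agent any
    stages {
        stage('Security Checks') {
            steps {
                trivyScan image: "my-org/app:${env.GIT_COMMIT}", failOn: 'CRITICAL'
            }
        }
    }
}
```

With the status captured rather than thrown, a CRITICAL finding still fails the stage, but the converted reports are already archived and visible in the build's test results.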