Skip to main content
Library Resources in a Jenkins Shared Library let you bundle static assets—shell scripts, YAML, templates—under resources/. At runtime, your Pipeline can load and execute these files via libraryResource, decoupling script logic from Groovy and boosting maintainability. In this guide, we’ll replace hardcoded Trivy commands with a parameterized shell script in resources/scripts/, a Groovy loader helper, and a high-level wrapper. You’ll learn how to:
  • Store and version static assets in your shared library
  • Dynamically load and execute scripts at Pipeline runtime
  • Pass custom arguments from your Jenkinsfile without touching library code

1. The Problem: Hardcoded Commands

Our initial vars/TrivyScan.groovy contained two inline sh blocks with fixed severity levels and exit codes: 
def vulnerability(String imageName) {
    sh '''
        echo image = ${imageName}
        trivy image ${imageName} \
            --severity LOW,MEDIUM,HIGH \
            --exit-code 0 \
            --quiet \
            --format json -o trivy-image-MEDIUM-results.json
        trivy image ${imageName} \
            --severity CRITICAL \
            --exit-code 1 \
            --quiet \
            --format json -o trivy-image-CRITICAL-results.json
    '''
}

def reportsConverter() {
    sh '''
        trivy convert \
            --format template --template "@/usr/local/share/trivy/templates/html.tpl"
    '''
}
Hardcoding severity levels and exit codes makes updates error-prone and requires editing Groovy logic for every change.

2. Solution Overview

We’ll break this into four steps:
ComponentLocationPurpose
Parameterized Scriptresources/scripts/trivy.shRun trivy image with custom args
High-Level Wrappervars/TrivyScanScript.groovyInvoke the script from Groovy with a simple API
Generic Loadervars/loadScript.groovyFetch any resources/scripts/* asset at runtime
Pipeline UsageJenkinsfileCall TrivyScanScript.vulnerability(...)
  1. Add a shell script under resources/scripts/.
  2. Create a Groovy wrapper (TrivyScanScript.groovy) that calls the script with parameters.
  3. Build a generic loader (loadScript.groovy) using libraryResource.
  4. Invoke your new API from the Jenkinsfile.

3. Add the Shell Script Resource

File: resources/scripts/trivy.sh 
#!/bin/bash
set -euo pipefail

echo "imageName = $1"
echo "severity  = $2"
echo "exitCode  = $3"

trivy image "$1" \
  --severity "$2" \
  --exit-code "$3" \
  --format json \
  -o "trivy-image-$2-results.json"
This script accepts three arguments:
  1. $1 – Docker image (e.g., my-app:latest)
  2. $2 – Severity levels (e.g., LOW,MEDIUM,HIGH)
  3. $3 – Exit code on vulnerability detection

4. Define the TrivyScanScript Library

File: vars/TrivyScanScript.groovy 
def vulnerability(Map config = [:]) {
    // Load the parameterized script into the workspace
    loadScript(name: 'trivy.sh')
    sh "./trivy.sh ${config.imageName} ${config.severity} ${config.exitCode}"
}

def reportsConverter() {
    sh 'trivy convert --format template --template "@/usr/local/share/trivy/templates/html.tpl"'
}
Usage in Jenkinsfile: 
@Library('your-shared-lib') _
pipeline {
  agent any
  stages {
    stage('Security Scan') {
      steps {
        TrivyScanScript.vulnerability(
          imageName: 'my-app:latest',
          severity: 'CRITICAL',
          exitCode: 1
        )
      }
    }
  }
}

5. Create a Generic Loader: loadScript.groovy

File: vars/loadScript.groovy 
def call(Map config = [:]) {
    // Fetch any script from resources/scripts/
    def scriptData = libraryResource "scripts/${config.name}"
    writeFile file: config.name, text: scriptData
    sh "chmod +x ./${config.name}"
}
This helper lets you load any file under resources/scripts by passing its filename as config.name.

6. How libraryResource Works

libraryResource reads a file from your shared library’s resources directory and returns its content: 
// Example: Load a JSON template from resources/
def jsonData = libraryResource 'com/mycorp/pipeline/config/request.json'
writeFile file: 'request.json', text: jsonData
You can then:
  • Pass it to an HTTP API
  • Write it to disk for local execution

7. Recap

  • Static Script (trivy.sh): Parameterized Trivy invocation
  • TrivyScanScript: Groovy API that loads & executes the script
  • loadScript: Generic loader using libraryResource
This pattern cleanly separates static assets from Groovy logic, making it easy to update scripts without changing code and enabling pipeline authors to provide custom configurations.

Watch Video