Explores Jenkins pipelines, running builds, dependency and image vulnerability scans, unit tests, coverage, Docker image build and push, and poll SCM trigger difference
In this lesson we explore the remaining two Jenkins projects, run builds, and inspect the results. Both pipelines reference the same repository and Jenkinsfile; the only functional difference is that the CI Pipeline (poll SCM) has a cron trigger configured.Pipelines covered
Solar System CI Pipeline
CI Pipeline (poll SCM)
Both jobs use the same repository and pipeline script. The poll-SCM job adds a cron polling trigger to periodically check for changes.I’ll sign in to Jenkins and show the pipeline configuration.The Solar System job is configured to obtain its Pipeline script from SCM (Git). The repository and branch are set in the Pipeline configuration:
Avoid placing secrets in Dockerfile via ENV for production images. Store sensitive values in a secrets manager or inject them at runtime (e.g., via Jenkins credentials or container runtime secrets).
Jenkinsfile — pipeline summary
The project’s declarative Jenkinsfile defines an end-to-end CI pipeline that runs inside Docker agents and uses Jenkins tools/credentials. Main stages include installing dependencies, dependency scanning, unit testing, code coverage, building & publishing a Docker image, and a Trivy image scan.Representative (cleaned) Jenkinsfile excerpt:
Node.js tool is managed by Jenkins and the pipeline runs Node steps inside Docker agents.
Credentials for MongoDB, Docker Hub, and NVD API key are stored in Jenkins and referenced via credentials() and plugin parameters.
Dependency-Check and Trivy produce XML/HTML/JSON reports; the repository includes commented publishHTML/junit lines — uncomment to publish artifacts in Jenkins.
Obtain an NVD API key and store it in Jenkins credentials. Using the API key reduces the time Dependency-Check spends downloading the NVD feed and improves scan reliability.
How to request an NVD API key (registration form)
Request the API key at: https://nvd.nist.gov/developers/request-an-api-key
After receiving the API key, create a Jenkins credential (Secret text) and reference that credential id in the Dependency-Check plugin configuration (nvdCredentialsId).
Triggering builds and inspecting results
I triggered the pipeline manually (this job does not leverage webhooks). Blue Ocean shows each stage and the step-by-step progress.
Dependency scanning behavior
Installing Dependencies stage runs npm install inside a Docker container.
Dependency Scanning runs:
npm audit --audit-level=critical
OWASP Dependency-Check via the plugin which writes XML/HTML/JSON/SARIF/JUnit reports into the workspace.
When OWASP Dependency-Check finds vulnerabilities above configured thresholds, the dependencyCheckPublisher step will fail the build. In this project the publisher was initially set to fail on medium/low severities, which caused builds to fail. I adjusted the publisher to fail only on critical vulnerabilities by setting failedTotalCritical: 1 and removing medium/low thresholds.Dependency-Check update output (first run example):
[INFO] Checking for updates[INFO] NVD API has 1,304 records in this update[INFO] Downloaded 1,304/1,304 (100%)[INFO] Begin database defrag[INFO] End database defrag[INFO] Check for updates complete
Dependency-Check analysis output (example):
[INFO] Analysis Started[WARN] Analyzing `/home/jenkins-agent/workspace/ci-pipeline-poll-scm/package-lock.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check[INFO] Analysis Complete[INFO] Writing XML report to: /home/jenkins-agent/workspace/ci-pipeline-poll-scm/dependency-check-report.xml[INFO] Writing HTML report to: /home/jenkins-agent/workspace/ci-pipeline-poll-scm/dependency-check-report.html...Collecting Dependency-Check artifactParsing file /home/jenkins-agent/workspace/ci-pipeline-poll-scm/dependency-check-report.xmlFindings exceed configured thresholds
The UI showed one Medium vulnerability (example: formidable:2.1.2 CVE-2025-46653). Because the publisher was originally configured to stop builds on medium/low findings, the pipeline failed until thresholds were relaxed.
Unit tests and coverage
Unit Testing runs npm test inside the Docker agent and uses retry(2) to handle transient failures.
Code Coverage runs npm run coverage (nyc). Coverage did not meet the global threshold in this run (~79% vs expected 90%), so the coverage stage failed its threshold check. Because coverage was wrapped with catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE', ...), the overall build remained successful while the coverage stage was marked unstable.
Unit test output (truncated):
+ npm test> Solar System@6.7.6 test> mocha app-test.js --timeout 10000 --reporter mocha-junit-reporter --exitServer successfully running on port - 3000
Coverage failure output (example):
+ npm run coverage> Solar System@6.7.6 coverage> nyc --reporter cobertura --reporter lcov --reporter text --reporter json-summary mocha app-test.js --timeout 10000 --exit 11 passing (6s)ERROR: Coverage for lines (79.06%) does not meet global threshold (90%)---------------------------------------------------------------------------File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s---------------------------------------------------------------------------All files | 79.54 | 33.33 | 70 | 79.06 |app.js | 79.54 | 33.33 | 70 | 79.06 | 23,49-50,58,62-67---------------------------------------------------------------------------script returned exit code 1
Docker image build, push and Trivy scan
The Build & Publish Image stage builds a Docker image tagged with the Git commit and pushes it to Docker Hub using stored Docker Hub credentials:
In this run, Trivy did not find CRITICAL vulnerabilities and returned successfully. The JSON/HTML output can be published with publishHTML to surface results in Jenkins.Wrapping up
Both pipelines use the same Jenkinsfile from jenkins-demo-org/solar-system; the poll-SCM job adds a cron trigger.
OWASP Dependency-Check and Trivy are integrated for dependency and container-image vulnerability checks. Provide an NVD API key to speed Dependency-Check database updates.
Tests and coverage execute inside Docker agents. Use catchError in the coverage stage to surface coverage issues without failing the entire build.
Artifacts produced (Dependency-Check HTML, Trivy HTML, JUnit XML, coverage reports) are present but publishing calls are commented out — uncomment publishHTML or junit lines in the Jenkinsfile to show these reports in Jenkins.
Next steps: migrate this pipeline to GitHub Actions and enable publishing of test, coverage, and security reports from the CI workflow. See GitHub Actions course for guidance.