Jenkins Integration

Integrate Code Pathfinder into your Jenkins pipelines using the official Docker image to run security scans on every build or pull request.

Quick Start

Add this to your Jenkinsfile. Jenkins pulls the Docker image and runs the scan inside the container with your workspace mounted:

groovy

pipeline {
    agent {
        docker {
            image 'shivasurya/code-pathfinder:stable-latest'
            args '--entrypoint='
        }
    }

    stages {
        stage('Code Pathfinder SAST') {
            steps {
                sh '''
                    pathfinder ci \
                        --project . \
                        --ruleset python/all \
                        --ruleset docker/all \
                        --ruleset docker-compose/all \
                        --output sarif \
                        --output-file pathfinder-results.sarif \
                        --fail-on critical,high
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'pathfinder-results.sarif', allowEmptyArchive: true
                }
            }
        }
    }
}

Docker agent args

The args '--entrypoint=' option clears the Docker image's default entrypoint so Jenkins can invoke pathfinder directly via sh.

Version Pinning

Pin to a specific image tag like shivasurya/code-pathfinder:v2.0.2 instead of stable-latest for reproducible builds. stable-latest always tracks the latest stable release.

Configuration Options

All pathfinder ci flags are available in the shell step.

Flag	Description	Default
--rules	Path to local Python SDK rules file or directory	—
--ruleset	Remote ruleset(s) from registry. Can be specified multiple times.	—
--project	Path to source code to scan	.
--skip-tests	Skip scanning test files	true
--output	Output format: sarif, json, or csv	sarif
--output-file	Write output to file instead of stdout	—
--fail-on	Fail build on severities: critical, high, medium, low (comma-separated)	—
--no-diff	Scan all files, disabling diff-aware mode	false
--verbose	Show statistics and timing information	false
--debug	Show detailed debug diagnostics with timestamps	false
--refresh-rules	Force refresh of cached rulesets	false
--disable-metrics	Disable anonymous usage metrics	false

Common Use Cases

Scan Python projects

groovy

stage('Python Security Scan') {
    steps {
        sh '''
            pathfinder ci \
                --project . \
                --ruleset python/all \
                --fail-on critical,high \
                --output sarif \
                --output-file results.sarif
        '''
    }
    post {
        always {
            archiveArtifacts artifacts: 'results.sarif', allowEmptyArchive: true
        }
    }
}

Scan Dockerfiles and docker-compose

groovy

stage('Docker Security Scan') {
    steps {
        sh '''
            pathfinder ci \
                --project . \
                --ruleset docker/all \
                --ruleset docker-compose/all \
                --verbose \
                --output sarif \
                --output-file results.sarif
        '''
    }
    post {
        always {
            archiveArtifacts artifacts: 'results.sarif', allowEmptyArchive: true
        }
    }
}

Parallel scans in a monorepo

groovy

stage('Security Scans') {
    parallel {
        stage('Scan Backend') {
            steps {
                sh '''
                    pathfinder ci \
                        --project ./backend \
                        --ruleset python/all \
                        --output sarif \
                        --output-file backend-results.sarif
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'backend-results.sarif', allowEmptyArchive: true
                }
            }
        }
        stage('Scan Infrastructure') {
            steps {
                sh '''
                    pathfinder ci \
                        --project ./infrastructure \
                        --ruleset docker/all \
                        --output sarif \
                        --output-file infra-results.sarif
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'infra-results.sarif', allowEmptyArchive: true
                }
            }
        }
    }
}

Security gate — fail on critical or high

groovy

stage('Security Gate') {
    steps {
        sh '''
            pathfinder ci \
                --project . \
                --ruleset python/all \
                --ruleset docker/all \
                --ruleset docker-compose/all \
                --fail-on critical,high \
                --output sarif \
                --output-file results.sarif
        '''
    }
    post {
        always {
            archiveArtifacts artifacts: 'results.sarif', allowEmptyArchive: true
        }
    }
}

Pull Request Scanning

Use the when directive to run the scan only on pull requests. With a multibranch pipeline or GitHub Branch Source plugin, Jenkins sets the CHANGE_ID environment variable for pull requests:

groovy

pipeline {
    agent {
        docker {
            image 'shivasurya/code-pathfinder:stable-latest'
            args '--entrypoint='
        }
    }

    stages {
        stage('Code Pathfinder SAST') {
            when {
                anyOf {
                    branch 'main'
                    changeRequest()
                }
            }
            steps {
                sh '''
                    pathfinder ci \
                        --project . \
                        --ruleset python/all \
                        --ruleset docker/all \
                        --ruleset docker-compose/all \
                        --output sarif \
                        --output-file pathfinder-results.sarif \
                        --fail-on critical,high
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'pathfinder-results.sarif', allowEmptyArchive: true
                }
            }
        }
    }
}

Scheduled Scans

Use the triggers block with a cron expression to run a weekly security scan on the main branch:

groovy

pipeline {
    agent {
        docker {
            image 'shivasurya/code-pathfinder:stable-latest'
            args '--entrypoint='
        }
    }

    triggers {
        // Run every Monday at 02:00 AM
        cron('0 2 * * 1')
    }

    stages {
        stage('Weekly Security Scan') {
            steps {
                sh '''
                    pathfinder ci \
                        --project . \
                        --ruleset python/all \
                        --ruleset docker/all \
                        --ruleset docker-compose/all \
                        --output sarif \
                        --output-file pathfinder-results.sarif
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'pathfinder-results.sarif', allowEmptyArchive: true
                }
            }
        }
    }
}

Troubleshooting

SARIF reporting with Warnings Next Generation plugin

Install the Warnings Next Generation plugin to parse and display SARIF results in the Jenkins build UI. Use recordIssues in the post block alongside archiveArtifacts:

groovy

stage('Code Pathfinder SAST') {
    steps {
        sh '''
            pathfinder ci \
                --project . \
                --ruleset python/all \
                --ruleset docker/all \
                --output sarif \
                --output-file pathfinder-results.sarif
        '''
    }
    post {
        always {
            archiveArtifacts artifacts: 'pathfinder-results.sarif', allowEmptyArchive: true
            recordIssues(
                aggregatingResults: true,
                tools: [sarif(
                    id: 'code-pathfinder',
                    name: 'Code Pathfinder',
                    pattern: 'pathfinder-results.sarif'
                )]
            )
        }
    }
}

No vulnerabilities detected

Enable debug and verbose output to see detailed scan progress:

groovy

sh '''
    pathfinder ci \
        --project . \
        --ruleset python/all \
        --debug \
        --verbose \
        --output sarif \
        --output-file results.sarif
'''

Scan full codebase instead of changed files

By default, Code Pathfinder uses diff-aware scanning in CI to scan only changed files. Use --no-diff to scan everything:

groovy

sh '''
    pathfinder ci \
        --project . \
        --ruleset python/all \
        --no-diff \
        --output sarif \
        --output-file results.sarif
'''

Large repositories timing out

Jenkins does not impose a default step timeout, but you can set one with the timeout step. Scan a subdirectory to reduce scope if needed:

groovy

stage('Code Pathfinder SAST') {
    options {
        timeout(time: 60, unit: 'MINUTES')
    }
    steps {
        sh '''
            pathfinder ci \
                --project ./src \
                --ruleset python/all \
                --ruleset docker/all \
                --output sarif \
                --output-file results.sarif
        '''
    }
}

Cache issues with remote rulesets

Force refresh cached rulesets:

groovy

sh '''
    pathfinder ci \
        --project . \
        --ruleset python/all \
        --refresh-rules \
        --output sarif \
        --output-file results.sarif
'''

Docker agent not finding pathfinder binary

If Jenkins fails with pathfinder: command not found, the image's default entrypoint is blocking the sh step. Ensure args '--entrypoint=' is set on the Docker agent — this resets the entrypoint to empty so Jenkins can invoke shell commands inside the container:

groovy

agent {
    docker {
        image 'shivasurya/code-pathfinder:stable-latest'
        args '--entrypoint='   // required — clears the image entrypoint
    }
}