Jenkins
Configure variables
Before getting started, you need to configure your Jenkins instance with the required credentials. Make sure the following values are added under Dashboard → Manage Jenkins → Credentials as credentials of type Secret text, using these names as the credential IDs (the pipelines below look them up by ID):
ANCHORECTL_USERNAME
ANCHORECTL_PASSWORD
ANCHORECTL_URL
These are necessary for the integration to access your Anchore Enterprise deployment. ANCHORECTL_PASSWORD must be stored as a credential so that Jenkins masks it in job logs; ANCHORECTL_URL and ANCHORECTL_USERNAME are not secret and could also be supplied as plain environment variables or parameters, but the examples below read all three from credentials for consistency.
Configure scanning mode
Below are examples of the two types of image scans. For a detailed explanation of their differences, refer to the documentation.
a) Distributed
This is the most easily scalable method for scanning images. Distributed scanning uses the anchorectl utility to build the SBOM directly on the build runner and then pushes the SBOM to Anchore Enterprise through the API. The example below demonstrates how to automate distributed analysis within a pipeline.
```groovy
pipeline {
    agent any

    // Define parameters for user input
    parameters {
        string(name: 'REGISTRY', defaultValue: 'docker.io', description: 'The container registry to use.', trim: true)
        string(name: 'REPOSITORY', defaultValue: 'library/nginx', description: 'The image repository path.', trim: true)
        string(name: 'TAG', defaultValue: 'latest', description: 'The image tag to analyze.', trim: true)
        choice(name: 'ANCHORECTL_QUIET', choices: ['true', 'false'], description: 'Suppress anchorectl informational messages.')
        choice(name: 'ANCHORECTL_FORMAT', choices: ['json', 'csv'], description: 'The output format for anchorectl (e.g., json, csv).')
        choice(name: 'ANCHORECTL_FAIL_BASED_ON_RESULTS', choices: ['true', 'false'], description: 'How to handle fail signals (e.g., policy check outcomes)')
    }

    stages {
        stage('Anchore Image Scan') {
            environment {
                // AnchoreCTL service endpoint, account username and account password are
                // bound from Jenkins credentials so they are masked in the console log
                ANCHORECTL_URL = credentials('ANCHORECTL_URL')
                ANCHORECTL_USERNAME = credentials('ANCHORECTL_USERNAME')
                ANCHORECTL_PASSWORD = credentials('ANCHORECTL_PASSWORD')
                // Whether anchorectl exits non-zero on a failed policy evaluation (controlled by Jenkins parameter)
                ANCHORECTL_FAIL_BASED_ON_RESULTS = "${params.ANCHORECTL_FAIL_BASED_ON_RESULTS}"
                // Suppress informational output from anchorectl
                ANCHORECTL_QUIET = "${params.ANCHORECTL_QUIET}"
                // Output format for AnchoreCTL results
                ANCHORECTL_FORMAT = "${params.ANCHORECTL_FORMAT}"
                // Full image reference assembled once from the parameters
                IMAGE = "${params.REGISTRY}/${params.REPOSITORY}:${params.TAG}"
            }
            steps {
                script {
                    echo 'Starting image analysis pipeline.'
                    // Download anchorectl from the Enterprise deployment (ANCHORECTL_URL must end with "/")
                    sh '''
                        mkdir -p "$HOME/.local/bin"
                        curl -sSfL "${ANCHORECTL_URL}v2/system/anchorectl?operating_system=linux&architecture=amd64" \\
                            -H "accept: */*" | tar -zx -C "$HOME/.local/bin" anchorectl
                    '''
                    // A PATH export inside one sh step does not carry over to the next one,
                    // so the install directory is prepended to PATH for the remaining steps here
                    withEnv(["PATH+ANCHORECTL=${env.HOME}/.local/bin"]) {
                        // Build the SBOM on this runner and push it to Anchore, waiting for analysis to complete
                        sh "anchorectl image add --wait --from registry ${env.IMAGE}"
                        // Retrieve and archive the vulnerability report (pipefail so a failed
                        // anchorectl call is not hidden by tee)
                        sh """#!/bin/bash
                            set -o pipefail
                            anchorectl image vulnerabilities ${env.IMAGE} | tee vulnerabilities.${env.ANCHORECTL_FORMAT}
                        """
                        archiveArtifacts artifacts: "vulnerabilities.${env.ANCHORECTL_FORMAT}"
                        // Run the policy check. With ANCHORECTL_FAIL_BASED_ON_RESULTS=true, anchorectl
                        // exits non-zero when the evaluation fails; capture the status so the report
                        // is archived before the build is failed.
                        def policyCheckResult = sh(script: """#!/bin/bash
                            set -o pipefail
                            anchorectl image check --detail ${env.IMAGE} | tee policy-check.${env.ANCHORECTL_FORMAT}
                        """, returnStatus: true)
                        archiveArtifacts artifacts: "policy-check.${env.ANCHORECTL_FORMAT}"
                        if (policyCheckResult != 0) {
                            error("Policy check failed (anchorectl exit code ${policyCheckResult}).")
                        }
                    }
                }
            }
        }
    }
}
```
b) Centralized
Centralized scanning uses analyzer pods in Anchore Enterprise to generate the SBOM. This method is ideal when the operator does not control the image build process; it supports asynchronous scanning and is required for malware detection through ClamAV. After your container image is built, you can trigger a scan by adding the provided stage to your pipeline, which instructs Anchore Enterprise to analyze the image and prints the vulnerability and policy results in the build log. Below is an example of centralized scanning in a pipeline.
```groovy
pipeline {
    agent any

    // Define parameters for user input
    parameters {
        string(name: 'REGISTRY', defaultValue: 'docker.io', description: 'The container registry to use.', trim: true)
        string(name: 'REPOSITORY', defaultValue: 'library/nginx', description: 'The image repository path.', trim: true)
        string(name: 'TAG', defaultValue: 'latest', description: 'The image tag to analyze.', trim: true)
        choice(name: 'ANCHORECTL_QUIET', choices: ['true', 'false'], description: 'Suppress anchorectl informational messages.')
        choice(name: 'ANCHORECTL_FORMAT', choices: ['json', 'csv'], description: 'The output format for anchorectl (e.g., json, csv).')
        choice(name: 'ANCHORECTL_FAIL_BASED_ON_RESULTS', choices: ['true', 'false'], description: 'How to handle fail signals (e.g., policy check outcomes)')
    }

    stages {
        stage('Anchore Image Scan') {
            environment {
                // AnchoreCTL service endpoint, account username and account password are
                // bound from Jenkins credentials so they are masked in the console log
                ANCHORECTL_URL = credentials('ANCHORECTL_URL')
                ANCHORECTL_USERNAME = credentials('ANCHORECTL_USERNAME')
                ANCHORECTL_PASSWORD = credentials('ANCHORECTL_PASSWORD')
                // Whether anchorectl exits non-zero on a failed policy evaluation (controlled by Jenkins parameter)
                ANCHORECTL_FAIL_BASED_ON_RESULTS = "${params.ANCHORECTL_FAIL_BASED_ON_RESULTS}"
                // Suppress informational output from anchorectl
                ANCHORECTL_QUIET = "${params.ANCHORECTL_QUIET}"
                // Output format for AnchoreCTL results
                ANCHORECTL_FORMAT = "${params.ANCHORECTL_FORMAT}"
                // Full image reference assembled once from the parameters
                IMAGE = "${params.REGISTRY}/${params.REPOSITORY}:${params.TAG}"
            }
            steps {
                script {
                    echo "Starting image analysis for: ${env.IMAGE}"
                    // Download anchorectl from the Enterprise deployment (ANCHORECTL_URL must end with "/")
                    sh '''
                        mkdir -p "$HOME/.local/bin"
                        curl -sSfL "${ANCHORECTL_URL}v2/system/anchorectl?operating_system=linux&architecture=amd64" \\
                            -H "accept: */*" | tar -zx -C "$HOME/.local/bin" anchorectl
                    '''
                    // A PATH export inside one sh step does not carry over to the next one,
                    // so the install directory is prepended to PATH for the remaining steps here
                    withEnv(["PATH+ANCHORECTL=${env.HOME}/.local/bin"]) {
                        // Ask Anchore Enterprise to pull and analyze the image itself, waiting for analysis to complete
                        sh "anchorectl image add --wait ${env.IMAGE}"
                        // Retrieve and archive the vulnerability report (pipefail so a failed
                        // anchorectl call is not hidden by tee)
                        sh """#!/bin/bash
                            set -o pipefail
                            anchorectl image vulnerabilities ${env.IMAGE} | tee vulnerabilities.${env.ANCHORECTL_FORMAT}
                        """
                        archiveArtifacts artifacts: "vulnerabilities.${env.ANCHORECTL_FORMAT}"
                        // Run the policy check. With ANCHORECTL_FAIL_BASED_ON_RESULTS=true, anchorectl
                        // exits non-zero when the evaluation fails; capture the status so the report
                        // is archived before the build is failed.
                        def policyCheckResult = sh(script: """#!/bin/bash
                            set -o pipefail
                            anchorectl image check --detail ${env.IMAGE} | tee policy-check.${env.ANCHORECTL_FORMAT}
                        """, returnStatus: true)
                        archiveArtifacts artifacts: "policy-check.${env.ANCHORECTL_FORMAT}"
                        if (policyCheckResult != 0) {
                            error("Policy check failed (anchorectl exit code ${policyCheckResult}).")
                        }
                    }
                }
            }
        }
    }
}
```
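Both pipelines build the download URL by concatenating `${ANCHORECTL_URL}v2/system/anchorectl?...`, so a base URL without a trailing slash breaks the install step silently. The POSIX shell helpers below are an added example, not part of this page or of Anchore's own tooling: they normalize the base URL, build the same download URL the pipelines use, and generalize the install step to the agent's OS and architecture (linux/amd64 is the pair the page shows; the darwin and arm64 values are assumptions about what the endpoint serves).

```shell
# Added example (not Anchore's own tooling): pre-flight helpers for the
# anchorectl install step used in both pipelines above.
set -eu

# The pipeline builds "${ANCHORECTL_URL}v2/system/anchorectl?...", so the base
# URL must end with exactly one "/" or the path silently becomes "...comv2/...".
normalize_anchore_url() {
    url="$1"
    while [ "${url%/}" != "$url" ]; do
        url="${url%/}"
    done
    printf '%s/' "$url"
}

# Map uname output to the endpoint's query values. linux/amd64 is the pair the
# page uses; darwin and arm64 are assumptions about what the endpoint serves.
map_os() {
    case "$1" in
        Linux)  echo linux ;;
        Darwin) echo darwin ;;
        *) echo "unsupported operating system: $1" >&2; return 1 ;;
    esac
}
map_arch() {
    case "$1" in
        x86_64|amd64)  echo amd64 ;;
        aarch64|arm64) echo arm64 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Build the download URL exactly as the pipeline does, from a normalized base.
anchorectl_download_url() {
    base=$(normalize_anchore_url "$1")
    printf '%sv2/system/anchorectl?operating_system=%s&architecture=%s' "$base" "$2" "$3"
}

# Download anchorectl for this agent into a private bin directory and confirm
# it runs before any credentials are exercised. Needs network access, so the
# offline checks do not call it; run as: install_anchorectl "$HOME/.local/bin"
install_anchorectl() {
    bin_dir="${1:-$HOME/.local/bin}"
    os=$(map_os "$(uname -s)")
    arch=$(map_arch "$(uname -m)")
    mkdir -p "$bin_dir"
    curl -sSfL "$(anchorectl_download_url "$ANCHORECTL_URL" "$os" "$arch")" \
        -H "accept: */*" | tar -zx -C "$bin_dir" anchorectl
    "$bin_dir/anchorectl" version
}
```

Running `install_anchorectl` once on a fresh agent, before the credentials are bound, separates an install or URL problem from an authentication problem in the pipeline log.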
Last modified September 19, 2025