Skip to content
Latchkey

How to Run a Dependency Security Scan in a Jenkins Pipeline

OWASP Dependency-Check scans your dependencies in a Jenkins stage and can fail the build on high CVSS findings.

Install the OWASP Dependency-Check plugin, run the dependencyCheck step, then publish the report with dependencyCheckPublisher and a failure threshold.

Scan and gate on severity

The scan runs against the workspace; the publisher fails the build when high-severity issues are found.

Jenkinsfile
pipeline {
  agent any
  stages {
    stage('Dependency scan') {
      steps {
        dependencyCheck(
          additionalArguments: '--scan ./ --format XML',
          odcInstallation: 'dependency-check'
        )
        dependencyCheckPublisher(
          pattern: 'dependency-check-report.xml',
          failedTotalHigh: 1
        )
      }
    }
  }
}

Gotchas

  • Configure an odcInstallation named tool in Global Tool Configuration or the step cannot find the scanner.
  • The first scan downloads the NVD database and is slow; cache the data directory across builds.
  • failedTotalHigh/failedTotalCritical set the gate - without them the scan reports but never fails the build.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →