How to Run a Dependency Security Scan in a Jenkins Pipeline
OWASP Dependency-Check scans your dependencies in a Jenkins stage and can fail the build on high CVSS findings.
Install the OWASP Dependency-Check plugin, run the dependencyCheck step, then publish the report with dependencyCheckPublisher and a failure threshold.
Scan and gate on severity
The scan runs against the workspace; the publisher fails the build when high-severity issues are found.
Jenkinsfile
pipeline {
agent any
stages {
stage('Dependency scan') {
steps {
dependencyCheck(
additionalArguments: '--scan ./ --format XML',
odcInstallation: 'dependency-check'
)
dependencyCheckPublisher(
pattern: 'dependency-check-report.xml',
failedTotalHigh: 1
)
}
}
}
}Gotchas
- Configure an
odcInstallationnamed tool in Global Tool Configuration or the step cannot find the scanner. - The first scan downloads the NVD database and is slow; cache the data directory across builds.
failedTotalHigh/failedTotalCriticalset the gate - without them the scan reports but never fails the build.
Related guides
How to Run a Security Scan (CodeQL + Dependencies) in GitHub ActionsRun a SAST and dependency security scan in GitHub Actions with CodeQL and a dependency audit, uploading SARIF…
How to Run SAST and Dependency Scanning in GitLab CIRun SAST and dependency scanning in GitLab CI by including the built-in security templates, which add scanner…