Getting Started

The Jenkins integration requires fossa-cli, our open source dependency analysis client, to be installed on your CI machine. The client supports all 3 major operating systems (Unix, Darwin/OSX and Windows).

To test the CLI, you can install it in your local environment using the command below or download it directly from our Github Releases page.

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
# view `fossa` help text
fossa --help

Configure your Jenkins Environment

First, grab a FOSSA API Key from your FOSSA account under your Integration Settings.

NOTE: If you are the maintainer of a public repository you should consider making your API key a Push Only Token.

Then, add it to your Jenkins environment variables as FOSSA_API_KEY:

Add FOSSA steps to your Jenkins Pipeline

Add FOSSA Analyze step. This typically follows the “Build Code” step as all dependencies should be present for FOSSA Analyze.

Pipeline Example:

node {
    def registry = 'registry.hub.docker.com/xxxxxx/test'
    def registryCredential = 'dockerhub'
    def newApp   // declared here so the image handle built in one stage is visible to later stages

    stage('Git') {
        git 'https://github.com/xxxxx/jenkins_neuvector.git'
    }
    stage('Build Code') {
        // all dependencies must be installed before FOSSA Analyze runs
        sh 'npm install'
    }
    stage('Fossa Analyze') {
        sh 'curl -H \'Cache-Control: no-cache\' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash'
        // XXXXXXXXXXXXXXXXXXXX is a placeholder; prefer the FOSSA_API_KEY environment variable configured above to a literal key in the Jenkinsfile
        sh 'FOSSA_API_KEY=XXXXXXXXXXXXXXXXXXXX fossa analyze'
    }
    stage('Building image') {
        docker.withRegistry('https://' + registry, registryCredential) {
            def buildName = registry + ":$BUILD_NUMBER"
            newApp = docker.build buildName
            newApp.push()
        }
    }
    stage('Registering image') {
        docker.withRegistry('https://' + registry, registryCredential) {
            newApp.push 'latest2'
        }
    }
    stage('Removing Local image') {
        sh "docker rmi $registry:$BUILD_NUMBER"
    }
}

Now with every CI build, you will be uploading dependency data for analysis back to FOSSA.

Blocking CI Builds w/ FOSSA Issue Status

You can also create a step in Jenkins that will allow you to pass or fail a build based on your scan status in FOSSA.
To accomplish this, simply add a call to fossa test into your test section.

stage('FOSSA Test') {
    // --debug output goes to stderr; redirect it to a file so it can be archived with the build
    sh 'FOSSA_API_KEY=XXXXXXXXXXXXXXXXXXXX fossa test --debug 2>$ARTIFACTS/fossa-test-stderr'
}

The fossa test command will poll app.fossa.io or your local FOSSA appliance for updates on your scan status until it gets a response. Then, it will report a relevant exit status to the CI step (to block a failing build) and render rich details about issues directly inline in your Jenkins test results.
You can customize a timeout on this step using the fossa test --timeout {seconds} flag documented here.
The default timeout is set to 600 seconds (10 minutes), but it will only be reached in exceptional cases; most scans return well within the timeout window.
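The following scripted pipeline is an added example, not code from the FOSSA documentation or the fossa-cli project. It wires the Analyze and Test steps above into one Jenkinsfile with the API key supplied from the Jenkins credential store instead of a literal in the pipeline script. It assumes the Credentials Binding plugin, a "Secret text" credential with the hypothetical id fossa-api-key, and that ARTIFACTS (which the page uses but does not define) is a directory under the workspace; the repository URL is the page's placeholder and the Docker image stages are omitted.

```groovy
// Added example: fossa analyze + fossa test in a scripted Jenkins pipeline.
// Assumptions (not from the page): credential id 'fossa-api-key' exists as
// Secret text, and ARTIFACTS is a workspace subdirectory we create here.
node {
    // fossa-cli install one-liner from the page; pinned to whatever master serves
    def installFossa = 'curl -H \'Cache-Control: no-cache\' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash'

    // Assumed location for the --debug log; the page references $ARTIFACTS without defining it
    env.ARTIFACTS = "${env.WORKSPACE}/artifacts"

    stage('Git') {
        git 'https://github.com/xxxxx/jenkins_neuvector.git'   // placeholder URL from the page
    }
    stage('Build Code') {
        // Every dependency must be resolved before fossa analyze runs,
        // otherwise the uploaded dependency graph is incomplete.
        sh 'npm install'
    }
    // Bind the key as FOSSA_API_KEY only for the steps inside this block.
    // Jenkins masks the value in the console log, and it never appears in SCM.
    withCredentials([string(credentialsId: 'fossa-api-key', variable: 'FOSSA_API_KEY')]) {
        stage('FOSSA Analyze') {
            sh installFossa
            sh 'fossa analyze'
        }
        stage('FOSSA Test') {
            sh 'mkdir -p "$ARTIFACTS"'
            // --timeout is in seconds; 300 here overrides the 600 s default.
            // A non-zero exit from fossa test fails this sh step, which fails the build.
            sh 'fossa test --debug --timeout 300 2>"$ARTIFACTS/fossa-test-stderr"'
            // Keep the debug log with the build for triage; the path is workspace-relative.
            archiveArtifacts artifacts: 'artifacts/fossa-test-stderr', allowEmptyArchive: true
        }
    }
}
```

Keeping the key in the credential store rather than in the Jenkinsfile matters even with a Push Only Token: the pipeline script is usually committed to the repository, so a literal key there is readable by anyone with read access and survives in git history after removal. Placing the fossa test stage after analyze also means the build blocks on FOSSA issue status before any image is pushed to a registry.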