Jenkins Shared Library

Last modified by Boris Folgmann on 2025/11/03 09:41

DevOps-as-a-Service Open Source Pipeline Library

DevOps-as-a-Service Open Source Pipeline Library

DevOps-as-a-Service provides a standardized Jenkins Shared Library to be used for all your builds. See https://prd.sdc.t-systems.net/bitbucket/projects/DEVOPSAAS/repos/sdcloud-caas-jenkins-libs/browse for the source code and additional documentation like e.g. release notes.

Getting Started

Since the Shared Library is globally configured on all Jenkins instances managed by DevOps-as-a-Service you just need to place the following very short Jenkinsfile in the root folder of your git repository to automatically build your maven, node or go project or simply build a container using a Dockerfile.

@Library('sdcloud') _

sdcPipeline()

Calling sdcPipeline() starts an automatically configured, standardized build and deployment pipeline.
The pipeline requires a node labeled with 'docker' to execute successfully. To run on other types of Jenkins agents set the useNode argument as described below.

Pipeline features

What the pipeline currently does is visualised in the following image which shows an example for a maven-based Java project.

sdcPipeline prints some valuable information about this shared Jenkinslib. Allocates a node (Jenkins Agent) to start executing the pipeline.
Checkout: checking out the source code from git.
JDK: If a pom.xml is found, your favorite JDK or the current default is selected .
Maven Build: If a pom.xml is found, a maven build is done.
If there's no pom.xml, but a package.json is found a nodejs build is done.
If there is no pom.xml or package.json but a go.mod file, a go build is done.
Then the following stages are executed in parallel
1. Analysis: For maven projects the Java source code is checked by checkstyle, pmd and spotbugs. Furthermore the job output will be checked for any warnings generated by maven, javac or javadoc.
  If Python modules (.py files) exist in the git repository they will be analyzed using pylint and flake8. If pylint or flake8 are not available on the Jenkins agent the steps will be skipped. Python files that are generated or downloaded into the workspace will not be checked. The results will be displayed on the classical Jenkins build page after the build. For Go projects, the Go test tool is used to run all tests and produce a coverage output file for SonarQube. Additionally, the gotestsum tool is used to produce a report which is picked up by Jenkins.
  If SonarQube is configured fore this Jenkins instance, a Sonar Scan is performed on the agent and the result is pushed to SonarQube for further processing.
2. Security:
  1. If it's not a feature or bugfix branch, a dependency check is done which checks if e.g. libraries are used which have known vulnerabilities. The results will be displayed in Jenkins after the build.
  2. If Dependency Track is enabled for the current project, an SBOM file is created and archived in the build. In addition it's pushed to Dependency Track. Jenkins will wait for DepTrack to process the SBOM and display information about found potential vulnerabilities in the build.
3. Docker: this will also work for projects which are neither maven, nodejs or go. A Dockerfile is enough to trigger this part of the pipeline.
  1. Build Container Image: If a Dockerfile is found a docker image is built.
  2. Test Container Image: The image is started as an isolated container on the Jenkins agent. Any loglines written to stdout or stderr by the container will be displayed.A smoke test is performed which is a simple query for a valid answer on the exposed port of the container.
  3. Push Container Image: If the smoke test was successful the container image will be pushed to the image registry.
    For easy identification of the image 3 image tags are defined:
    1. BRANCH_NAME-BUILD_NUMBER (e.g. 'production-1014')
    2. BRANCH_NAME-GIT_HASH (e.g. 'develop-8a7c4f2')
    3. BRANCH_NAME-latest (e.g. 'feature-PKEY-42-latest')
    4. (If BRANCH_NAME is defaultBranch the prefix 'BRANCH_NAME-' will not be included.)
  4. Create Helm Chart: When a chart/Chart.yaml is found and it's not a pull-request, a Helm Chart will be created and pushed to the Helm Chart repository.
Yamllint will check all YAML files in the workspace for errors and warnings. This is done at this place since the Create Helm Chart stage modifies or creates YAML files which should be also checked before the pipeline proceeds.
Deploy application: when depolyHelmChart is set to true the Helm chart will be deployed to the Kubernestes cluster and namespace of your choice. Not done in the example diagram.
Trivy Results: if a container image was pushed to Harbor as the container registry, the results of the Trivy security scan are fetched from Harbor
Sonar Results: finally the pipeline waits for the result of the Sonar Quality Gate to decide on the success of the build.

Pipeline Customization

By passing named arguments to sdcPipline() e.g. sdcPipeline(imageName: 'nginx-demo', imageTag: 'v1.4') you can change the default configuration of the pipeline.

Category	Argument	Default	Description
Job execution	decorateOutput	true	Enables timestamps and colorization for the console output when set to true.
	allocateNode	true	Specifies if a node should be allocated for executing the sdcPipeline code. If you set this to false you will need to put your sdcPipeline() call into a node {} block.
	useNode	'docker'	Specifies which node should be allocated and used by the pipeline if allocateNode is true. Pass a label or name of a configured Jenkins agent.
	defaultBranch	'master'	This branch will be the integration branch for work. At some points the pipeline will behave differently, if the default branch or another branch ist currently being built.
Programming language and build tool	jdk	'jdk11'	JDK to use for all Java operations. Refers to a symbolic name of a Java tool configuration in Jenkins.
	mvnCommand	'mvn clean verify'	maven command to execute for building maven projects.
	mavenSettingsConfig	''	Select a maven settings element from File Config Provider. The settings element in the settings.xml file contains elements used to define values which configure Maven execution in various ways, like the pom.xml, but should not be bundled to any specific project, or distributed to an audience. These include values such as the local repository location, alternate remote repository servers, and authentication information. See also Using Maven Artifact Repositories in Jenkins.
	nodejs	'nodejs'	Node.js to use for all node operations like e.g. calling npm. Refers to a symbolic name of a nodejs tool configuration in Jenkins.
	npmCommand	'npm install && npm run build --prod'	npm command to execute for building Node.JS projects.
	go	'go'	Golang version to use. Refers to a symbolic name of a go tool configuration in Jenkins.
	goBuildCommand	'go build -o app cmd/server/main.go'	go build run. Should be overridden for your project.
	goTestCommand	'gotestsum --format pkgname --junitfile report.xml -- -failfast -race -coverprofile=coverage.out -tags=test ./...'	Runs gotestsum tool which in turn calls 'go test' for all packages in the project. Should be overridden for your project. The gotestsum tool is available out-of-the-box and produces a report file which is picked up by Jenkins automatically.
Container build	dockerBuildPath	'.' (current directory)	Path to use for building the Docker container.
	dockerBuildArgs	'' (empty string)	Any additional arguments for Docker build.
	dockerfile	dockerBuildPath/Dockerfile	Dockerfile to use for building the Docker container.
	imageName	artifactId from pom.xml for maven projects name of the build job for all other project types	Name to be used for the built Docker image.
	imagePath	Name of the project folder in Jenkins. That's the PROJECTKEY from the self-service portal	Path to prepend before the imageName.
	imageTag	nothing	Additional tag to set on the container. It will be automatically prefixed with the branch name, except for the defaultBranch.
	gitHashLength	7	Number of digits from the git hash that will be used as an image tag on the container image to label the build.
	gitCredentialsId	'PROJECTKEY-git' (credential which was added to your project folder in Jenkins when the project was set up by the self-service portal)	Name of credentials used to connect to Bitbucket API. May be used to connect to alternative SCM tools in the future.
	pullDockerRegistry	'https://registry-CUSTOMER.devops.t-systems.net' (docker registry of your DOaaS instance)	If you need to pull base images during the Docker build from a docker registry that requires authentication you have to use this to specify it.
	pullDockerRegistryCredentialsId	'doaas-PROJECTKEY+jenkins-push-harbor' or 'PROJECTKEY-jenkins' (which were added to the credentials of your project folder in Jenkins when the project was set up by the DevOps Portal. While the first is added for Harbor, the second is added for Nexus OSS. That means that the library will automatically choose the best default for you. Please note that Harbor will be prefered, if both tools are used in the project.)	Id of the Jenkins Credentials which have to be used to authenticate to the pullDockerRegistry.
Container test	skipSmokeTest	false	Set to true to skip the container smoke test after the build.
	containerArgs	'' (empty string)	Arguments to pass to the container for the smoke test.
	containerPort	80	Exposed port of the container that is used to check for an answer during the smoke test.
	containerProtocol	'http'	Protocol to use when trying to connect to the port of the container. Possible values: 'http', 'tcp', 'udp'. 'http' will be tested with curl, 'tcp' and 'udp' will be tested with ncat.
	containerContextPath	'' (empty string)	contextPath to query for the smoke test if the container protocol is 'http'
	containerMaxLoglineTime	15	After starting the container the smoke tests monitors stdout of the container for loglines. After containerMaxLoglineTime which is specified in seconds have passed without a new logline found, the container is expected to be up and running and the test query is performed. Increase if your container doesn't write loglines that often and seems to be not ready when the test query is performed.
	containerMaxStartupTime	180 (3 minutes)	Total time in seconds after which the container is expected to be up and running even if it's still writing loglines to stdout. After this time has passed the container will be queried for an answer.
Image push	pushDockerRegistry	'https://registry-CUSTOMER.devops.t-systems.net' (docker registry of your DOaaS instance)	Docker registry to which the built image will be pushed after a successful smoke test.
Image push	pushDockerRegistryCredentialsId	'doaas-PROJECTKEY+jenkins-push-harbor' or 'PROJECTKEY-jenkins' (which were added to the credentials of your project folder in Jenkins when the project was set up by the DevOps Portal. While the first is added for Harbor, the second is added for Nexus OSS. That means that the library will automatically choose the best default for you. Please note that Harbor will be prefered, if both tools are used in the project.)	Id of the Jenkins Credentials which have to be used to authenticate to the pullDockerRegistry.
Helm Chart	helmChartPath	'./chart'	Specifies the path to the YAML files for the helm command.
	appName	artifactId from pom.xml for maven projects name of the build job for all other project types	Name of the application. Used to build the name of the Helm chart.
	appVersion	version from pom.xml for maven projects '1.0.0' for all other project types	Version of the application. Used to set the app version of the Helm chart.
	chartVersion	appVersion with '00' appended	Version of the Helm chart. Used to set the chart version of the Helm chart.
	helmRegistry	Helm registry of your DOaaS instance, which is usally 'https://registry-CUSTOMER.devops.t-systems.net/chartrepo/PROJECTKEY'	Helm registry to which the packaged Helm chart is uploaded.
	helmRegistryCredentialsId	'doaas-PROJECTKEY+jenkins-push-harbor' or 'PROJECTKEY-jenkins' (which were added to the credentials of your project folder in Jenkins when the project was set up by the DevOps Portal. While the first is added for Harbor, the second is added for Nexus OSS. That means that the library will automatically choose the best default for you. Please note that Harbor will be prefered, if both tools are used in the project.)	Id of the Jenkins Credentials which have to be used to authenticate to the Helm registry for acccessing Helm charts.
Container image signature	signImages	false	When set to true, it activates signing of generated Docker images.
	signingNotaryServer	'https://notary.external.otc.telekomcloud.com' (Magenta Trusted Registry)	Specifies the Notary service to be used for signing.
	signingPassphraseCredentialsId	'docker-trust-PROJECTKEY-passphrase'	Id of the Jenkins Credentials for passphrase of signers keyfile.
	signingKeyfileCredentialsId	'docker-trust-PROJECTKEY-keyfile'	Id of the Jenkins Credentials for signers private keyfile.
Static Source Code Analysis	checkstyleConfig	best-practice releaxed configuration	Name of a config file to use for checkstyle. If not set a best-practice relaxed configuration is used which is different from the original Sun Java Style. To get the old behavior simply specify 'sun_checks.xml' to get the original Sun Checks. As an alternative 'google_checks.xml' can be used for the Google Checks which is another ruleset predefined in the checkstyle scanner tool. For a custom configuration specify a filesystem path, a URL, or a classpath resource. This parameter expects that the contents of the location conforms to the xml format (Checkstyle Checker module) configuration of rulesets.
	skipBlames	false	If set to true all recordIssues steps will skip creating the SCM blames. This speeds up the processing of the results of static source code analyis. As a consequence you will not be able to see who introduced a problem into the code.
	yamlConfig	best-practice releaxed configuration	Name of a config file to use for yamllint. If not set a best-practice relaxed configuration is used which is different from the original yamllint config.
	sonarQube	true for the defaultBranch and for pull-requests, if a SonarQube version is detected which supports scanning multiple branches false for all other branches	Set this to true to force a SonarQube scan for the current branch. Usually this makes only sense if you explicitly want to scan feature and bugfix branches. If not set or set to false, the default branch will be scanned automatically as well as pull-requests, if a SonarQube version is detected which supports scanning multiple branches. This is currently the case for SonarQube Developer and Enterprise editions. The free SonarQube Community edition supports just one branch.
	sonarScanMavenOpts	''	For huge source codes it can happen that the sonar scanner aborts with java.lang.OutOfMemoryError. In this case the memory that is availalbe for the sonar scanner needs to be increased. Try something like '-Xmx512m' to set a larger heap space for the JVM that is executing the maven-based sonar scan. '-Xmx3g' should be enough for most source codes, but make sure that your Jenkins agent has enough memory to cope with that.
	sonarScanOpts	''	For huge source codes it can happen that the sonar scanner aborts with java.lang.OutOfMemoryError. In this case the memory that is availalbe for the sonar scanner needs to be increased. Try something like '-Xmx512m' to set a larger heap space for the JVM that is executing the sonar scan. '-Xmx3g' should be enough for most source codes, but make sure that your Jenkins agent has enough memory to cope with that.
	sonarSources	'src/main' for maven projects null for non-maven projects	Comma-separated paths to directories containing main source files to scan with SonarQube. Defaults to 'src/main' and therefore will automatically discover folders like src/main/java, src/main/webapp or src/main/resources. This makes sure to not only scan Java sources, but also for example JSP, CSS and HTML files. Sonar scanning will fail if the configured directory itself is not found at all. This can happen if you have defined an alternative <sourceDirectory> in your pom.xml. If this is the case, you can disable sonar scanning by adding <properties> <sonar.skip>true</sonar.skip> </properties> to the pom.xml. If this is not what you want, set sonarSources to null. This will make sure that sonar.sources are not explicitly passed to the sonar scanner. This will allow you to specify sonar.sources in the pom.xml like in the following example: <properties> <sonar.source>src/main/java,src/main/webapp</sonar.sources> </properties>
	sonarQualityGate		Sets the desired quality gate to use for the scan result in SonarQube. If not specified, the quality gate is not changed. As a default, SonarQube will use the quality gate "Sonar way" for new scan results.
Dependency Check	skipDependencyCheck	false	Set to true to skip the dependency-check.
	dependencyCheckTool	'dependency-check'	Defines which named dependency-check tool should be used.
	dependencyCheckMvnArgs	'-DassemblyAnalyzerEnabled=false'	Additional arguments which are be passed to dependency-check for maven projects. See Dependency Check Maven Configuration for more information.
	dependencyCheckArgs	'--disableAssembly'	Addtional arguments which are be passed to dependency-check. See Dependency Check CLI Arguments for more information.
	dependencyCheckNvdApiKeyCredentialsId	'dependency-check-nvdapikey'	If you have your own NVD API Key, set it as a credential of type text in Jenkins. Then specify the credential id using this argument. It will be automatically passed to dependency-check. There will be no error if no credential is found. Just the NVD download will be slower. Please note, on DevOps-as-a-Service a shared NVD API Key is automatically supplied for the default credential id.
Dependency Track	depTrackCredentialsId	'PROJECTKEY-deptrack-projectcreator'	Id of the Jenkins Credential which has to be used to authenticate to Dependency Track for publishing the SBOM.
Dependency Track	depTrackClassifier	'application'	The component type (e.g. application, library, firmware, ...) that should be set in the SBOM file. Will be later shown as classifier for the project in Dependency Track. See CycloneDX Metadata Component Type for supported values.
Trivy	trivySeverity	'High'	String which sets the minimum severity of Trivy findings that has to be reached to mark the Trivy Results stage as unstable. Possible values are: "None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical".
Trivy	trivyBuildResult	'SUCCESS'	String which sets the overall build result when the result of the Trivy scan reaches trivyServerity. Possible values are: "SUCCESS", "UNSTABLE" or "FAILURE"
Deployment	deployHelmChart	false	Boolean that activates or deactivates the automatic deployment of the Helm-Chart.
	kubeconfigCredentialsId	'kubeconfig-deployer-PROJECTKEY'	Id of the Jenkins credential which contains the kubeconfig file that should be used for deployment. The file is required to authorize access to the Kubernetes cluster.
	kubernetesNamespace	'default'	Name of the namespace in Kubernetes, to which the Chart will be deployed.
	helmValuesOverrideFile	'chart/values.yaml'	Name of the YAML file which contains specific values that should be overridden for the automatic deployment. The location needs to be specified relative to the Jenkinsfile.
	helmSetValues	''	Set values using the format "key1=val1,key2=val2,..." for the automatic deployment. While helmValuesOverrideFile is usally something static you can use this to specify different values depending on e.g. conditions in your Jenkinsfile. Will be ignored if set to null, empty string or just white space.
	helmReleaseName	artifactId from pom.xml for maven projects name of the build job for all other project types	Name of the Helm Release which will be installed or upgraded in your cluster.
	helmLockResource	null	Using lock the specified resource will be locked for the execution of any helm upgrade or helm uninstall command. This makes sense if deployHelmChart is used to upgrade an deployment in an environment which is currently used, e.g. for automated testing. In this case wrap your test in a lock statement with the same resource name. Defaults to null, which will not lock any resource.