Integrating Black Duck Source Code Scanning into Jenkins Pipelines
This guide explains why source‑code scanning is essential for security and compliance, describes manual Black Duck scanning steps, outlines integration goals, details required parameters, shows Jenkins configuration, and provides a complete Jenkinsfile pipeline script to automate Black Duck scans on each build.
Why Perform Source Scanning
In product development, open‑source components are frequently used, but their vulnerabilities and license issues can introduce security and commercial risks; therefore, scanning these components before release is necessary.
Black Duck Manual Execution Steps
Download the specific Git repository and branch.
Remove irrelevant files (or specify files/folders via Black Duck parameters).
Run the Black Duck scan command manually.
After a successful scan, upload the results to the internal Black Duck web portal for review.
Integration Goals for Black Duck and Jenkins
Provide a pipeline that can download code from customizable repositories.
Offer developers and testers a simple, on‑demand interface to execute source scans.
Support periodic automatic scans and allow chaining with other Jenkins jobs.
Key Black Duck Parameters
--blackduck.url                                         # Your Black Duck URL
--blackduck.username                                    # Your login user
--blackduck.api.token                                   # Your login token
--detect.project.name                                   # Black Duck project name
--detect.project.version.name                           # Project version
--detect.source.path                                    # Path to source code
--logging.level.com.synopsys.integration=debug          # Verbose Detect logging
--blackduck.trust.cert=TRUE                             # Accept the server's TLS certificate without validation
--detect.blackduck.signature.scanner.snippet.matching   # Snippet scan mode
Additional parameters can be found in the official Synopsys Detect for Jenkins documentation.
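The manual steps and the parameters above, as an added shell script that is not from the original post: it validates the snippet mode against the modes the pipeline offers, assembles the Detect arguments without putting the token on the command line, and clones without embedding credentials in the URL. It assumes detect.sh is on PATH, that Detect reads the token from the BLACKDUCK_API_TOKEN environment variable (Detect's environment-variable form of --blackduck.api.token), and that BLACKDUCK_URL, BLACKDUCK_USER, GIT_USER and GIT_TOKEN are set by the caller; the Git host is the post's placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: the manual Black Duck steps scripted
# with the checks a reviewer wants before automating them in Jenkins.
# Assumptions: detect.sh on PATH; Detect takes the API token from the
# BLACKDUCK_API_TOKEN environment variable; BLACKDUCK_URL, BLACKDUCK_USER,
# GIT_USER and GIT_TOKEN are provided by the caller.
set -eu

ALLOWED_MODES="SNIPPET_MATCHING SNIPPET_MATCHING_ONLY FULL_SNIPPET_MATCHING FULL_SNIPPET_MATCHING_ONLY NONE"

# Succeed only if $1 is one of the snippet modes the Jenkins choice parameter offers.
validate_snippet_mode() {
  for m in $ALLOWED_MODES; do
    [ "$1" = "$m" ] && return 0
  done
  return 1
}

# Print one Detect argument per line. The token is deliberately left out: it stays
# in the environment, so it never shows up in `set -x` traces or the process list.
build_detect_args() {
  url="$1"; user="$2"; project="$3"; version="$4"; src="$5"; mode="$6"
  validate_snippet_mode "$mode" || { echo "unknown snippet mode: $mode" >&2; return 1; }
  [ -d "$src" ] || { echo "source path missing: $src" >&2; return 1; }
  printf '%s\n' \
    "--blackduck.url=$url" \
    "--blackduck.username=$user" \
    "--detect.project.name=$project" \
    "--detect.project.version.name=$version" \
    "--detect.source.path=$src" \
    "--detect.blackduck.signature.scanner.snippet.matching=$mode" \
    "--blackduck.trust.cert=TRUE"
}

# Steps 1-3 of the manual procedure: clone, prune, scan. Git credentials go through
# a credential helper, so the token is never part of the clone URL, of .git/config
# or of the process list.
run_manual_scan() {
  repo="$1"; branch="$2"; version="$3"; mode="$4"
  [ -n "${BLACKDUCK_API_TOKEN:-}" ] || { echo "BLACKDUCK_API_TOKEN is not set" >&2; return 1; }
  rm -rf "$repo"
  git -c credential.helper='!f() { echo "username=$GIT_USER"; echo "password=$GIT_TOKEN"; }; f' \
      clone -b "$branch" --depth 1 "https://git.yourcompany.com/scm/github/$repo.git"
  rm -rf "$repo/.git"        # step 2: drop files the scan should not see
  build_detect_args "$BLACKDUCK_URL" "$BLACKDUCK_USER" GITHUB "$version" "$repo/src" "$mode" \
    | xargs detect.sh         # step 3: Detect picks the token up from the environment
}
```

Arguments are passed one per line to xargs, so keep project and version names free of whitespace.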
Black Duck Configuration in Jenkins
1. Install the Synopsys Detect plugin in Jenkins.
2. Configure the plugin under Jenkins → Manage Jenkins → Configure System:
Black Duck URL (e.g., https://yourcompany.blackducksoftware.com)
Credentials: select Secret text and provide the user token.
Click “Test connection to Black Duck”; a “Connection successful” message confirms the setup.
Jenkins Pipeline Script (Black Duck Scan)
pipeline {
    agent {
        node {
            label 'black-duck'
            customWorkspace "/agent/workspace/blackduck"
        }
    }
    parameters {
        choice(name: 'VERSION', choices: ['MVSURE_v1.1', 'MVSURE_v1.2', 'MVSURE_v2.2'], description: 'Which version do you want to scan on Black Duck?')
        choice(name: 'REPO', choices: ['blog-server', 'blog-client', 'blog-docker'], description: 'Which repository does the VERSION belong to?')
        string(name: 'BRANCH', defaultValue: 'develop', description: 'Which branch does the VERSION belong to?')
        // Underscore, not hyphen: parameters are exported as environment variables, and
        // ${SNIPPET-MODES} would be read as the shell default expansion of SNIPPET.
        choice(name: 'SNIPPET_MODES', choices: ['SNIPPET_MATCHING', 'SNIPPET_MATCHING_ONLY', 'FULL_SNIPPET_MATCHING', 'FULL_SNIPPET_MATCHING_ONLY', 'NONE'], description: 'What snippet scan mode do you want to choose?')
    }
    environment {
        // Username/password credential for the Git server; exposed as ROBOT_USR and ROBOT_PSW
        ROBOT = credentials("d1cbab74-823d-41aa-abb7-858485121212")
        blackduck_url = 'https://yourcompany.blackducksoftware.com'
        blackduck_user = '[email protected]'
        detect_project = 'GITHUB'
        detect_project_version = "${params.VERSION}"
        detect_source_path = "${env.WORKSPACE}/${params.REPO}/src"
    }
    options { buildDiscarder(logRotator(numToKeepStr: '10')) }
    stages {
        stage('git clone') {
            steps {
                // Jenkins masks ROBOT_USR/ROBOT_PSW in the console log, but a password in the
                // URL still reaches the process list and ${REPO}/.git/config on the agent.
                sh '''
                    if [ -d "${REPO}" ]; then
                        rm -rf "${REPO}"
                    fi
                    git clone -b "${BRANCH}" --depth 1 "https://${ROBOT_USR}:${ROBOT_PSW}@git.yourcompany.com/scm/github/${REPO}.git"
                '''
            }
        }
        stage('black duck scan') {
            steps {
                withCredentials([string(credentialsId: 'robot-black-duck-scan', variable: 'TOKEN')]) {
                    // synopsys_detect (Synopsys Detect plugin) downloads and runs Detect itself, so it takes
                    // Detect properties only, not a shell command. Single quotes keep the token out of the
                    // Groovy string; the plugin resolves ${VAR} references from the build environment.
                    // --blackduck.trust.cert=TRUE skips TLS certificate validation for the Black Duck server.
                    synopsys_detect '--blackduck.url=${blackduck_url} --blackduck.username=${blackduck_user} --blackduck.api.token=${TOKEN} --detect.project.name=${detect_project} --detect.project.version.name=${detect_project_version} --detect.source.path=${detect_source_path} --logging.level.com.synopsys.integration=debug --blackduck.trust.cert=TRUE --detect.blackduck.signature.scanner.snippet.matching=${SNIPPET_MODES}'
                }
            }
        }
    }
    post {
        always {
            script {
                // vars/email.groovy is a helper kept in the pipeline's own repository;
                // wrap([$class: 'BuildUser']) needs the build-user-vars plugin.
                def email = load "vars/email.groovy"
                wrap([$class: 'BuildUser']) {
                    email.build(currentBuild.result, env.BUILD_USER_ID)
                }
            }
        }
        success {
            echo "success, cleanup blackduck workspace"
            cleanWs()   // Workspace Cleanup plugin
        }
    }
}
The pipeline downloads the selected repository, runs the Black Duck scan with the configured parameters, and sends an email notification regardless of the result, cleaning up the workspace on success.
DevOps Engineer
DevOps engineer, Pythonista and FOSS contributor. Created cpp-linter, commit-check, etc.; contributed to PyPA.