In this guide, you’ll learn how to import a custom TrivyScanScript shared library into your Jenkins pipeline and run vulnerability scans at various severity levels. By centralizing your Trivy logic, you can maintain consistency across projects and simplify pipeline definitions.
Prerequisites
A Jenkins instance with Pipeline Shared Libraries enabled
A Git repository for your shared library
An application repository containing a Jenkinsfile
Docker image registry credentials (if needed)
1. Define the vulnerability Step in the Shared Library In your shared library repo, open or create vars/TrivyScanScript.groovy and add the vulnerability function:
// vars/TrivyScanScript.groovy def vulnerability ( Map config = [:]) { loadScript( name : 'trivy.sh' ) sh "./trivy.sh ${ config.imageName } ${ config.severity } ${ config.exitCode } " }
Commit and push these changes:
Command Description git checkout -b featureTrivyScanCreate a feature branch git add vars/TrivyScanScript.groovyStage the new step definition git commit -m "Add TrivyScanScript.vulnerability step"Commit with a clear message git push -u origin featureTrivyScanPush branch to remote
2. Invoke the Shared Library from Your Jenkinsfile In your application repository, update the Jenkinsfile to load and call trivyScanScript.vulnerability:
pipeline { agent any libraries { // Reference your shared library and feature branch library identifier : 'your-shared-lib@featureTrivyScan' } stages { stage( 'Build Docker Image' ) { steps { sh 'docker build -t myorg/app:$GIT_COMMIT .' } } stage( 'Trivy Vulnerability Scanner' ) { steps { script { // Run scans for each severity level [ 'LOW' , 'MEDIUM' , 'HIGH' , 'CRITICAL' ] . each { sev -> def exitCode = sev == 'CRITICAL' ? '1' : '0' trivyScanScript . vulnerability( imageName : "myorg/app: $GIT_COMMIT " , severity : sev, exitCode : exitCode ) } } } post { always { script { // Convert results to HTML trivyScanScript . reportsConverter() } publishHTML( allowMissing : true , alwaysLinkToLastBuild : true , keepAll : true , reportDir : './' ) } } } } }
Commit and push:
git add Jenkinsfile git commit -m "Invoke TrivyScanScript.vulnerability in pipeline" git push
3. Troubleshooting: MissingPropertyException If Jenkins logs show:
java.lang.MissingPropertyException : No such property : trivy for class : TrivyScanScript
that usually means the loadScript invocation wasn’t using a string literal for the script name.
Ensure you wrap the script name in quotes. Otherwise, Groovy tries to resolve an undefined property.
4. Fixing the loadScript Invocation Update vars/TrivyScanScript.groovy to use a quoted name:
def vulnerability ( Map config = [:]) { loadScript( name : 'trivy.sh' ) sh "./trivy.sh ${ config.imageName } ${ config.severity } ${ config.exitCode } " }
Then:
git add vars/TrivyScanScript.groovy git commit -m "Fix loadScript name quoting" git push
Rerun or trigger the Jenkins build.
5. Verifying a Successful Run After Jenkins picks up the fix, you should see output similar to:
Loading library your-shared-lib@featureTrivyScan ... chmod +x ./trivy.sh ./trivy.sh myorg/app:abcd1234 LOW 0 ./trivy.sh myorg/app:abcd1234 MEDIUM 0 ./trivy.sh myorg/app:abcd1234 HIGH 0 ./trivy.sh myorg/app:abcd1234 CRITICAL 1 ... trivy convert --format template \ --template "@/usr/local/share/trivy/templates/html.tpl" \ --output trivy-image-LOW-results.html trivy-image-LOW-results.json
You will also find the generated HTML reports under your build’s artifacts.
Conclusion By extracting the Trivy vulnerability scan into a shared library step, you:
Promote reuse and consistency across pipelines
Reduce duplication in Jenkinsfiles
Simplify maintenance when updating scan logic
For more details on Trivy and Jenkins integration, see:
