Jenkins Pipeline as Code Templates

Jenkins Pipeline as Code Templates

Jenkins is the tool everyone has opinions about but nobody wants to maintain. I have inherited Jenkins instances at three different enterprises where the Jenkinsfile was a 2,000-line scripted pipeline written by an engineer who left two years ago. No shared libraries, no parameterized stages, and plugins that had not been updated since 2021. When I rebuilt the Jenkins pipeline for a defense contractor's classified build system, the goal was simple: make it so reliable that the platform team does not get paged about CI anymore. This template achieves that.

This declarative Jenkinsfile uses shared libraries, parallel stages, and environment-specific deployment gates. It runs on Jenkins 2.440+ with the Pipeline, Docker, and Credentials plugins.

Pipeline Stages

• Checkout — checkout scm with CleanCheckout extension. Ensures a pristine workspace on every build. Shallow clone with depth: 1 for faster checkout on large repositories.
• Build — Runs inside a Docker agent (agent { docker { image 'node:20-alpine' } }) for reproducible builds. stash captures build artifacts for downstream stages.
• Test — parallel block runs unit, integration, and contract tests simultaneously. junit '**/test-results/*.xml' publishes results to the Jenkins test dashboard. Coverage via Cobertura plugin.
• Security Scan — SonarQube analysis via withSonarQubeEnv('sonar') plus waitForQualityGate. Trivy container scan. OWASP Dependency-Check for vulnerable libraries.
• Build Image — docker.build("app:${env.BUILD_NUMBER}") with multi-stage Dockerfile. Push to private registry with both build number and git SHA tags.
• Deploy Dev — Automatic on develop branch. Uses Jenkins credentials store for deployment keys. sshagent for remote deployment or withKubeConfig for Kubernetes.
• Deploy Staging — input message: 'Deploy to staging?' manual gate. Timeout after 24 hours. Runs smoke tests post-deployment.
• Deploy Prod — input gate with submitter: 'prod-approvers'. Blue-green deployment via load balancer switch. Health check validation before traffic cutover. Automatic rollback on health check failure.

Security Gates

• SonarQube Quality Gate — Blocks pipeline if code quality metrics drop below threshold: coverage, duplications, security hotspots, reliability rating.
• OWASP Dependency-Check — Scans project dependencies against NVD. Fails on CVSS score >= 7.0.
• Credentials management — All secrets stored in Jenkins Credentials store with withCredentials binding. No plaintext secrets in Jenkinsfile or job configuration.
• Trivy container scan — Post-build image scan. Critical vulnerabilities block the deployment stage.

What Breaks First

• Agent workspace disk exhaustion — Jenkins agents accumulate workspaces from old builds. Fix: configure "Discard Old Builds" to keep last 10 builds and add cleanWs() in post { always } block.
• Plugin version conflicts after update — Updating the Pipeline plugin breaks syntax that worked on the previous version. Fix: pin plugin versions in plugins.txt, test updates on a staging Jenkins instance first.
• Docker-in-Docker socket permission errors — Running Docker commands inside a Docker agent requires the socket mount. Fix: use -v /var/run/docker.sock:/var/run/docker.sock in the agent args, or use Kaniko for rootless builds.