feat(jenkins): add Jenkins platform scanner and CLI (#577)

* feat(jenkins): add Jenkins platform scanner and CLI

Author: frjcomp

cmd/pipeleek-jenkins/main.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"github.com/CompassSecurity/pipeleek/internal/cmd/common"
+	"github.com/CompassSecurity/pipeleek/internal/cmd/jenkins"
+	"github.com/spf13/cobra"
+)
+
+func main() {
+	common.Run(newRootCmd())
+}
+
+func newRootCmd() *cobra.Command {
+	jenkinsCmd := jenkins.NewJenkinsRootCmd()
+	jenkinsCmd.Use = "pipeleek-jenkins"
+	jenkinsCmd.Short = "Scan Jenkins logs and artifacts for secrets"
+	jenkinsCmd.Long = `Pipeleek-Jenkins scans Jenkins logs and artifacts to detect leaked secrets and pivot from them.`
+	jenkinsCmd.Version = common.Version
+	jenkinsCmd.GroupID = ""
+
+	common.SetupPersistentPreRun(jenkinsCmd)
+	common.AddCommonFlags(jenkinsCmd)
+
+	jenkinsCmd.SetVersionTemplate(`{{.Version}}
+`)
+
+	return jenkinsCmd
+}

docs/introduction/configuration.md

@@ -116,7 +116,7 @@ gitlab:
 
   scan:
     threads: 10 # gl scan --threads (can override common.threads)
-  
+
   tf:
     output_dir: ./terraform-states # gl tf --output-dir
     threads: 4 # gl tf --threads (can override common.threads)
@@ -186,6 +186,20 @@ gitea:
     repo: myrepo # gitea scan --repo (optional, scans all if not specified)
 ```
 
+### Jenkins
+
+```yaml
+jenkins:
+  url: https://jenkins.example.com
+  username: admin
+  token: jenkins-api-token
+
+  scan:
+    folder: team-a # jenkins scan --folder (optional)
+    job: team-a/service-a # jenkins scan --job (optional)
+    max_builds: 25 # jenkins scan --max-builds
+```
+
 ### Common Settings
 
 Scan commands inherit from `common`:

go.mod

@@ -6,6 +6,7 @@ require (
 	atomicgo.dev/keyboard v0.2.9
 	code.gitea.io/sdk/gitea v0.24.1
 	github.com/PuerkitoBio/goquery v1.12.0
+	github.com/bndr/gojenkins v1.2.0
 	github.com/docker/go-units v0.5.0
 	github.com/go-git/go-git/v5 v5.17.1
 	github.com/gofri/go-github-ratelimit/v2 v2.0.2

go.sum

@@ -104,6 +104,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=
 github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bndr/gojenkins v1.2.0 h1:iomz/HKK5HlmQ1a65Qc3ejd6i1z6MtcyI85GZYetMxI=
+github.com/bndr/gojenkins v1.2.0/go.mod h1:Mzk6d2aV+fzE3UIEIohi59Lh20cfRiWdFztx/AQbizM=
 github.com/bodgit/plumbing v1.3.0 h1:pf9Itz1JOQgn7vEOE7v7nlEfBykYqvUYioC61TwWCFU=
 github.com/bodgit/plumbing v1.3.0/go.mod h1:JOTb4XiRu5xfnmdnDJo6GmSbSbtSyufrsyZFByMtKEs=
 github.com/bodgit/sevenzip v1.6.1 h1:kikg2pUMYC9ljU7W9SaqHXhym5HyKm8/M/jd31fYan4=

goreleaser.yaml

@@ -127,6 +127,27 @@ builds:
       - -X github.com/CompassSecurity/pipeleek/internal/cmd/common.Version={{.Version}}
       - -X github.com/CompassSecurity/pipeleek/internal/cmd/common.Commit={{.Commit}}
       - -X github.com/CompassSecurity/pipeleek/internal/cmd/common.Date={{.Date}}
+  - id: "pipeleek-jenkins"
+    skip: "{{ .IsSnapshot }}"
+    main: ./cmd/pipeleek-jenkins
+    binary: pipeleek-jenkins
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+      - -buildid=
+      - -X github.com/CompassSecurity/pipeleek/internal/cmd/common.Version={{.Version}}
+      - -X github.com/CompassSecurity/pipeleek/internal/cmd/common.Commit={{.Commit}}
+      - -X github.com/CompassSecurity/pipeleek/internal/cmd/common.Date={{.Date}}
 
 archives:
   - formats: binary

internal/cmd/flags/common.go

@@ -29,6 +29,15 @@ func AddCommonScanFlags(cmd *cobra.Command, opts *config.CommonScanOptions, maxA
 	cmd.Flags().BoolVarP(&opts.Owned, "owned", "o", false, "Scan only user owned repositories")
 }
 
+// AddCommonScanFlagsNoOwned adds standard scan flags including artifacts but excluding the
+// --owned flag, for platforms that have no concept of job/repository ownership (e.g. Jenkins).
+func AddCommonScanFlagsNoOwned(cmd *cobra.Command, opts *config.CommonScanOptions, maxArtifactSize *string) {
+	addBaseScanFlags(cmd, opts)
+	cmd.Flags().BoolVarP(&opts.Artifacts, "artifacts", "a", false, "Scan artifacts")
+	cmd.Flags().StringVarP(maxArtifactSize, "max-artifact-size", "", "500Mb",
+		"Maximum artifact size to scan. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize")
+}
+
 // AddCommonScanFlagsNoArtifacts adds standard scan flags excluding artifact and ownership filters.
 func AddCommonScanFlagsNoArtifacts(cmd *cobra.Command, opts *config.CommonScanOptions) {
 	addBaseScanFlags(cmd, opts)

internal/cmd/jenkins/jenkins.go

@@ -0,0 +1,18 @@
+package jenkins
+
+import (
+	"github.com/CompassSecurity/pipeleek/internal/cmd/jenkins/scan"
+	"github.com/spf13/cobra"
+)
+
+func NewJenkinsRootCmd() *cobra.Command {
+	jenkinsCmd := &cobra.Command{
+		Use:     "jenkins [command]",
+		Short:   "Jenkins related commands",
+		GroupID: "Jenkins",
+	}
+
+	jenkinsCmd.AddCommand(scan.NewScanCmd())
+
+	return jenkinsCmd
+}

internal/cmd/jenkins/scan/scan.go

@@ -0,0 +1,131 @@
+package scan
+
+import (
+	"github.com/CompassSecurity/pipeleek/internal/cmd/flags"
+	"github.com/CompassSecurity/pipeleek/pkg/config"
+	jenkinsscan "github.com/CompassSecurity/pipeleek/pkg/jenkins/scan"
+	"github.com/CompassSecurity/pipeleek/pkg/logging"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+type JenkinsScanOptions struct {
+	config.CommonScanOptions
+	JenkinsURL string
+	Username   string
+	Token      string
+	Folder     string
+	Job        string
+	MaxBuilds  int
+}
+
+var options = JenkinsScanOptions{
+	CommonScanOptions: config.DefaultCommonScanOptions(),
+}
+
+var maxArtifactSize string
+
+func NewScanCmd() *cobra.Command {
+	scanCmd := &cobra.Command{
+		Use:   "scan",
+		Short: "Scan Jenkins jobs",
+		Long:  `Scan Jenkins job logs, artifacts, job definitions, and exposed environment variables for secrets.`,
+		Example: `
+# Scan all accessible jobs on the Jenkins instance
+pipeleek jenkins scan --jenkins https://jenkins.example.com --username admin --token token_value
+
+# Scan only a folder recursively
+pipeleek jenkins scan --jenkins https://jenkins.example.com --username admin --token token_value --folder team-a
+
+# Scan one specific job path
+pipeleek jenkins scan --jenkins https://jenkins.example.com --username admin --token token_value --job team-a/service-a
+
+# Limit builds per job and include artifacts
+pipeleek jenkins scan --jenkins https://jenkins.example.com --username admin --token token_value --max-builds 20 --artifacts
+		`,
+		Run: Scan,
+	}
+
+	flags.AddCommonScanFlagsNoOwned(scanCmd, &options.CommonScanOptions, &maxArtifactSize)
+	scanCmd.Flags().StringVarP(&options.JenkinsURL, "jenkins", "j", "", "Jenkins base URL")
+	scanCmd.Flags().StringVarP(&options.Username, "username", "u", "", "Jenkins username")
+	scanCmd.Flags().StringVarP(&options.Token, "token", "t", "", "Jenkins API token")
+	scanCmd.Flags().StringVarP(&options.Folder, "folder", "f", "", "Jenkins folder path to scan recursively (e.g. team-a/platform)")
+	scanCmd.Flags().StringVarP(&options.Job, "job", "", "", "Specific Jenkins job path to scan (e.g. team-a/service-a)")
+	scanCmd.Flags().IntVarP(&options.MaxBuilds, "max-builds", "", 25, "Maximum builds to scan per job (0 = all builds)")
+	scanCmd.MarkFlagsMutuallyExclusive("folder", "job")
+
+	return scanCmd
+}
+
+func Scan(cmd *cobra.Command, args []string) {
+	if err := config.AutoBindFlags(cmd, map[string]string{
+		"jenkins":                  "jenkins.url",
+		"username":                 "jenkins.username",
+		"token":                    "jenkins.token",
+		"folder":                   "jenkins.scan.folder",
+		"job":                      "jenkins.scan.job",
+		"max-builds":               "jenkins.scan.max_builds",
+		"threads":                  "common.threads",
+		"truffle-hog-verification": "common.trufflehog_verification",
+		"max-artifact-size":        "common.max_artifact_size",
+		"confidence":               "common.confidence_filter",
+		"hit-timeout":              "common.hit_timeout",
+	}); err != nil {
+		log.Fatal().Err(err).Msg("Failed to bind command flags to configuration keys")
+	}
+
+	if err := config.RequireConfigKeys("jenkins.url", "jenkins.username", "jenkins.token"); err != nil {
+		log.Fatal().Err(err).Msg("required configuration missing")
+	}
+
+	options.JenkinsURL = config.GetString("jenkins.url")
+	options.Username = config.GetString("jenkins.username")
+	options.Token = config.GetString("jenkins.token")
+	options.Folder = config.GetString("jenkins.scan.folder")
+	options.Job = config.GetString("jenkins.scan.job")
+	options.MaxBuilds = config.GetInt("jenkins.scan.max_builds")
+	options.MaxScanGoRoutines = config.GetInt("common.threads")
+	options.TruffleHogVerification = config.GetBool("common.trufflehog_verification")
+	maxArtifactSize = config.GetString("common.max_artifact_size")
+	options.ConfidenceFilter = config.GetStringSlice("common.confidence_filter")
+
+	if err := config.ValidateURL(options.JenkinsURL, "Jenkins URL"); err != nil {
+		log.Fatal().Err(err).Msg("Invalid Jenkins URL")
+	}
+	if err := config.ValidateToken(options.Username, "Jenkins Username"); err != nil {
+		log.Fatal().Err(err).Msg("Invalid Jenkins Username")
+	}
+	if err := config.ValidateToken(options.Token, "Jenkins API Token"); err != nil {
+		log.Fatal().Err(err).Msg("Invalid Jenkins API Token")
+	}
+	if err := config.ValidateThreadCount(options.MaxScanGoRoutines); err != nil {
+		log.Fatal().Err(err).Msg("Invalid thread count")
+	}
+
+	scanOpts, err := jenkinsscan.InitializeOptions(
+		options.Username,
+		options.Token,
+		options.JenkinsURL,
+		options.Folder,
+		options.Job,
+		maxArtifactSize,
+		options.Artifacts,
+		options.TruffleHogVerification,
+		options.MaxBuilds,
+		options.MaxScanGoRoutines,
+		options.ConfidenceFilter,
+		options.HitTimeout,
+	)
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed initializing scan options")
+	}
+
+	scanner := jenkinsscan.NewScanner(scanOpts)
+	logging.RegisterStatusHook(func() *zerolog.Event { return scanner.Status() })
+
+	if err := scanner.Scan(); err != nil {
+		log.Fatal().Err(err).Msg("Scan failed")
+	}
+}

internal/cmd/jenkins/scan/scan_test.go

@@ -0,0 +1,64 @@
+package scan
+
+import (
+	"testing"
+
+	"github.com/CompassSecurity/pipeleek/pkg/config"
+)
+
+func TestNewScanCmd(t *testing.T) {
+	cmd := NewScanCmd()
+	if cmd == nil {
+		t.Fatal("expected non-nil command")
+	}
+
+	if cmd.Use != "scan" {
+		t.Fatalf("expected use 'scan', got %q", cmd.Use)
+	}
+
+	flags := cmd.Flags()
+	for _, name := range []string{
+		"jenkins",
+		"username",
+		"token",
+		"folder",
+		"job",
+		"max-builds",
+		"threads",
+		"truffle-hog-verification",
+		"confidence",
+		"artifacts",
+		"max-artifact-size",
+	} {
+		if flags.Lookup(name) == nil {
+			t.Errorf("expected flag %q to exist", name)
+		}
+	}
+}
+
+func TestJenkinsScanOptions(t *testing.T) {
+	opts := JenkinsScanOptions{
+		CommonScanOptions: config.CommonScanOptions{
+			ConfidenceFilter:       []string{"high"},
+			MaxScanGoRoutines:      5,
+			TruffleHogVerification: true,
+			Artifacts:              true,
+		},
+		JenkinsURL: "https://jenkins.example.com",
+		Username:   "admin",
+		Token:      "apitoken",
+		Folder:     "team-a",
+		Job:        "",
+		MaxBuilds:  10,
+	}
+
+	if opts.JenkinsURL == "" || opts.Username == "" || opts.Token == "" {
+		t.Fatal("expected required Jenkins fields to be populated")
+	}
+	if opts.MaxBuilds != 10 {
+		t.Fatalf("expected MaxBuilds=10, got %d", opts.MaxBuilds)
+	}
+	if len(opts.ConfidenceFilter) != 1 || opts.ConfidenceFilter[0] != "high" {
+		t.Fatalf("unexpected confidence filter: %#v", opts.ConfidenceFilter)
+	}
+}

internal/cmd/root.go

@@ -13,6 +13,7 @@ import (
 	"github.com/CompassSecurity/pipeleek/internal/cmd/gitea"
 	"github.com/CompassSecurity/pipeleek/internal/cmd/github"
 	"github.com/CompassSecurity/pipeleek/internal/cmd/gitlab"
+	"github.com/CompassSecurity/pipeleek/internal/cmd/jenkins"
 	"github.com/CompassSecurity/pipeleek/pkg/config"
 	"github.com/CompassSecurity/pipeleek/pkg/format"
 	"github.com/CompassSecurity/pipeleek/pkg/httpclient"
@@ -74,6 +75,7 @@ func init() {
 	rootCmd.AddCommand(bitbucket.NewBitBucketRootCmd())
 	rootCmd.AddCommand(devops.NewAzureDevOpsRootCmd())
 	rootCmd.AddCommand(gitea.NewGiteaRootCmd())
+	rootCmd.AddCommand(jenkins.NewJenkinsRootCmd())
 	rootCmd.AddCommand(docs.NewDocsCmd(rootCmd))
 	rootCmd.PersistentFlags().StringVar(&ConfigFile, "config", "", "Config file path. Example: ~/.config/pipeleek/pipeleek.yaml")
 	rootCmd.PersistentFlags().BoolVarP(&JsonLogoutput, "json", "", false, "Use JSON as log output format")
@@ -93,6 +95,7 @@ func init() {
 	rootCmd.AddGroup(&cobra.Group{ID: "BitBucket", Title: "BitBucket Commands"})
 	rootCmd.AddGroup(&cobra.Group{ID: "AzureDevOps", Title: "Azure DevOps Commands"})
 	rootCmd.AddGroup(&cobra.Group{ID: "Gitea", Title: "Gitea Commands"})
+	rootCmd.AddGroup(&cobra.Group{ID: "Jenkins", Title: "Jenkins Commands"})
 }
 
 type CustomWriter struct {