Secure Your Build from Source Code to Artifacts

Source code forms the fundamental building blocks of any application or software product. It is the backbone of any technology-centric organization. Source code houses proprietary information about your company’s intellectual properties and safeguards the data that keeps your company running.

Integrating third-party open-source components makes it easy for software teams to utilize the code that is already available, without having to develop from scratch. Unfortunately, the downside of such convenience involves risks that target third-party vendors, causing supply chain attacks. During a supply chain attack, cybercriminals can insert malware into third-party code or build systems, therefore delivering malware to the organization and its associated customers.

In this blog, I will demonstrate how to prevent malware in source code using the MetaDefender Jenkins plugin.

Secure Builds with MetaDefender Plugin for Jenkins

The MetaDefender for Jenkins plugin scans Jenkins builds for malware and checks your source code and artifacts for threats. Advanced malware can easily bypass one single antivirus (AV) engine, putting source code at risk. False positive in malware detection is also a common side-effect in most AV solutions leading to wasted remediation efforts, time, and resources. MetaDefender for Jenkins utilizes Metascan—a multiscanning technology—to increase detection rates and decrease outbreak detection times for your software builds.

Here are two scenarios showing how malware can infiltrate: in the source code and during the build process.

Scenario 1: Malware in Source Code

The source code in this case can be your own source code (from a developer’s compromised machine) or from a third-party library. In the first scenario, I wanted to check a third-party library repository in GitHub. To make sure the repository is threat-free, I added a build step to scan with the MetaDefender plugin for Jenkins.


I also wanted the build to return as “failed” if there were any threats in the source code.

After attempting to run the build, the result was marked “failed” because of the infected files caught by the MetaDefender Jenkins plugin. 


Scenario 2: Malware Introduced in the Build Process

If you think that scanning your repository is enough to protect your source code, it may not always be true. Some malware doesn’t exist in the original source code repository but can get introduced when you download components such as dependencies or libraries. In this second video, I demonstrated an example of the second scenario and how to prevent it using the MetaDefender Jenkins plugin.

As you can see, no issues were found after I scanned the source code in the first run.


After that, I added a new build step to the process using a build.bat file and started the build again.


For demonstration purposes, I used npm to download an EICAR test package to simulate the action of installing malware in a real-life scenario. In this case, while there weren’t any threats in the original source code, the malicious npm package has occurred in the script during the build. The MetaDefender Jenkins plugin detected the threat, marking the build as failed.


The detailed scan results are shown in MetaDefender Core.


About OPSWAT MetaDefender for Jenkins

OPSWAT MetaDefender for Jenkins checks your builds for malware and secrets before releasing your application to the public. Powered by the full capabilities of the MetaDefender platform—including more than 30 leading anti-virus engines, Deep CDR, and Proactive DLP—the MetaDefender plugin for Jenkins will thoroughly scan your source code and artifacts for any threats. You will be informed of potential issues via built-in fail-safes that help prevent malware outbreaks and sensitive data leakage. Learn more about MetaDefender for Jenkins and other OPSWAT free tools.

For more information, please contact our cybersecurity experts.

Sign up for Blog updates!
Get information and insight from the leader in advanced threat prevention.