OPSWAT Announces FileScan.IO Asset Acquisition. Read More

MetaDefender Jenkins Plugin

Check your Jenkins builds for malware and secrets before releasing your application to the public. Powered by the full capabilities of the MetaDefender platform—including more than 30 leading anti-virus engines, Deep CDR, and Proactive DLP—the MetaDefender plugin for Jenkins will thoroughly scan your source code and artifacts for any threats. Get alerted to any potential issues and build-in automated fail-safes to prevent malware outbreaks and sensitive data leakage.

Instructions for integrating MetaDefender Jenkins Plugin

Step 1: Install the plugin

From the Jenkins web UI:

  • Go to Manage Jenkins > Manage Plugins
  • Click the Available tab
  • Search for MetaDefender > select MetaDefender
  • Click Install without restart. Make sure you check the box “Restart Jenkins when installation is complete and no jobs are running.

To confirm the plugin is installed:

  • Log in to Jenkins
  • Go to Manage Jenkins > Manage Plugins
  • Click the Installed tab > search for the MetaDefender Plugin.
Step 2: Retrieve MetaDefender Cloud API Key

Skip this step if you’re already using MetaDefender Core

Sign up for an account at https://portal.opswat.com and get your API key for free (see the limitations of the free user key at https://metadefender.opswat.com/licensing). You may upgrade your license or purchase an on-premises product for the exhaustive features and capabilities of the MetaDefender suite.

Step 3: Create a test project

On the left menu bar, click New Item and create your test project. Under Build, create a build step (e.g., Execute Windows batch command) to generate a small file.

Add "Scan with MetaDefender" as a build step or a post-build action or pipeline to your build configuration. Click Add build step select Scan with MetaDefender.


Fill in the configuration details:

  • API URL: MetaDefender Core or MetaDefender Cloud scan URL
  • ApiKey: MetaDefender API Key
  • Rule: Define which rules you wish to scan with MetaDefender
  • Private scan: Applicable for only paid users on MetaDefender Cloud
  • Folders/files to scan: To specify the folders or files to scan, you can define multiple items, separated by the pipe "|" (e.g. src|resources)
  • Exclude folder/files from scan: To specify folders or files to exclude from "source," you can define multiple items, separated by the pipe "|" (e.g. .git|.idea)
  • Scan timeout per file(s): Set your desired scan timeout for each file
  • Mark the build as 'failed' if a threat is found: The build will be marked as Failed if any issues are found
  • Create a log file: Create metadefender-plugin.log to troubleshoot issues


You can start testing by setting up Jenkins to pull the source code from a GitHub repo that has an EICAR test file (for example, https://github.com/fire1ce/eicar-standard-antivirus-test-files). For testing purpose, uncheck the box “Show Blocked scan results only” so that you can see the full results.

Step 4: Trigger the build and view the scan results

After setting up your project, run the build, then check the Console Output to view the scan results.

For pipeline testing, you can use the sample below to generate an EICAR file and scan. The build should fail at the "scan" stage because of a found threat.

Note: the script uses a static function, hudson.util.Secret.fromString, to convert string to secret, so you have to either approve the function or uncheck “Use Groovy Sandbox”.

pipeline { 
    agent any stages { 
        stage('build') { 
            steps { 
                bat 'echo X5O!P%%@AP[4\\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > eicar.txt' 
            } 
        } 
        stage('scan') { 
            steps { 
                script { 
                    withCredentials([string(credentialsId: 'MD_APIKEY', variable: 'md_apikey')]){ 
                        step([$class: 'ScanBuilder', scanURL: 'https://api.metadefender.com/v4/file', apiKey: hudson.util.Secret.fromString(md_apikey), rule: '',  
                        source: '', exclude: '', timeout: 600, isPrivateScan: false, isShowBlockedOnly: false,  
                        isAbortBuild: true])              
                    } 
                } 
            } 
        }		 
    } 
}

You can also view the scan results in MetaDefender Core:

Ready to start using MetaDefender Jenkins plugin?