The Finite State Analysis Jenkins Plugin provides multiple post-build actions for integrating with the Finite State platform. Each build step selects a Platform:
- Legacy Platform (Java CLT) — the default. Downloads and runs the Finite State Java CLT on the build agent, exactly as previous plugin versions did (requires Java on the agent). Use this if your organization is still on the legacy platform.
- 2026 Platform Release (REST API) — calls the Finite State public API (v0) directly over HTTPS. No CLT download and no Java required on the agent. Use this once your organization has been upgraded to the 2026 platform release.
Jobs saved before the Platform field existed default to Legacy Platform, so upgrading the plugin does not change their behavior. Select 2026 Platform Release to opt into the v0 REST API path.
This plugin gives you the ability to add Post Build actions and Pipeline steps for:
- Freestyle projects
- Multi-configuration projects
- Pipeline (Declarative and Scripted)
- Finite State Analyze Binary: Upload and analyze binary files (firmware images included — large files use the API's multipart upload automatically)
- Finite State Import SBOM: Import CycloneDX or SPDX SBOM files (format auto-detected)
- Finite State Import 3rd Party Scan: Import third-party scan results
- Per-step Platform selector: Legacy Platform (Java CLT, default) or 2026 Platform Release (public v0 REST API — no CLT download, no Java required on the agent)
- Secure credential management for API tokens
- Optionally waits for the scan to complete and sets the build result accordingly
- Logs the resolved project/version/scan IDs and a direct link to the results in the Finite State UI
To use this plugin, follow the following steps:
- Install the plugin in your Jenkins instance.
- Create or edit your
Freestyle projectorMulti-configuration project. - Click on the Add a Post-build Actions dropdown and select one of the Finite State options:
Finite State - Analyze BinaryFinite State - Import SBOMFinite State - Import 3rd Party Scan
- Generate an API Token: You need to generate an API token from your Finite State instance. Navigate to your Finite State domain (e.g., if your domain is
fs-yolo.finitestate.io, go to https://fs-yolo.finitestate.io/settings/api-tokens) and generate a new API token. This token will be used to authenticate with the Finite State platform. - Complete the fields following the below reference. For sensitive fields like
API Token, we use the credentials plugin, so be sure to create the text credential for this field and select the correct one on the dropdown. - In the Platform dropdown, choose Legacy Platform (Java CLT) (the default) if your organization is still on the legacy platform, or 2026 Platform Release (REST API) once your organization has been upgraded to the 2026 platform release. Leaving it at the default keeps existing jobs working unchanged after a plugin upgrade.
Uploads binary files to Finite State for comprehensive analysis.
| parameter | description | required | type | default |
|---|---|---|---|---|
| Platform | Which Finite State platform to target: Legacy Platform (Java CLT) (default) or 2026 Platform Release (REST API). In Pipeline set platform: 'legacy' or platform: '2026'. |
false |
dropdown |
Legacy Platform (Java CLT) |
| Subdomain | Your Finite State instance subdomain (e.g., "fs-yolo.dev.fstate.ninja") | true |
string |
|
| API Token Credentials | A Secret Text credentials ID containing your Finite State API token | true |
credential |
|
| Binary File Path | Path to the binary file to upload for analysis | true |
string |
|
| Project Name | Name of the project in Finite State | true |
string |
|
| Project Version | Version of the project (recommended for tracking) | false |
string |
|
| Scan Types | Enable one or more: Binary SCA, Binary SAST, Configuration Analysis, Reachability Analysis. If none are selected, SCA is used by default. | false |
checkboxes |
SCA and Reachability enabled; SAST/Config disabled |
| Wait for completion | Optional. When enabled, block the build until the scan reaches a terminal state and set the build result accordingly. When disabled (default), the build returns once the scan is submitted and you follow progress in the Finite State UI. | false |
boolean |
false |
| Poll timeout (minutes) | Maximum minutes to wait for completion when "Wait for completion" is enabled, before failing with the scan ID and a link | false |
integer |
30 |
Imports SBOM (Software Bill of Materials) files to Finite State for analysis.
| parameter | description | required | type | default |
|---|---|---|---|---|
| Platform | Which Finite State platform to target: Legacy Platform (Java CLT) (default) or 2026 Platform Release (REST API). In Pipeline set platform: 'legacy' or platform: '2026'. |
false |
dropdown |
Legacy Platform (Java CLT) |
| Subdomain | Your Finite State instance subdomain | true |
string |
|
| API Token Credentials | A Secret Text credentials ID containing your Finite State API token | true |
credential |
|
| SBOM File Path | Path to the SBOM file to import (CycloneDX or SPDX; format auto-detected) | true |
string |
|
| Project Name | Name of the project in Finite State | true |
string |
|
| Project Version | Version of the project | false |
string |
|
| Wait for completion | Optional. When enabled, block the build until the scan reaches a terminal state and set the build result accordingly. When disabled (default), the build returns once the scan is submitted and you follow progress in the Finite State UI. | false |
boolean |
false |
| Poll timeout (minutes) | Maximum minutes to wait for completion when "Wait for completion" is enabled, before failing with the scan ID and a link | false |
integer |
30 |
Imports third-party scan results to Finite State for analysis.
| parameter | description | required | type | default |
|---|---|---|---|---|
| Platform | Which Finite State platform to target: Legacy Platform (Java CLT) (default) or 2026 Platform Release (REST API). In Pipeline set platform: 'legacy' or platform: '2026'. |
false |
dropdown |
Legacy Platform (Java CLT) |
| Subdomain | Your Finite State instance subdomain | true |
string |
|
| API Token Credentials | A Secret Text credentials ID containing your Finite State API token | true |
credential |
|
| Scan File Path | Path to the scan results file | true |
string |
|
| Project Name | Name of the project in Finite State | true |
string |
|
| Scan Type | Type of third-party scanner (e.g., GitLab SAST, SonarQube, Snyk, etc.) | true |
dropdown |
|
| Project Version | Version of the project | false |
string |
|
| Wait for completion | Optional. When enabled, block the build until the scan reaches a terminal state and set the build result accordingly. When disabled (default), the build returns once the scan is submitted and you follow progress in the Finite State UI. | false |
boolean |
false |
| Poll timeout (minutes) | Maximum minutes to wait for completion when "Wait for completion" is enabled, before failing with the scan ID and a link | false |
integer |
30 |
- Add any of the Finite State post-build actions to your Jenkins job
- Configure the required fields for your chosen action
- Run the build
The plugin will:
- Resolve (or create) the project and version in Finite State by name — honoring the Pre-Release flag on version creation
- Upload the artifact directly to Finite State storage and trigger processing (binary analysis, SBOM import, or third-party import)
- Log the resolved project ID, version ID, scan ID(s), and a link to the results in the Finite State UI
- By default, return success once the scan is submitted — you follow progress in the Finite State UI (the same flow the CLT used). Optionally enable "Wait for completion" to block until the scan reaches a terminal state and fail the build on a scan error or timeout
2026 platform release: all calls go to your instance's public API at https://<subdomain>/api/public/v0, authenticated with the X-Authorization header using the API token from the selected credential. The flow per run is: resolve project → resolve/create version → upload + trigger the scan → poll status (optional). No CLT is downloaded and nothing is executed as a subprocess; the upload runs on the build agent so artifact bytes never transit the Jenkins controller.
Legacy platform (default): the plugin downloads the Java CLT from https://<subdomain>/api/config/clt and runs it on the build agent (java -jar …), passing credentials via the FINITE_STATE_AUTH_TOKEN/FINITE_STATE_DOMAIN environment variables — the same behavior as plugin versions ≤ 1.092.
Upload mechanics differ by type:
- Binary uploads directly to storage (single PUT, or multipart for large firmware), then starts the scan.
- SBOM and third-party scans use the API's single-shot upload: the file is sent to the API, which stores it server-side and triggers processing in one call. This keeps scanner output (which often contains attack-signature strings) off a direct client→storage request that a WAF could block. Limitation: single-shot uploads are bounded by the API's request-body limit (a few MB), which is ample for typical SBOM/scanner files.
You can use these steps directly in Pipelines. The step names are the Jenkins symbols shown below.
finiteStateAnalyzeBinaryfiniteStateImportSbomfiniteStateImportThirdParty
- Analyze Binary
pipeline {
agent any
stages {
stage('Finite State Binary Analysis') {
steps {
finiteStateAnalyzeBinary(
platform: 'legacy', // 'legacy' = Legacy Platform (Java CLT, default); '2026' = 2026 Platform Release (REST API)
subdomain: 'fs-your-subdomain.finitestate.io',
apiTokenCredentialsId: 'your-jenkins-string-credentials-id',
binaryFilePath: 'build/firmware.bin',
projectName: 'My Project',
projectVersion: '1.2.3',
scaEnabled: true,
sastEnabled: false,
configEnabled: false,
reachabilityEnabled: true,
externalizableId: false,
preRelease: false,
waitForCompletion: false,
pollTimeoutMinutes: 30
)
}
}
}
}
- Import SBOM
pipeline {
agent any
stages {
stage('Finite State Import SBOM') {
steps {
finiteStateImportSbom(
platform: 'legacy', // 'legacy' = Legacy Platform (Java CLT, default); '2026' = 2026 Platform Release (REST API)
subdomain: 'fs-your-subdomain.finitestate.io',
apiTokenCredentialsId: 'your-jenkins-string-credentials-id',
sbomFilePath: 'sbom/cyclonedx.json',
projectName: 'My Project',
projectVersion: '1.2.3',
externalizableId: false,
preRelease: false,
waitForCompletion: false,
pollTimeoutMinutes: 30
)
}
}
}
}
- Import 3rd Party Scan
pipeline {
agent any
stages {
stage('Finite State Import 3rd Party Scan') {
steps {
finiteStateImportThirdParty(
platform: 'legacy', // 'legacy' = Legacy Platform (Java CLT, default); '2026' = 2026 Platform Release (REST API)
subdomain: 'fs-your-subdomain.finitestate.io',
apiTokenCredentialsId: 'your-jenkins-string-credentials-id',
scanFilePath: 'reports/sonarqube.json',
scanType: 'sonarqube_scan',
projectName: 'My Project',
projectVersion: '1.2.3',
externalizableId: false,
preRelease: false,
waitForCompletion: false,
pollTimeoutMinutes: 30
)
}
}
}
}
Notes:
-
platformselects the transport and defaults to'legacy'(Java CLT). Setplatform: '2026'to use the public v0 REST API. It applies to all three steps, e.g.finiteStateAnalyzeBinary(platform: '2026', subdomain: '…', apiTokenCredentialsId: '…', …). -
Use
apiTokenCredentialsId(the ID of a Secret Text credential containing your Finite State API token). -
If you set
externalizableId: true, the step will use the Jenkins Run Externalizable ID as the project version. IfexternalizableIdisfalse,projectVersionis required (the build fails with a clear message if both are empty). -
waitForCompletion(defaultfalse) returns as soon as the scan is submitted, logging the scan ID and UI link so you can follow progress in the Finite State UI. Set it totrueto block until the scan reaches a terminal state and set the build result accordingly;pollTimeoutMinutes(default30) bounds that wait. These optional fields apply to all three steps. -
For the
scanTypefield in thefiniteStateImportThirdPartystep, you must select one of the supported scan types from the list in section Third-Party scanType values (exact identifiers) below. The value you provide should match exactly one of the identifiers in the "Third-Party scanType values" table. This ensures your scan is properly recognized and processed by the Finite State platform.
-
These options are presented in the UI as four checkboxes:
Binary SCA,Binary SAST,Configuration Analysis, andReachability Analysis. -
At runtime the plugin maps the checkboxes onto the API's binary scan configuration:
Checkbox API BinaryScanConfigfieldBinary SCA (always-on — see limitation below) Configuration Analysis configurationAnalysisReachability Analysis (requires SCA) vulnerabilityAnalysisBinary SAST binarySast -
SCA: Binary Software Composition Analysis. Limitation: the API always runs the binary SCA pass, so unchecking this box does not disable it; the checkbox is retained for configuration parity with earlier versions.
-
SAST: Binary Static Application Security Testing
-
Configuration Analysis: Configuration and security analysis
-
Reachability Analysis: Performs reachability analysis on identified vulnerabilities (enabled by default, requires Binary SCA)
The plugin supports a comprehensive list of third-party scanning tools including:
Popular Tools:
- GitLab SAST/DAST/Container Scan: GitLab's built-in security scanning
- SonarQube: Code quality and security analysis
- Snyk: Vulnerability scanning for dependencies and containers
- Trivy: Container and infrastructure vulnerability scanner
- Semgrep: Static analysis for security and bugs
- Bandit: Python security linter
- Gosec: Go security linter
- ESLint: JavaScript/TypeScript linting with security rules
Cloud Security:
- AWS Prowler: AWS security assessment
- AWS Security Hub: AWS security findings
- Azure Security Center: Azure security recommendations
- Checkov: Infrastructure as Code security scanning
Container Security:
- Clair: Container vulnerability scanning
- Anchore: Container image analysis
- Twistlock: Container security platform
Dependency Scanning:
- Dependency Check: OWASP dependency vulnerability scanner
- Retire.js: JavaScript library vulnerability scanner
- NPM Audit: Node.js package vulnerability scanning
- Yarn Audit: Yarn package vulnerability scanning
And many more... including Acunetix, Burp Suite, Checkmarx, Fortify, Qualys, Tenable, Veracode, ZAP, and over 100 other supported tools.
For the complete list of supported tools and their expected file formats, refer to the dropdown in the Jenkins configuration.
Use these values for the scanType field in Pipelines (e.g., scanType: 'sonarqube_scan'). The left column is the UI label; the right column is the exact scanType identifier accepted by the step.
| Tool | scanType |
|---|---|
| Acunetix360 Scan | acunetix360_scan |
| Acunetix Scan | acunetix_scan |
| Anchore Engine Scan | anchore_engine_scan |
| Anchore Enterprise Policy Check | anchore_enterprise_policy_check |
| Anchore Grype | anchore_grype |
| AnchoreCTL Policies Report | anchorectl_policies_report |
| AnchoreCTL Vuln Report | anchorectl_vuln_report |
| AppSpider Scan | appspider_scan |
| Aqua Scan | aqua_scan |
| Arachni Scan | arachni_scan |
| AuditJS Scan | auditjs_scan |
| AWS Prowler Scan | aws_prowler_scan |
| AWS Prowler V3 | aws_prowler_v3 |
| AWS Scout2 Scan | aws_scout2_scan |
| AWS Security Finding Format (ASFF) Scan | aws_security_finding_format_asff_scan |
| AWS Security Hub Scan | aws_security_hub_scan |
| Azure Security Center Recommendations Scan | azure_security_center_recommendations_scan |
| Bandit Scan | bandit_scan |
| BlackDuck API | blackduck_api |
| Blackduck Component Risk | blackduck_component_risk |
| Blackduck Hub Scan | blackduck_hub_scan |
| Brakeman Scan | brakeman_scan |
| Bugcrowd API Import | bugcrowd_api_import |
| BugCrowd Scan | bugcrowd_scan |
| Bundler-Audit Scan | bundler_audit_scan |
| Burp Enterprise Scan | burp_enterprise_scan |
| Burp GraphQL API | burp_graphql_api |
| Burp REST API | burp_rest_api |
| Burp Scan | burp_scan |
| CargoAudit Scan | cargoaudit_scan |
| Checkmarx One Scan | checkmarx_one_scan |
| Checkmarx OSA | checkmarx_osa |
| Checkmarx Scan | checkmarx_scan |
| Checkmarx Scan detailed | checkmarx_scan_detailed |
| Checkov Scan | checkov_scan |
| Clair Klar Scan | clair_klar_scan |
| Clair Scan | clair_scan |
| Cloudsploit Scan | cloudsploit_scan |
| Cobalt.io API Import | cobalt_io_api_import |
| Cobalt.io Scan | cobalt_io_scan |
| Codechecker Report native | codechecker_report_native |
| Contrast Scan | contrast_scan |
| Coverity API | coverity_api |
| Crashtest Security JSON File | crashtest_security_json_file |
| Crashtest Security XML File | crashtest_security_xml_file |
| CredScan Scan | credscan_scan |
| CycloneDX | cyclonedx |
| DawnScanner Scan | dawnscanner_scan |
| Dependency Check Scan | dependency_check_scan |
| Dependency Track Finding Packaging Format (FPF) Export | dependency_track_finding_packaging_format_fpf_export |
| Detect-secrets Scan | detect_secrets_scan |
| docker-bench-security Scan | docker_bench_security_scan |
| Dockle Scan | dockle_scan |
| DrHeader JSON Importer | drheader_json_importer |
| DSOP Scan | dsop_scan |
| Edgescan Scan | edgescan_scan |
| ESLint Scan | eslint_scan |
| Fortify Scan | fortify_scan |
| Generic Findings Import | generic_findings_import |
| Ggshield Scan | ggshield_scan |
| Github Vulnerability Scan | github_vulnerability_scan |
| GitLab API Fuzzing Report Scan | gitlab_api_fuzzing_report_scan |
| GitLab Container Scan | gitlab_container_scan |
| GitLab DAST Report | gitlab_dast_report |
| GitLab Dependency Scanning Report | gitlab_dependency_scanning_report |
| GitLab SAST Report | gitlab_sast_report |
| GitLab Secret Detection Report | gitlab_secret_detection_report |
| Gitleaks Scan | gitleaks_scan |
| Gosec Scanner | gosec_scanner |
| Govulncheck Scanner | govulncheck_scanner |
| HackerOne Cases | hackerone_cases |
| Hadolint Dockerfile check | hadolint_dockerfile_check |
| Harbor Vulnerability Scan | harbor_vulnerability_scan |
| Horusec Scan | horusec_scan |
| HuskyCI Report | huskyci_report |
| Hydra Scan | hydra_scan |
| IBM DAST | ibm_appscan_dast |
| Immuniweb Scan | immuniweb_scan |
| IntSights Report | intsights_report |
| JFrog Xray API | jfrog_xray_api_summary_artifact_scan |
| JFrog Xray Scan | jfrog_xray_scan |
| JFrog Xray Unified Scan | jfrog_xray_unified_scan |
| KICS Scan | kics_scan |
| Kiuwan Scan | kiuwan_scan |
| Kube Bench Scan | kube_bench_scan |
| Logic Bomb | logic_bomb |
| Meterian Scan | meterian_scan |
| Microfocus WebInspect Scan | microfocus_webinspect_scan |
| MobSF Scan | mobsf_scan |
| Mobsfscan Scan | mobsfscan_scan |
| Mozilla Observatory Scan | mozilla_observatory_scan |
| Netsparker Scan | netsparker_scan |
| NeuVector (compliance) | neuvector_compliance |
| NeuVector (REST) | neuvector_rest |
| Nexpose Scan | nexpose_scan |
| Nikto Scan | nikto_scan |
| Nmap Scan | nmap_scan |
| Node Security Platform Scan | node_security_platform_scan |
| NPM Audit Scan | npm_audit_scan |
| Nuclei Scan | nuclei_scan |
| Openscap Vulnerability Scan | openscap_vulnerability_scan |
| OpenVAS CSV | openvas_csv |
| ORT evaluated model Importer | ort_evaluated_model_importer |
| OssIndex Devaudit SCA Scan Importer | ossindex_devaudit_sca_scan_importer |
| Outpost24 Scan | outpost24_scan |
| PHP Security Audit v2 | php_security_audit_v2 |
| PHP Symfony Security Check | php_symfony_security_check |
| pip-audit Scan | pip_audit_scan |
| PMD Scan | pmd_scan |
| Popeye Scan | popeye_scan |
| PWN SAST | pwn_sast |
| Qualys Infrastructure Scan (WebGUI XML) | qualys_infrastructure_scan_webgui_xml |
| Qualys Scan | qualys_scan |
| Qualys Webapp Scan | qualys_webapp_scan |
| Retire.js Scan | retire_js_scan |
| Rubocop Scan | rubocop_scan |
| Rusty Hog Scan | rusty_hog_scan |
| SARIF | sarif |
| Scantist Scan | scantist_scan |
| Scout Suite Scan | scout_suite_scan |
| Semgrep JSON Report | semgrep_json_report |
| SKF Scan | skf_scan |
| Snyk Scan | snyk_scan |
| Solar Appscreener Scan | solar_appscreener_scan |
| SonarQube Cloud Scan | sonarqube_cloud_scan |
| SonarQube Scan | sonarqube_scan |
| SonarQube Scan detailed | sonarqube_scan_detailed |
| Sonatype Application Scan | sonatype_application_scan |
| SPDX | spdx |
| SpotBugs Scan | spotbugs_scan |
| SSL Labs Scan | ssl_labs_scan |
| Sslscan | sslscan |
| SSLyze Scan (JSON) | sslyze_scan_json |
| Sslyze Scan | sslyze_scan |
| StackHawk HawkScan | stackhawk_hawkscan |
| Talisman Scan | talisman_scan |
| Tenable Scan | tenable_scan |
| Terrascan Scan | terrascan_scan |
| Testssl Scan | testssl_scan |
| TFSec Scan | tfsec_scan |
| Trivy Operator Scan | trivy_operator_scan |
| Trivy Scan | trivy_scan |
| Trufflehog3 Scan | trufflehog3_scan |
| Trufflehog Scan | trufflehog_scan |
| Trustwave Fusion API Scan | trustwave_fusion_api_scan |
| Trustwave Scan (CSV) | trustwave_scan_csv |
| Twistlock Image Scan | twistlock_image_scan |
| VCG Scan | vcg_scan |
| Veracode Scan | veracode_scan |
| Veracode SourceClear Scan | veracode_sourceclear_scan |
| Vulners | vulners |
| Wapiti Scan | wapiti_scan |
| Wazuh | wazuh |
| WFuzz JSON report | wfuzz_json_report |
| Whispers Scan | whispers_scan |
| WhiteHat Sentinel | whitehat_sentinel |
| Whitesource Scan | whitesource_scan |
| Wpscan | wpscan |
| Xanitizer Scan | xanitizer_scan |
| Yarn Audit Scan | yarn_audit_scan |
| ZAP Scan | zap_scan |
- Jenkins 2.479.3 or later
- Network access from the Jenkins controller and agents to your Finite State instance (
https://<subdomain>) - A Finite State API token with permission to read/create projects and versions, create scans, and read scan status
- API tokens are stored securely using Jenkins credentials and read only at execution time — never written to job config, build XML, or the console
- All API calls use HTTPS with the
X-Authorizationheader; artifact uploads use short-lived presigned URLs - No sensitive data is logged in the build output
Report issues and enhancements in the Github issue tracker.
Refer to our contribution guidelines
Licensed under MIT, see LICENSE
Please follow the steps described in the Developer Guide
