Nctl works with the Jenkins CI pipeline and can be used in the Jenkins workflow to scan the configuration files present in a repository against the centrally defined policies. The Jenkins job will trigger the scanning of the files and if unsuccessful, the entire job will fail, which will prompt the user with feedback for their changes. Upon successful completion of the job, the scan results will be published to the NPM for viewing. NPM provides insights to platform administrators on overall governance of different code repositories in their organization.

Understanding the Jenkins Workflow

To see pipeline scanning with Jenkins CI in action:

  1. Create a Bitbucket or Git repository with some Docker, Kubernetes, and Terraform files. Refer to the official GitHub docs for creating a repository.

  2. Next, log into Jenkins with your credentials which will take you the dashboaerd page.

  3. After that, click on New Item located on the left hand top corner of the screen. It will initiate the creation of a Jenkins job.

  4. Enter the name of the job. Select Freestyle project from the list of options to choose from and click OK.


  1. Now that the job is created, it needs to be configured accordingly for the pipeline scanning to take place. To do so:
    a. Click on General and fill out Jira site with your organization’s Atlassian URL.
    b. After that, select Git as the Source Code Management and provide the repository details.
    c. Enter the URL of your repository and provide the credentials if its a private one. Leave credentials as none if it is a public repository.
    d. Next, mention the branch name where the scanning will take place. Type ./main if there is no other branches in the repository.
    e. Next, under Additional Behaviours, click Add and select Check out to specific local branch from the dropdown and type main under Branch Name.
    f. After this, scroll down to Build Steps and click on Add build step.
    g. Select Run Nctl Scan from the dropdown.
    g. Fill out the NCTL Binary Link field with the URL of the latest Nctl binary version to download. The required URL is available here.
    h. Now, check the box for Scan Only Repository which will help integrate NPM.
    i. Under API Key, add the API key that can be found in the profile section of the NPM tenant.
    j. Fill out Path to Policies files with the path to your policy files and Nirmata URL with the NPM URL (
    k. Finally, click Save to complete the job configuration.


  1. Next, click on Build Now on the left hand side navigation bar to run the job. This will trigger the pipeline scan and the process can be seen under Build History located on the left hand lower corner of the screen.


  1. Now, click on the build number under Build History to see details on the completion of the job. The status page will open by default where the information on the success or the failure of the job will be visible.
  2. Click on Console Output on the navigation bar to have a look at the scan results.


  1. Scroll down to the end of the page to verify the publishing of the report to the NPM tenant.

To have a look at the scan report in NPM:

  1. Log into the NPM and go to Policies>Policy Reports. The Policy Reports can be viewed based on Categories, Clusters, Namespaces, and Repositories.
  2. Navigate to the Repositories tab to find the scanned repository under the list of repositories.


  1. Click on the repository hyperlink to get a detailed view of the scanned report.