Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
BuildJenkins Security

Jenkins already runs your builds. Now it secures them too.

O3's Jenkins plugin adds reachability-aware security scanning to any pipeline — freestyle, declarative, or scripted. No agents to manage. No extra infrastructure.

Pipeline Integration

Your Jenkinsfile. O3's security gates.

Add a single stage to any existing Jenkinsfile. O3 fits between build and deploy, blocks on confirmed threats, and works with freestyle, declarative, and scripted pipelines.

Jenkinsfile
pipeline {  agent any   stages {    stage('Build') {      steps {        sh 'mvn clean package'      }    }     stage('O3 Security Scan') {      steps {        o3Scan(          apiKey: credentials('O3_API_KEY'),          failOn: 'critical',          slsaProvenance: true        )      }    }     stage('Deploy') {      when {        expression { currentBuild.result == null }      }      steps { sh './deploy.sh' }    }  }}
Build Provenance

Cryptographic proof of what built your artifact.

O3 generates SLSA Level 3 provenance for every build — signed records that prove who built what, from which source, on which runner. Tamper-evident by design.

SLSA L3 Provenance · Build #1,043Verified ✓
builder:jenkins.internal/runner-04
source:github.com/acme/api@main
commit:a4d7f2e9c1b83f5d
digest:sha256:9c32b1a4f8e6d0...
timestamp:2026-05-26T14:22:01Z
signature:✓ cosign verified
Verification chain
Build
Sign
Upload
Verify
Artifact Integrity

Nothing tampered between pipeline stages.

O3 records cryptographic hashes of build artifacts at each stage transition. Any unexpected modification between build and deploy is detected and flagged before promotion.

Artifact Integrity CheckAll Clear
Build
artifact hash
sha256:3f8a2c1d...
Verified
hash match
Test
artifact hash
sha256:3f8a2c1d...
Verified
hash match
Deploy
artifact hash
sha256:3f8a2c1d...
Verified
Hashes recorded at every stage transition · tamper-evident
Secret Scanning

Credentials leaked in build logs. Caught.

Build logs print more than they should. O3 scans all Jenkins console output, archived artifacts, and environment variable exports for credentials that were accidentally printed at runtime.

Jenkins · Console Output
[Build] Compiling src/main/java...[Build] BUILD SUCCESS [O3 Secret Scan] Scanning console output...[O3 Secret Scan] Scanning build artifacts... ⚠ DETECTED: AWS_SECRET_KEY in build output (line 847)  Value: AKIAIOSFODNN7EXAMPLE...  Source: maven.log · archived artifact [O3 Secret Scan] 1 secret detected — alerting security team

Security scanning in every Jenkins build.

Add O3 to your Jenkins pipeline in minutes. SAST, SCA, and secret scanning — no separate tools required.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • Yes. The O3 Jenkins plugin supports freestyle projects, declarative pipelines, and scripted pipelines. For freestyle projects, O3 is added as a post-build action. For declarative and scripted pipelines, it is added as a pipeline step using the o3Scan() function in your Jenkinsfile.
  • SLSA (Supply Chain Levels for Software Artifacts) Level 3 requires that the provenance of a build artifact is generated by a system that is isolated from the build process and cryptographically signed. O3 captures build metadata, source commit, builder identity, build parameters, and output digest, from outside the build process and signs the provenance record with a key the build environment cannot access. This proves the artifact was built from the claimed source without modification.
  • Yes. O3 detects dependency confusion attacks by monitoring which package registries are used during a build and comparing them against your configured baseline. If a package that should be pulled from an internal registry is instead resolved from a public registry, the hallmark of a dependency confusion attack. O3 flags it immediately and can fail the build.
  • Yes. Build logs frequently contain more information than intended, environment variables printed during setup, credentials echoed by shell scripts, API tokens in verbose output. O3 monitors all Jenkins console output in real time and flags secrets as they are printed, before the build completes and logs are archived.
  • No. O3 is installed as a standard Jenkins plugin from the official plugin directory. It runs on your existing Jenkins controller and agents without any additional infrastructure, sidecar containers, or external services. Scan results are sent to the O3 platform over HTTPS and displayed in the Jenkins build view as a post-build report.
  • O3 records a cryptographic hash of every build artifact at the point of creation and re-verifies that hash before the artifact is promoted to the next stage or deployed. Any modification, whether from a compromised build step, a shared artifact store, or a malicious pipeline stage, will cause a hash mismatch that O3 surfaces immediately.