Hello!
I'd like to create an interface between Jenkins and conftest (a Jenkins plugin that calls conftest to parse Jenkinsfiles to block the pipeline if they contain risky behaviors, before control is handed off to the pipeline's code), so that we can create a conftest policy to run against our Jenkinsfiles and mitigate risks like the Megalodon github actions attack.
I asked Claude to research whether it would be possible, and found out that while there is not currently a parser for this in conftest, it may be possible to fairly easily implement support.
Here's the full research report on conftest Groovy/Jenkinsfile parser options:
Q2: Conftest Groovy/Jenkinsfile Parser Options
Short answer: No existing parser, but a clear best implementation path exists.
What was found
No community fork, PR, or plugin in open-policy-agent/conftest adds Groovy parsing. The gap is confirmed and unfilled. The current 21 supported parsers have no .groovy or Jenkinsfile case.
Your best option: albertocavalcante/groovy-parser-go
A pure-Go, zero-CGO Groovy parser exists that was explicitly designed for this gap:
- GitHub: https://github.com/albertocavalcante/groovy-parser-go
- MIT license, active development (Feb 2026), no external dependencies
- The
Groovy2_4 target is labeled "the Jenkins CPS baseline" in the code
- Produces a lossless CST with full node taxonomy (
CallExpr, ClosureExpr, BlockStmt, etc.)
This is the right choice because conftest has no CGO dependencies — adding CGO would break its cross-compilation and static binary model. This library avoids that entirely.
The integration into conftest would look like:
- Add a
parser/groovy/groovy.go implementing conftest's Parser interface (just Unmarshal([]byte, any) error)
- Walk the CST, convert to
map[string]any, marshal to JSON, unmarshal into the output pointer
- Register in
parser/parser.go with Jenkinsfile filename matching (like the Dockerfile case) and .groovy extension
Tree-sitter alternatives (secondary options)
| Library |
CGO? |
Quality |
Notes |
smacker/go-tree-sitter (groovy) |
Required |
Stable, ~2024 |
Known gaps around pipeline-at-EOF |
dekobon/tree-sitter-groovy |
Required |
Best grammar coverage |
Explicitly targets Jenkinsfile, but < 4 weeks old |
amaanq/tree-sitter-groovy |
Required |
Weakest |
Java-shaped tree, not Groovy-idiomatic |
All tree-sitter options introduce CGO — a significant blocker for conftest.
Caveats on the recommended path
groovy-parser-go has no stable v1.0 release yet — API may shift
- Phase 011 (Jenkins corpus testing) is on the roadmap but not merged — Jenkinsfile coverage may have edge cases
- Requires Go 1.25; you'd need to verify conftest's current Go version
- The CST-to-map conversion layer for OPA consumption doesn't exist — you'd write that as part of the PR
Bottom line
The implementation is viable and the library is purpose-built for exactly this use case. You'd be submitting a meaningful open-source contribution to conftest. The main risk is the pre-v1.0 stability of the underlying parser — worth opening a discussion with the groovy-parser-go maintainer about their stability timeline before investing in the conftest PR.
Is this something you'd accept a PR for?
Hello!
I'd like to create an interface between Jenkins and conftest (a Jenkins plugin that calls conftest to parse Jenkinsfiles to block the pipeline if they contain risky behaviors, before control is handed off to the pipeline's code), so that we can create a conftest policy to run against our Jenkinsfiles and mitigate risks like the Megalodon github actions attack.
I asked Claude to research whether it would be possible, and found out that while there is not currently a parser for this in conftest, it may be possible to fairly easily implement support.
Is this something you'd accept a PR for?