Solutions Delivery Platform

SDP Pipeline Libraries

The Solution Delivery Platform’s open source pipeline libraries plug in to the Jenkins Templating Engine to accelerate the development of a DevSecOps pipeline.

For any relevant upgrade notes about the SDP Pipeline Libraries, check out the GitHub Releases.


The Jenkins pipeline-as-code that is developed to perform various tool integrations is largely undifferentiated. That is to say, it doesn’t really matter what project you’re working on - the pipeline code that’s written can be reused anywhere if the configuration is appropriately externalized.

These libraries serve as an open source, reusable portfolio of tool integrations that can help us speak a common language and leverage a common framework when implementing CI/CD pipelines.


Container Images as Pipeline Run Time Environments

Maintaining tool installations on a Jenkins instance can be a configuration management nightmare. Trying to keep straight 3 different versions of Java, Maven, Ant, Gradle, and so on within your Jenkins instance quickly leads to a bloated and difficult-to-maintain instance.

Furthermore, when tools are installed directly on Jenkins build agents it can be difficult to rapidly introduce new features to the pipeline.

We use container images to decouple the Jenkins infrastructure from the tools that the pipeline needs for building, testing, and deploying applications.

Rather than directly invoking a tool, each library leverages helpers from the sdp library to execute portions of the pipeline inside container images.

These images can be found in the Booz Allen SDP Images GitHub Repository and are hosted through the GitHub Package Registry.

The sdp Library

If you use the SDP Pipeline Libraries as a Library Source for your pipeline, you must include the sdp library. This library contains helper functions such as inside_sdp_image() to facilitate the use of the SDP Pipeline Container Images as run time environments.


Your Jenkins build agents must have Docker installed due to the above-mentioned use of container images in the SDP Pipeline Libraries.


Table 1. SDP Pipeline Libraries
Library Description

The A11y Machine

Leverages The A11y Machine to perform accessibility compliance scanning


Performs comprehensive container image vulnerability scan and compliance policy evaluation using your Anchore Enterprise or Anchore Engine installation


Uses Docker to build and publish container images, tagging them with the Git SHA


Allows you to map a branching strategy to specific pipeline actions when using Public GitHub or GitHub Enterprise

GitHub Enterprise

Allows you to map a branching strategy to specific pipeline actions when using or GitHub Enterprise


Allows you to map a branching strategy to specific pipeline actions when using GitLab

Google Lighthouse

Performs accessibility compliance, performance, search engine optimization, and best practice validations on a frontend application


Allows you to perform deployments using Helm to a Kubernetes cluster (or clusters)


Allows you to perform deployments using Helm to a Red Hat OpenShift Container Platform (or platforms)

OWASP Dependency Checker

Leverages OWASP Dependency Checker for scanning third party application dependencies


Leverages OWASP ZAP to perform penetration testing


Leverages Protractor, a frontend unit testing utility, to perform unit tests


Leverages PyTest, a Python unit testing library, to perform unit tests


An internal helper library that the others utilize


Facilitates pipeline notifications to the configured Slack channel


Performs static code analysis with SonarQube

Sysdig Secure

Performs container image scanning with Sysdig Secure’s inline scanner


Deploys Infrastructure as Code using Terraform


Performs container image scanning with TwistLock