DEV Community

Cover image for Your CI Pipeline Catches Bugs. Mine Catches Architecture Drift, Supply-Chain Risk, and Tells Me If the Release Is Ready.
Saurabh
Saurabh

Posted on

Your CI Pipeline Catches Bugs. Mine Catches Architecture Drift, Supply-Chain Risk, and Tells Me If the Release Is Ready.

#devops #jenkins #ai #opensource

Every CI/CD pipeline runs linters. Runs tests. Maybe runs SonarQube. And then you ship, hoping nobody introduced a circular dependency, pulled in an unmaintained library with a GPL conflict, or quietly broke the hexagonal architecture your team spent three months agreeing on.

I got tired of finding these problems in code review, after the PR was already up, after the developer had moved on mentally, after the arguments about whether it's "really that bad." So I built a Jenkins plugin that catches them during the pipeline, scores the build, and gives you a release verdict: SHIP_IT, CAUTION, HOLD, or BLOCK.

It's called ForgeAI Pipeline Intelligence, it's open source (Apache 2.0), and it's been running in our pipelines since April.

What It Actually Does

ForgeAI embeds 8 specialized AI analyzers directly into your Jenkins pipeline. Each one has a focused job:

Code Review: Not just style. SOLID violations, anti-patterns, error handling gaps, DRY issues. Think of it as a senior engineer who never gets tired of reviewing PRs.

Vulnerability Analysis: OWASP Top 10 mapping, hardcoded secrets, injection vectors, CWE references. Goes deeper than regex-based scanners because it reads context.

Architecture Drift Detection: This is the one most teams don't have. It understands hexagonal, layered, CQRS, and microservice patterns. If someone puts a database call in your controller layer, it flags it.
Test Gap Analysis, Finds untested code paths, missing edge cases, and weak assertions. Doesn't just say "coverage is low", it tells you what to test and why.

Dependency Risk Scoring: License conflicts, unmaintained packages, unpinned versions, transitive dependency depth. Supply-chain risk is a spectrum, not a boolean.

Commit Intelligence: Commit message hygiene, breaking change detection, auto-generated changelog drafts, semver suggestions.

Pipeline Optimizer: Analyzes your Jenkinsfile itself. Finds parallelization opportunities, caching gaps, resource waste, and failure resilience issues.

Release Readiness: The capstone. Synthesizes all prior analyses into a composite score (security weighted 3x, architecture 2x) and a final verdict.

The 10-Line Integration

Here's what it looks like in a Jenkinsfile:

stage('ForgeAI Intelligence') {
    steps {
        script {
            def report = forgeAI(
                analyzers: ['code-review', 'vulnerability', 
                            'architecture-drift', 'test-gaps',
                            'dependency-risk', 'release-readiness'],
                sourceGlob: 'src/**/*.java',
                contextInfo: 'Spring Boot microservice, hexagonal architecture',
                failOnCritical: true,
                criticalThreshold: 4
            )
            echo "Composite Score: ${report.compositeScore}/10"
        }
    }
}
Enter fullscreen mode Exit fullscreen mode

That's it. Every build now gets an AI-powered analysis with a self-contained HTML report archived as a build artifact.

It Runs Without the Cloud
This was non-negotiable for me. Many teams can't send source code to external APIs, regulated environments, air-gapped networks, or just security policy.

ForgeAI is provider-agnostic. It works with:

  • OpenAI (GPT-4o, o1)
  • Anthropic Claude (Sonnet, Opus)
  • Ollama fully local, zero data leaves your network
  • LM Studio, vLLM or any OpenAI-compatible endpoint

The Ollama path is what makes this usable in enterprises. Pull deepseek-coder:6.7b, point ForgeAI at localhost:11434, and you have production-grade pipeline intelligence with no cloud dependency.

What Makes This Different From "Just Asking ChatGPT"

I've seen teams paste code into ChatGPT and call it "AI-powered code review." ForgeAI is architecturally different in a few ways:

Specialized system prompts. Each analyzer has a purpose-built prompt tuned for its domain. The vulnerability analyzer thinks like a security auditor. The architecture drift analyzer thinks like a principal engineer. They don't share a generic "review this code" prompt.

Weighted composite scoring. Not all findings are equal. A security vulnerability is more urgent than a naming convention issue. ForgeAI weights security 3x and architecture 2x in the composite score.

Pipeline-native. It runs in your CI/CD, not in a browser tab. Results are tied to builds, archived, and can fail the pipeline. It becomes part of your quality gate, not a suggestion you can ignore.

It analyzes itself. The Pipeline Optimizer analyzer reads your Jenkinsfile and finds inefficiencies. I haven't seen another tool do this.

The Architecture 

Jenkins Pipeline
    └── ForgeAI Step (forgeAI / forgeAIScan)
        ├── DirectoryTreeCallable → reads source files
        ├── LLMProviderFactory
        │   ├── OpenAICompatibleProvider
        │   ├── AnthropicProvider
        │   └── OllamaProvider
        ├── Analyzers (each extends BaseAnalyzer)
        │   ├── CodeReviewAnalyzer
        │   ├── VulnerabilityAnalyzer
        │   ├── ArchitectureDriftAnalyzer
        │   ├── TestGapAnalyzer
        │   ├── DependencyRiskAnalyzer
        │   ├── CommitIntelligenceAnalyzer
        │   ├── PipelineAdvisorAnalyzer
        │   └── ReleaseReadinessAnalyzer
        └── ForgeAIReportGenerator → HTML report
Enter fullscreen mode Exit fullscreen mode

The provider abstraction is clean, LLMProvider is an interface, each backend implements it, and LLMProviderFactory selects based on the global config. Adding a new provider means implementing one interface.

The analyzer pattern is similar, BaseAnalyzer handles prompt construction, LLM calls, and result parsing. Each specialized analyzer provides its system prompt and result schema. If you want to add a custom analyzer (say, accessibility or i18n), you extend BaseAnalyzer and register it.

Getting Started

Option 1: Install from the Jenkins Update Center (recommended):

Go to Manage Jenkins → Plugins → Available plugins, search for "ForgeAI Pipeline Intelligence", and install. No build step, no HPI upload, it's in the official Jenkins plugin index.

Option 2: Build from source (JDK 17+, Maven 3.9+):

git clone https://github.com/jenkinsci/forgeai-pipeline-intelligence-plugin.git
cd forgeai-pipeline-intelligence-plugin
mvn clean package -DskipTests
Enter fullscreen mode Exit fullscreen mode

Upload target/forgeai-pipeline-intelligence.hpi via Manage Jenkins → Plugins → Advanced → Deploy Plugin.

Then configure: Navigate to Manage Jenkins → System → ForgeAI Pipeline Intelligence, select your LLM provider, enter the endpoint and API key, click Test Connection, and you're running.

The examples/ directory has three annotated Jenkinsfiles: full suite, parallel targeted scans, and local Ollama setup.

Upcoming Additions

The roadmap includes GitHub Checks API integration (PR annotations), historical trend dashboards, Slack/Teams notifications, and custom analyzer support via the UI. Contributions are welcome, prompt engineering, additional language support, and HTML report improvements are all high-impact areas.

Repo: github.com/jenkinsci/forgeai-pipeline-intelligence-plugin
Plugin page: plugins.jenkins.io/forgeai-pipeline-intelligence/

Next up: How I built an AI-governed SDLC for teams using Claude Code and Cursor, with CrewAI agents, secret scanning, SAST, and Grafana observability all running locally on Docker.

Connect with me:

  • GitHub: saurabh-oss
  • LinkedIn: saurabh-tcs
  • X: @sauvast
  • Reddit: u/sauvast
  • Discord: sauvast

Top comments (0)