How to Integrate AI Agent Safety with Jenkins
SafeClaw by Authensor integrates into Jenkins pipelines to validate AI agent safety policies, run simulation tests, and verify audit trail integrity as part of your build process. By adding SafeClaw stages to your Jenkinsfile, you block deployments that contain invalid policies or unsafe action patterns. Install with npx @authensor/safeclaw and make AI agent safety a required gate in your Jenkins CI/CD pipeline.
Prerequisites
- Jenkins 2.x with Pipeline plugin installed
- Node.js 18+ available on Jenkins agents (or use a Docker agent)
- SafeClaw initialized in your project repository
Step 1 — Declarative Pipeline with Safety Stages
Create or update your Jenkinsfile:
    pipeline {
        agent {
            docker {
                image 'node:20-slim'
            }
        }
        stages {
            stage('Install') {
                steps {
                    sh 'npm ci'
                }
            }
            stage('Safety Validate') {
                steps {
                    sh 'npx @authensor/safeclaw validate'
                }
            }
            stage('Safety Simulation') {
                steps {
                    sh 'npx @authensor/safeclaw test --simulation'
                }
            }
            stage('Unit Tests') {
                steps {
                    sh 'npm test'
                }
            }
            stage('Deploy') {
                when {
                    branch 'main'
                }
                steps {
                    sh 'npx @authensor/safeclaw'
                    sh 'npm run deploy'
                }
            }
        }
        post {
            always {
                archiveArtifacts artifacts: 'safeclaw-report.json', allowEmptyArchive: true
            }
            failure {
                echo 'AI Safety check failed — deployment blocked'
            }
        }
    }
The Safety Validate stage checks policy syntax. Safety Simulation runs the agent in dry-run mode, evaluating every action against the policy without executing. Both must pass before Deploy.
Step 2 — Parallel Safety Checks
Run validation and simulation in parallel to reduce pipeline time:
    stage('Safety Checks') {
        parallel {
            stage('Validate Policy') {
                steps {
                    sh 'npx @authensor/safeclaw validate'
                }
            }
            stage('Simulation Test') {
                steps {
                    sh 'npx @authensor/safeclaw test --simulation --output safeclaw-report.json'
                }
            }
        }
    }
Step 3 — Policy Change Approval Gate
Add a manual approval step when the policy file is modified:
    stage('Policy Change Approval') {
        when {
            changeset 'safeclaw.config.yaml'
        }
        steps {
            script {
                sh 'npx @authensor/safeclaw diff --base origin/main --head HEAD'
            }
            input message: 'SafeClaw policy has changed. Approve deployment?',
                  submitter: 'security-team'
        }
    }
The input step pauses the pipeline and requires a member of the security team to approve before proceeding.
Step 4 — Use Jenkins Credentials
Store sensitive values in Jenkins credentials, not in the repository:
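    stage('Post-Deploy Audit Verify') {
        when {
            branch 'main'
        }
        steps {
            // AUDIT_URL is exposed to the enclosed steps as an environment variable.
            withCredentials([string(credentialsId: 'audit-log-url', variable: 'AUDIT_URL')]) {
                // Single-quoted so Groovy never interpolates a bound secret into the command string.
                sh 'npx @authensor/safeclaw audit verify --last 100'
            }
        }
    }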
SafeClaw does not need LLM API keys during CI. Validation and simulation run without making real API calls.
Step 5 — Multibranch Pipeline
For multibranch pipelines, apply different policies per environment:
    stage('Safety Checks') {
        steps {
            script {
                def policyFile = env.BRANCH_NAME == 'main'
                    ? 'policies/production.yaml'
                    : 'policies/staging.yaml'
                sh "npx @authensor/safeclaw validate --config ${policyFile}"
                sh "npx @authensor/safeclaw test --simulation --config ${policyFile}"
            }
        }
    }
Step 6 — Shared Library for Organization-Wide Safety
Create a Jenkins Shared Library so all teams use the same safety checks:
    // vars/safeClawCheck.groovy
    def call(Map config = [:]) {
        def policyFile = config.policy ?: 'safeclaw.config.yaml'
        sh "npm ci"
        sh "npx @authensor/safeclaw validate --config ${policyFile}"
        sh "npx @authensor/safeclaw test --simulation --config ${policyFile}"
    }
Use it in any project's Jenkinsfile:
    @Library('shared-pipelines') _
    pipeline {
        agent { docker { image 'node:20-slim' } }
        stages {
            stage('Safety') {
                steps {
                    safeClawCheck(policy: 'safeclaw.config.yaml')
                }
            }
        }
    }
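A hardened variant of the Step 6 library step, as an added example rather than code from this page or from SafeClaw: it validates the caller-supplied policy path and hands it to the shell through an environment variable instead of Groovy string interpolation. The file name, the path allowlist and the SC_POLICY_PATH variable name are assumptions; the SafeClaw commands and flags are the ones used in the steps above.

```groovy
// vars/safeClawCheckHardened.groovy  (hypothetical file name, added example)
def call(Map config = [:]) {
    String policyFile = config.policy ?: 'safeclaw.config.yaml'

    // Accept only a relative YAML path built from a conservative character set.
    // The first character must be alphanumeric or '_', which rules out absolute
    // paths and values starting with '-' that a CLI could read as an option.
    // This allowlist is an assumption; adjust it to your repository layout.
    boolean wellFormed = policyFile ==~ /[A-Za-z0-9_][A-Za-z0-9_.\/-]*\.ya?ml/
    if (!wellFormed || policyFile.contains('..')) {
        error "safeClawCheck: refusing policy path '${policyFile}'"
    }

    // Fail early when the file is missing instead of depending on how the
    // tool treats an absent config.
    if (!fileExists(policyFile)) {
        error "safeClawCheck: policy file not found: ${policyFile}"
    }

    // SC_POLICY_PATH is an arbitrary name chosen for this example. The sh
    // strings are single-quoted, so Groovy performs no interpolation and the
    // shell expands "$SC_POLICY_PATH" as a single quoted argument.
    withEnv(["SC_POLICY_PATH=${policyFile}"]) {
        sh 'npm ci'
        sh 'npx @authensor/safeclaw validate --config "$SC_POLICY_PATH"'
        sh 'npx @authensor/safeclaw test --simulation --config "$SC_POLICY_PATH"'
    }
}
```

The same pattern applies to the Step 5 stage, where the policy path is also interpolated into the sh command string.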
Step 7 — Archive Simulation Reports
    stage('Safety Simulation') {
        steps {
            sh 'npx @authensor/safeclaw test --simulation --output safeclaw-report.json'
            archiveArtifacts artifacts: 'safeclaw-report.json'
        }
    }
The archived report shows every simulated action, the matching rule, and the decision. It can be reviewed from the Jenkins build page.