JENKINS-58664

Add pipeline function to obscure credentials in file

      Description

      Problem

      The plugin hides secrets from the Jenkins console, but when using a complex tool chain the secrets may be stored in some tool's log and later published as build output.

      For example: the following uses Ansible and a JUnit output callback to generate JUnit XML which will include secrets.

      withCredentials([usernamePassword(credentialsId: 'my-test-user',
                  passwordVariable: 'PASSWORD',
                  usernameVariable: 'USER')]) {
              withEnv([
                      "ANSIBLE_STDOUT_CALLBACK=junit",
                      "JUNIT_OUTPUT_DIR=${env.WORKSPACE}"
              ]) {
                      try {
                            ansiblePlaybook(
                              playbook:"ansible/playbooks/steps.yml",
                              extraVars: [
                                      user: USER,
                                      password: PASSWORD
                                      ]
                            )
                      } finally {
                          junit 'steps.*xml'
                      }           
              }
      } 

      Recommendation

      Whereas

      • It seems unreasonable/impossible for the plugin to understand all tool chains
      • Only the binding plugin can properly know all secrets to hide

      The addition of an exposed function like obscureCredentialsInFile(file: 'mylog.xml') would allow the pipeline author to use the file cleaner to remove secrets from a file or, perhaps with a glob, a series of files.

      The method would perform the standard replacement in the file as it would do on the console, regardless of the impact to the file. For example, if the secret was 'error' and that was an XML key, the cleanup would be for the pipeline author to handle.
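A pipeline-level approximation of the requested behaviour, as an added example that is not part of the original issue and not code from the Credentials Binding plugin. The helper names `maskText` and `obscureSecretsInFiles` are hypothetical, and `findFiles` is assumed to be available from the Pipeline Utility Steps plugin.

```groovy
// Added example: scripted-pipeline helpers, not a plugin-provided step.
// Masks each secret in its raw form and in two common XML-escaped forms,
// because a JUnit XML writer may escape &, <, > (and sometimes quotes),
// so a purely literal match can miss the value that was actually written.

@NonCPS  // pure string work; kept out of CPS so the sort closure is safe
String maskText(String text, List<String> secrets) {
    List<String> needles = []
    for (String s : secrets) {
        if (!s) { continue }              // skip null or empty values
        String textEsc = s.replace('&', '&amp;')
                          .replace('<', '&lt;')
                          .replace('>', '&gt;')
        String attrEsc = textEsc.replace('"', '&quot;')
                                .replace("'", '&apos;')
        needles << s
        needles << textEsc
        needles << attrEsc
    }
    // Longest first, so a secret that contains another is masked whole.
    needles = needles.unique().sort { a, b -> b.length() <=> a.length() }
    for (String n : needles) {
        text = text.replace(n, '****')    // same mask the console log shows
    }
    return text
}

// Hypothetical name, modelled on the function the issue asks for.
def obscureSecretsInFiles(String glob, List<String> secrets) {
    for (f in findFiles(glob: glob)) {    // Pipeline Utility Steps (assumed)
        String original = readFile(file: f.path)
        String masked = maskText(original, secrets)
        if (masked != original) {
            writeFile(file: f.path, text: masked)
            echo "Masked secrets in ${f.path}"
        }
    }
}

// Usage inside the withCredentials block above, before publishing:
//   } finally {
//       obscureSecretsInFiles('steps.*xml', [USER, PASSWORD])
//       junit 'steps.*xml'
//   }
// Not covered: numeric entities, base64, URL-encoding, or other encodings.
// As the issue notes, a secret equal to an XML key (e.g. 'error') would
// also be replaced and could leave the file unparseable.
```

The call has to run inside `withCredentials`, since the bound variables are only defined there, and before any step that archives or publishes the files.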


              People

              • Assignee:
                Unassigned
                Reporter:
                citizenkahn citizenkahn