Jenkins Website / WEBSITE-610

Fix documentation on what credentials masking actually is

    Details

    • Type: Improvement
    • Status: Done
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: content
    • Labels:
      None

      Description

      https://jenkins.io/doc/book/pipeline/jenkinsfile/#handling-credentials

      This section has the following description:

       To maintain the security and anonymity of these credentials, if you attempt to retrieve the value of these credential variables from within the Pipeline (e.g. echo $AWS_SECRET_ACCESS_KEY), Jenkins only returns the value “***” to prevent secret information from being written to the console output and any logs. Any sensitive information in credential IDs themselves (such as usernames) are also returned as “***” in the Pipeline run’s output.

      This might lead users to believe credentials masking is a miracle cure when all it does is prevent accidental exposure. This needs to be clarified to explain the limitations: Anyone able to change Jenkins or build scripts will be able to transform the credentials into a form that won't get masked.

      See also https://github.com/jenkinsci/credentials-binding-plugin/blob/2a0d796a742ea089fcebfa1d8170326b420fbfe5/src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html#L51...L59
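
      The limitation described in this report, shown as an added example that is not part of the original issue or of Jenkins' own code: a simplified literal-substring masker next to a log audit that also looks for re-encoded forms. The `mask`, `variants` and `audit` helpers, the secret value and the log lines are all constructed for illustration, and the list of encodings is an assumption, not an exhaustive set.

```python
import base64

# Constructed sample value, not a real credential.
SECRET = "s3cr3t-EXAMPLE-value-0001"

def mask(line, secrets):
    """Simplified model of console masking: replace literal occurrences only."""
    for s in secrets:
        line = line.replace(s, "***")
    return line

def variants(secret):
    """Re-encodings an auditor can also search for (assumed, non-exhaustive list)."""
    raw = secret.encode()
    return {
        "literal": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "reversed": secret[::-1],
    }

def audit(log_lines, secrets):
    """Return (line_number, form) for each line that still carries a secret."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        for s in secrets:
            for form, value in variants(s).items():
                if value in line:
                    findings.append((number, form))
    return findings

# Constructed console output: a direct echo, a transformed value, a normal line.
RAW_LOG = [
    "+ echo " + SECRET,
    "debug blob: " + base64.b64encode(SECRET.encode()).decode(),
    "Finished: SUCCESS",
]
MASKED_LOG = [mask(line, [SECRET]) for line in RAW_LOG]

if __name__ == "__main__":
    print("\n".join(MASKED_LOG))
    print(audit(MASKED_LOG, [SECRET]))
```

      The audit only catches whole-value encodings from its own list, so it complements restricting who can edit the Jenkinsfile and build scripts; it does not replace that control.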

            Activity

            markewaite Mark Waite added a comment -

            Merged

              People

              • Assignee:
                markewaite Mark Waite
                Reporter:
                danielbeck Daniel Beck