  1. Jenkins Website
  2. WEBSITE-610

Fix documentation on what credentials masking actually is

    Details

    • Type: Improvement
    • Status: Done
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: content
    • Labels:
      None

      Description

      https://jenkins.io/doc/book/pipeline/jenkinsfile/#handling-credentials

      This section has the following description:

       To maintain the security and anonymity of these credentials, if you attempt to retrieve the value of these credential variables from within the Pipeline (e.g. echo $AWS_SECRET_ACCESS_KEY), Jenkins only returns the value “***” to prevent secret information from being written to the console output and any logs. Any sensitive information in credential IDs themselves (such as usernames) are also returned as “***” in the Pipeline run’s output.

      This might lead users to believe credentials masking is a miracle cure when all it does is prevent accidental exposure. This needs to be clarified to explain the limitations: Anyone able to change Jenkins or build scripts will be able to transform the credentials into a form that won't get masked.

      See also https://github.com/jenkinsci/credentials-binding-plugin/blob/2a0d796a742ea089fcebfa1d8170326b420fbfe5/src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html#L51...L59
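The limitation described above, as an added example that is not part of the original issue and is not Jenkins or plugin code: a simplified model of exact-match log masking, plus an audit helper that checks a console log for encoded copies of a known secret that such a filter leaves untouched. The function names, the secret, the console lines and the list of encodings checked are all constructed for illustration.

```python
import base64
import re

MASK = "***"  # placeholder string as quoted in the description above


def mask_literals(line: str, secrets: list[str]) -> str:
    """Model of console masking: replace exact occurrences of each secret."""
    # Longest first, so a secret that contains another one is masked whole.
    ordered = sorted((s for s in secrets if s), key=len, reverse=True)
    if not ordered:
        return line
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    return pattern.sub(MASK, line)


def derived_forms(secret: str) -> dict[str, str]:
    """A few transformed forms of a secret (assumed list, not exhaustive)."""
    raw = secret.encode()
    return {
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "reversed": secret[::-1],
    }


def audit_log(lines: list[str], secret: str) -> list[tuple[int, str]]:
    """Return (line number, form) for each masked line that still carries
    the secret in one of the derived forms."""
    findings = []
    for number, line in enumerate(lines, start=1):
        masked = mask_literals(line, [secret])
        for form, value in derived_forms(secret).items():
            if value in masked:
                findings.append((number, form))
    return findings


# Constructed sample: a made-up secret and made-up console lines.
SECRET = "s3cr3t-EXAMPLE-value"
CONSOLE = [
    "+ echo s3cr3t-EXAMPLE-value",
    "+ deploy --region eu-west-1",
    "token=" + base64.b64encode(SECRET.encode()).decode(),
]

if __name__ == "__main__":
    for console_line in CONSOLE:
        print(mask_literals(console_line, [SECRET]))
    print(audit_log(CONSOLE, SECRET))
```

The audit only recognises the forms it lists, so a clean result does not show that a log is free of the secret; the control that matters is who can edit the build script and which credentials a job is allowed to bind.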

          Activity

          markewaite Mark Waite added a comment -

          Merged


            People

            • Assignee:
              markewaite Mark Waite
              Reporter:
              danielbeck Daniel Beck
