Jenkins Security Tips
September 26, 2022

Andy Corrigan
Octopus Deploy

For such an open, customizable platform, Jenkins provides decent security even in its default state. Given it connects to countless industry tools, though, there are a few other ways to help protect your projects.

In this post, we look at some of the methods and tools to keep your Jenkins instance safe, secure, and protect those using it.

Keep everything updated

As December 2021 reminded us, software vulnerabilities can come to light at any time. Software providers update their applications not only to fix bugs or add new features, but also to close security vulnerabilities.

Jenkins has a security advisories page to keep you informed about vulnerabilities for their platform. It's still a good idea, however, to keep your instance updated, including its plugins.

To check for updates in Jenkins:
1. Click Manage Jenkins from the menu.
2. The Manage Jenkins screen will tell you at the top if there's a new version available. Click the Or Upgrade Automatically button to upgrade straight away. Otherwise, you can download the latest version and upgrade at a scheduled time.

You can also roll back an upgrade from the same screen — just click the Downgrade button.

To update Jenkins plugins:
1. Click Manage Jenkins from the menu.
2. Click Manage Plugins.
3. Make sure you're on the Updates tab, tick the updates you want to install and click Download now and install after restart.
4. Restart Jenkins to complete updates.

You can install Jenkins on most major operating systems and containers, so keep those updated too. Seek out your operating system's documentation for more information on how.
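The two update checks above can also be run on demand from Manage Jenkins, then Script Console. The following Groovy script is an added example and is not code from the original post or from the Jenkins project; it only reads state and prints the core version plus every installed plugin for which the configured update site reports a newer release.

```groovy
// Added example (not from the original post): run in Manage Jenkins -> Script Console.
// Read-only: lists the core version and the plugins that have an update available.
import jenkins.model.Jenkins

def jenkins = Jenkins.get()
println "Jenkins core: ${Jenkins.VERSION}"

// Plugins for which the update centre metadata lists a newer version
def stale = jenkins.pluginManager.plugins.findAll { it.hasUpdate() }

if (stale.isEmpty()) {
    println "All ${jenkins.pluginManager.plugins.size()} plugins are at their latest known version."
} else {
    println "${stale.size()} plugin(s) have updates available:"
    stale.sort { it.shortName }.each { plugin ->
        // updateInfo is null when the update site has no record of the plugin
        def latest = plugin.updateInfo?.version ?: '?'
        println "  ${plugin.shortName.padRight(40)} ${plugin.version} -> ${latest}"
    }
}

// Installed-but-disabled plugins still ship code on disk, so keep them in the inventory
jenkins.pluginManager.plugins.findAll { !it.enabled }.each { plugin ->
    println "note: ${plugin.shortName} ${plugin.version} is installed but disabled"
}
```

The result depends on the update-centre metadata Jenkins last downloaded; click Check now on the Updates tab first if the list looks out of date. The script changes nothing, so it is safe to schedule or paste into a ticket as evidence of patch status.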

Only change Jenkins' security defaults if you're sure

Jenkins enables most of its security features on install to make things as secure as possible. Given the many ways you can use Jenkins, though, there's no "one size fits all" approach for how best to configure or lock down your instance.

So while we can't offer advice on what's best for your team (with an exception we'll explore next), Jenkins provides detailed documentation on the important features you should look at. See the Securing Jenkins page for help with security related to:
- Basic setup
- Build behavior
- User interface

You should only make changes with careful consideration and, if possible, a chat with your cyber security specialist. You can make these changes in the Configure Global Security page — find it by selecting Manage Jenkins from the left menu.

Avoid building on your controller

Jenkins offers a built-in node so you can run tests as soon as possible to see if it's the solution for you. Builds that run on the controller itself, however, have access to the controller's file system. For this reason, Jenkins recommends you have jobs run on "agents" instead (this happens in a scalable setup, which we talked about in our last post, Using dynamic build agents to automate scaling in Jenkins).

Agents are separate Jenkins processes that run jobs instead of your controller. When using agents, you can stop your controller from running builds, so no build can reach files on the controller where it could do harm.

To stop your controller from running builds:
1. Click Manage Jenkins from the menu.
2. Click Manage Nodes and Clouds.
3. Click the cog to the right of the Built-In Node.
4. You have 2 options to prevent builds on the controller. Choose one and click Save:
- Change the Number of executors to 0 if you never want to build on the controller.
- Select Only build jobs with label expressions matching this node from the Usage dropdown if you want to build on the controller when needed.
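The same two options can be applied without clicking through the Built-In Node screen, for example from the Script Console or from a startup script. The Groovy below is an added example, not code from the original post or from the Jenkins project; it uses the public `Jenkins.setNumExecutors` and `Jenkins.setMode` methods and leaves the choice between the two options to you.

```groovy
// Added example (not from the original post): stop the controller from running builds.
// Pick ONE of the two options below; both match the Built-In Node configuration screen.
import jenkins.model.Jenkins
import hudson.model.Node

def jenkins = Jenkins.get()

// Option 1: never build on the controller (Number of executors = 0)
jenkins.setNumExecutors(0)

// Option 2: keep one executor but only accept jobs whose label expression names
// the controller explicitly (Usage = "Only build jobs with label expressions matching this node")
// jenkins.setNumExecutors(1)
// jenkins.setMode(Node.Mode.EXCLUSIVE)

// Persist to config.xml so the setting survives a restart
jenkins.save()

// Sanity checks: confirm the change, and warn if nothing else can run builds now
println "controller executors: ${jenkins.numExecutors}, usage mode: ${jenkins.mode}"
if (jenkins.nodes.isEmpty()) {
    println "warning: no agents are configured, so queued jobs will wait until one is added"
}
```

Run it after your agents are connected; with zero controller executors and no agents, every job simply sits in the queue, which the final check above points out.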

Only give your team access to what they need

Security is more than just protecting yourself from incoming threats. It's also about protecting your environment from within because accidents can happen. And they're more likely to happen if:
- You're running a Jenkins instance with a single admin account
- Everyone has access to everything
- People can change things they shouldn't change

Here are a few suggestions for managing your user access.

Give each Jenkins user an account

To help track what your users are doing, create individual user accounts for anyone using your Jenkins instance. This way you can see all activity and who's done what.

To create extra users:
1. Click Manage Jenkins from the menu.
2. Scroll down and select Manage Users.
3. Click Create User from the left.
4. Complete all fields and click Create User.

We recommend using the Matrix Authorization Strategy plugin to manage user access to Jenkins on a more granular level. For example, with this plugin you could:
- Restrict users' access so they can only see and manage builds for the projects they're part of
- Give read-only access to project managers so they can see how builds are progressing

To install the plugin:
1. Click Manage Jenkins from the left menu.
2. Click Manage Plugins.
3. Click the Available tab and start typing Matrix Authorization. The plugin will appear in the predicted results.
4. Tick the box to the left of the plugin and click Install without restart.

To set permissions with the plugin:
1. Click Manage Jenkins from the menu.
2. Click Configure Global Security.
3. Click the radio button for either:
- Matrix-based security — allows you to manage global user and group permissions.
- Project-based Matrix Authorization Strategy — allows you to manage user and group permissions at a project level.
4. Regardless of your choice, use the buttons to add users or groups, and select their level of access using the checkboxes in the table. Click Save when you're done.
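For teams that keep Jenkins configuration in scripts, the permission matrix from step 4 can also be built in Groovy. The script below is an added example and is not code from the original post or from the Matrix Authorization Strategy plugin's documentation. It assumes the plugin is installed, that a user named `admin` already exists in your security realm, and that your realm provides groups named `project-managers` and `developers`; all three names are assumptions you should replace.

```groovy
// Added example (not from the original post): apply Project-based Matrix Authorization
// from the Script Console. Assumed names: user "admin", groups "project-managers"
// and "developers". Requires the Matrix Authorization Strategy plugin.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.model.User
import hudson.security.ProjectMatrixAuthorizationStrategy

def jenkins = Jenkins.get()

// Guard against locking yourself out: the account that will hold Administer must exist
if (User.getById('admin', false) == null) {
    throw new IllegalStateException("create the 'admin' user before applying this strategy")
}

def strategy = new ProjectMatrixAuthorizationStrategy()

// Full control for the one named admin account only
strategy.add(Jenkins.ADMINISTER, 'admin')

// Anyone who can log in may load the UI; everything else must be granted explicitly
strategy.add(Jenkins.READ, 'authenticated')

// Project managers: read-only view of jobs and their build progress
strategy.add(Item.READ, 'project-managers')
strategy.add(Item.DISCOVER, 'project-managers')

// Developers: may see, start and stop builds, but not reconfigure jobs.
// Per-project rights beyond these are granted in each job's own matrix.
strategy.add(Item.READ, 'developers')
strategy.add(Item.DISCOVER, 'developers')
strategy.add(Item.BUILD, 'developers')
strategy.add(Item.CANCEL, 'developers')

jenkins.setAuthorizationStrategy(strategy)
jenkins.save()
println "authorization strategy now: ${jenkins.authorizationStrategy.class.simpleName}"
```

Nothing here grants rights to `anonymous`, so unauthenticated visitors get no access at all. Note that the strategy replaces whatever matrix was configured before, which is why the script checks that the admin account exists before saving.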

Other user access plugins you should consider

If you already use other systems for access management, you might be able to authenticate your Jenkins users with those. For example, there are plugins for both Microsoft's Active Directory and OpenID, which can save you from managing access in more than one spot.

We also recommend looking at both the Folders and Folder-based Authorization Strategy plugins.

The Folders plugin allows you to group jobs as you want in nestable folders. This plugin lets you group jobs that share security needs, which helps you keep a closer eye on them.

The Folder-based Authorization Strategy plugin extends security for folders, by letting you set folder access using roles.

Securely store your credentials

The Credentials Binding plugin is the best option for encrypting and securely storing credentials that connect Jenkins with other services. Jenkins recommends it too — as one of their suggested plugins when installing Jenkins for the first time. Plus, plenty of other plugins use it as a dependency.

This plugin lets you store and reuse all types of authentication methods, such as:
- Usernames and passwords
- SSH usernames and private keys
- Secret files
- Secret text
- Certificates
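In a Pipeline, those stored credential types reach a build through the Credentials Binding plugin's `withCredentials` step. The Jenkinsfile below is an added example, not code from the original post; the credential IDs `deploy-api-user`, `deploy-ssh-key` and `deploy-config`, the agent label `linux` and the host `deploy.example.com` are assumptions.

```groovy
// Added example (not from the original post): a declarative Jenkinsfile that consumes
// three of the credential types listed above. Assumed credential IDs: 'deploy-api-user'
// (username/password), 'deploy-ssh-key' (SSH key), 'deploy-config' (secret file).
pipeline {
    agent { label 'linux' }   // run on an agent, not on the controller

    stages {
        stage('Deploy') {
            steps {
                withCredentials([
                    // username/password pair exposed as two environment variables
                    usernamePassword(credentialsId: 'deploy-api-user',
                                     usernameVariable: 'API_USER',
                                     passwordVariable: 'API_PASS'),
                    // private key written to a temporary file for the duration of the block
                    sshUserPrivateKey(credentialsId: 'deploy-ssh-key',
                                      keyFileVariable: 'SSH_KEY',
                                      usernameVariable: 'SSH_USER'),
                    // secret file, also materialised as a temporary file
                    file(credentialsId: 'deploy-config', variable: 'CONFIG_FILE')
                ]) {
                    // Single-quoted script: the shell expands the variables, so the secret
                    // values never enter the Groovy source. A double-quoted "$API_PASS"
                    // would interpolate the password into the command line instead.
                    sh '''
                        curl --fail --silent --user "$API_USER:$API_PASS" \
                             https://deploy.example.com/api/ping
                        ssh -i "$SSH_KEY" "$SSH_USER@deploy.example.com" 'echo connected'
                        cp "$CONFIG_FILE" ./config.json
                    '''
                }
                // Outside the block the variables are unset and the temporary files removed
            }
        }
    }
}
```

The plugin masks bound values if they do appear in the console log, but the quoting above is the reliable defence: a secret that is never interpolated into a Groovy string cannot be printed by the step, nor stored in the build record.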

As you can see, there are plenty of ways to ensure safe use of Jenkins to protect projects from risks outside and within. Check Jenkins' documentation for even more information on keeping your instances secure.

Check out our other posts about configuring Jenkins:
- Using dynamic build agents to automate scaling in Jenkins
- Managing credentials in Jenkins

Try the free Jenkins Pipeline Generator tool to create a Pipeline file in Groovy syntax. It's everything you need to get your Pipeline project started.

Andy Corrigan is a Technical Content Creator at Octopus Deploy