First successful use of Jenkins telemetry

Half a year ago we delivered a security fix for Jenkins that had the potential to break the entire Jenkins UI. We needed to change how Jenkins, through the Stapler web framework, handled HTTP requests, tightening the rules around what requests would be processed by Jenkins. In the six months since, we didn’t receive notable […]

Security spring cleaning

Today we published a security advisory that mostly informs about issues in Jenkins plugins that have no fixes. What’s going on? The Jenkins security team triages incoming reports both to Jira and our non-public mailing list. Once we’ve determined it is a plugin not maintained by any Jenkins security team members, we try to inform […]

Limitations of Credentials Masking

In the Jenkins project, we ask that people report security issues to our private issue tracker. This allows us to review issues and prepare fixes in private, often resulting in better, safer security fixes. As a side effect of that, we also learn about common misconceptions and usability problems related to security in Jenkins. This […]

Remoting-based CLI removed from Jenkins

Close to two years ago, we announced in New, safer CLI in 2.54 that the traditional “Remoting” operation mode of the Jenkins command-line interface was being deprecated for a variety of reasons, especially its very poor security record. Today in Jenkins 2.165 support for this mode is finally being removed altogether, in both the server […]

Triggering builds with webhooks behind a secure firewall

In this post I wanted to show how you can run Jenkins behind a firewall (which could be a corporate firewall, or a NAT’ed network like you have at home) but still receive webhooks in real time from GitHub.com. You can generalise this to other services too – such as BitBucket or DockerHub, or anything really […]

The Silence of the Lambs: Inspecting binaries with Jenkins

This is a guest post by Michael Hüttermann. In a past blog post, Delivery Pipelines, with Jenkins 2, SonarQube, and Artifactory, we talked about pipelines which result in binaries for development versions, and in Delivery pipelines, with Jenkins 2: how to promote Java EE and Docker binaries toward production, we examined ways to consistently promote […]

Important security updates for Jenkins

We just released security updates to Jenkins, versions 2.146 and 2.138.2, that fix multiple security vulnerabilities. For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. Further improvements: In addition to the security fixes listed […]

Jenkins 2.121.3 and 2.138 security updates

We just released security updates to Jenkins, versions 2.138 and 2.121.3, that fix multiple security vulnerabilities. For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. Subscribe to the jenkinsci-advisories mailing list to receive important […]

Security Hardening: New API token system in Jenkins 2.129+

About API tokens: Jenkins API tokens are an authentication mechanism that allows a tool (script, application, etc.) to impersonate a user without providing the actual password for use with the Jenkins API or CLI. This is especially useful when your security realm is based on a central directory, like Active Directory or LDAP, and you […]

Securing your Jenkins CI/CD Container Pipeline with Anchore (in under 10 minutes)

(adapted from this blog post by Daniel Nurmi) As more and more Jenkins users ship Docker containers, it is worth thinking about the security implications of this model, where the variance in software being included by developers has increased dramatically from previous models. Security implications in this context include what makes up the image, but […]