Triggering builds with webhooks behind a secure firewall

In this post I wanted to show how you can run Jenkins behind a firewall (which could be a corporate firewall, a NAT’ed network like you have at home) but still receive webhooks in real time from GitHub.com. You can generalise this to other services too – such as BitBucket or DockerHub, or anything really […]

The Silence of the Lambs: Inspecting binaries with Jenkins

This is a guest post by Michael Hüttermann. In a past blog post, Delivery Pipelines, with Jenkins 2, SonarQube, and Artifactory, we talked about pipelines which result in binaries for development versions, and in Delivery pipelines, with Jenkins 2: how to promote Java EE and Docker binaries toward production, we examined ways to consistently promote […]

Important security updates for Jenkins

We just released security updates to Jenkins, versions 2.146 and 2.138.2, that fix multiple security vulnerabilities. For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide.

Further improvements

In addition to the security fixes listed […]

Jenkins 2.121.3 and 2.138 security updates

We just released security updates to Jenkins, versions 2.138 and 2.121.3, that fix multiple security vulnerabilities. For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide. Subscribe to the jenkinsci-advisories mailing list to receive important […]

Security Hardening: New API token system in Jenkins 2.129+

About API tokens

Jenkins API tokens are an authentication mechanism that allows a tool (script, application, etc.) to impersonate a user without providing the actual password for use with the Jenkins API or CLI. This is especially useful when your security realm is based on a central directory, like Active Directory or LDAP, and you […]

Securing your Jenkins CI/CD Container Pipeline with Anchore (in under 10 minutes)

(adapted from this blog post by Daniel Nurmi) As more and more Jenkins users ship Docker containers, it is worth thinking about the security implications of this model, where the variance in software being included by developers has increased dramatically from previous models. Security implications in this context include what makes up the image, but […]

Security updates for Jenkins core and plugins

We just released security updates to Jenkins, versions 2.121 and 2.107.3, that fix multiple security vulnerabilities. Additionally, we announce previously published security issues and corresponding fixes in these plugins: Black Duck Hub, Groovy Postbuild, Gitlab Hook (fix unreleased). For an overview of what was fixed, see the security advisory. For an overview on the possible […]

AWS Firewall Manager: Central Management for Your Web Application Portfolio

There’s often tension between distributed and centralized control, especially in larger organizations. While a distributed control model allows teams to move fast and to respond to specialized local needs, a central model can provide the right level of oversight for global initiatives and challenges that span all teams. We’ve seen this challenge arise first-hand when […]

Jenkins community account password audit

Last year, news of compromised passwords being used for accounts able to distribute NPM packages made the rounds. Their system looks similar to how publishing of plugins works in the Jenkins project: Accounts are protected by passwords chosen by users. Individual contributors have permission to release the components they maintain. The components they release are […]

Security hardening: Jenkins LTS 2.107.1 switches XStream / Remoting blacklists to whitelists (JEP-200)

This is a post about a major change in Jenkins, which is available starting from Jenkins 2.102 and Jenkins LTS 2.107.1. This is a change with a serious risk of regressions in plugins. If you are a Jenkins administrator, please read this blog post and the upgrade guidelines BEFORE upgrading. I would like to provide some heads-up […]