How to manage sensitive credentials?

Issue

Some companies have a strong security policy.

Making credentials available to users can put your entity/company at risk because of security vulnerabilities. Indeed, any user who has access to credentials can expose them.
Examples of security vulnerabilities:

  • A malicious unit test can steal many of the credentials used during the build (read Maven settings, access git credentials…)
  • Credentials locked down to a specific plugin could be leaked by using the locked-down plugin (e.g. git) to connect to a rogue endpoint

Jenkins credentials can be used by plugins, and plugins can expose these credentials in the build environment (environment variables…); it is then easy to leak the credentials with a bat/sh command (wget, email…). Because of this design, credentials can be leaked by malicious users.

Environment

Resolution

Credentials can be secured by confining their use to scripts/tasks that expose only high-level APIs, which do not allow the credentials being used to be seen. These scripts/tasks can in turn be secured with CloudBees solutions:

  • Remove the permission(1) for application team members to create/edit their pipelines & jobs without control from the “Jenkins admins in charge of ensuring security”
    • Templatize the jobs(2)
    • Restrict the available types of job so that application teams can only create templatized jobs(3)
    • Use pipeline jobs stored in a git repo owned by Jenkins admins, to which the application teams submit changes through pull requests(4)
      Note: The Jenkins admins can ensure that the pipeline script is not malicious and is not leaking credentials.
    • The use of marker files is highly recommended(4)(5)
  • Locate these “atomic scripts” in dedicated folders secured by CloudBees RBAC(1) so that only Jenkins admins can modify these scripts and define the credentials at the folder level
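
The pull-request review mentioned in the note above can be supported by a pre-merge check. The following is an added example, not part of the original article or of any CloudBees tooling: a heuristic Python check that lists the sh/bat steps inside withCredentials blocks that pass a bound credential variable to a network tool, together with the hosts contacted. The tool list, the sample Jenkinsfile and the host names are constructed assumptions.

```python
import re

# Heuristic patterns; the tool list extends the article's "wget, email" and is an assumption.
NETWORK_TOOLS = re.compile(r"\b(wget|curl|mail|sendmail)\b")
BINDING_VAR = re.compile(r"\b\w*[vV]ariable\s*:\s*['\"](\w+)['\"]")
STEP = re.compile(r"\b(sh|bat)\b\s*\(?\s*(?:script\s*:\s*)?('''|\"\"\"|'|\")(.*?)\2", re.S)
HOST = re.compile(r"https?://([\w.-]+)")

# Constructed sample: a Jenkinsfile as it might arrive in a pull request.
SAMPLE = r'''
node {
  withCredentials([usernamePassword(credentialsId: 'repo-deployer',
      usernameVariable: 'REPO_USER', passwordVariable: 'REPO_PASS')]) {
    sh 'mvn -s settings.xml deploy'
    sh 'curl -u "$REPO_USER:$REPO_PASS" -T app.jar https://files.example.invalid/up/'
  }
  sh 'curl -s https://status.example.invalid/ping'
}
'''


def credential_blocks(text):
    """Yield (bound variable names, block body) for each withCredentials block."""
    for m in re.finditer(r"\bwithCredentials\s*\(", text):
        start = text.find("{", m.end())
        if start == -1:
            continue
        depth, i = 1, start + 1
        while i < len(text) and depth:  # match braces to find the end of the block
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield set(BINDING_VAR.findall(text[m.end():start])), text[start + 1:i - 1]


def review(text):
    """Return (step, tool, credential variables, hosts) for steps an admin should check."""
    findings = []
    for variables, body in credential_blocks(text):
        for step, _quote, script in STEP.findall(body):
            used = sorted(v for v in variables
                          if re.search(r"\b%s\b" % re.escape(v), script))
            tool = NETWORK_TOOLS.search(script)
            if used and tool:  # a bound secret is handed to a network-capable command
                findings.append((step, tool.group(1), used, HOST.findall(script)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Each finding tells the reviewer which endpoint to compare against the approved ones; an empty result is a triage aid only and does not show that the script is safe.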

Remark

The use of the Mask Passwords Plugin(6) and/or Credentials Binding Plugin(7) remains recommended.

  • Benefits: prevents secrets from leaking into the logs
  • Limits: does not protect against pipeline script code that would decide to leak the password outside of Jenkins

References

(1) Role-Based Access Control Plugin
(2) Pipeline Job Templates
(3) How to restrict job types in folders?
(4) Custom Pipeline as Code Scripts (marker files)
(5) Ensuring Corporate Standards in Pipelines with Custom Marker Files
(6) Mask Passwords Plugin
(7) Credentials Binding Plugin
