Why are my credentials being exposed in Blue Ocean view?

Issue

You observe that after upgrading your instance to use Pipeline: Groovy version 2.85 or higher, running the pipeline code shown below causes the credentials to be shown in the pipeline view.

node("your_node") {
withCredentials([string(credentialsId: "secret", variable: "mySecret")]) {
   
sh "echo mock login --secret '${MYSECRET}'"
sh "echo starting"
sh "echo exiting"

wrap([$class: "MaskPasswordsBuildWrapper", varPasswordPairs: [[var: "mySecret", password: mySecret]]]) {
    
sh "echo mock login --secret '${MYSECRET}' # wrapped"
sh "echo starting #  wrapped with maskpassword"
sh "echo exiting # wrapped with maskpassword"

}
}
}

Environment

Resolution

The issue is related to a change in the way that Pipeline: Groovy intercepts groovy string interpolation. This change was included in version 2.85.

In order to solve the problem, you will need to install Credentials Binding 1.24 or higher.

This version solves the issues listed below:

It’s best to use single quotes (;) to surround the commands for a sh step, instead of double quotes (") (like the example code above), so that the variable expansion happens on the build agent, instead of using groovy string interpolation.

Tested product/plugin versions

Have more questions?

0 Comments

Please sign in to leave a comment.