[JENKINS-43814] Password parameters should be hidden in pipeline logs by default - Jenkins Jira

Type: New Feature
Resolution: Unresolved
Priority: Minor
Component/s: credentials-binding-plugin, mask-passwords-plugin, redacted-password-parameters-plugin
Labels:
- cloudbees-internal-pipeline

Similar Issues:
Powered by SuggestiMate

Show

In a pipeline script when a developer uses `withCredentials` credentials are hidden in logs to reduces the chance of accidental disclosure (see ~~JENKINS-38181~~)

When using a password parameter in a job the same concept should be applied to it and it should be impossible to display its value in logs

A work-around is to use the MaskPasswordsBuildWrapper but it has to be manually done (and it's a bit crappy)

node {
  wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: "${myPassword}", var: 'PASSWORD']]]) {
   println myPassword
   sh 'echo "Hello World ${myPassword}"'
  }
}

relates to

JENKINS-27392 API to decorate console output

Resolved

JENKINS-57717 showRawYaml doesn't work inside podTemplate

Resolved

JENKINS-36007 Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

Open

JENKINS-34101 Option for input parameters to be flattened to string

Open

JENKINS-44779 Add @Symbol to MaskPasswordsBuildWrapper

In Progress

Assignee:: Unassigned

Reporter:: Arnaud Héritier

Votes:: 6 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2017-04-25 08:27

Updated:: 2022-01-03 22:54

Details

Description

Attachments

Issue Links

Activity

People

Dates