[JENKINS-43814] Password parameters should be hidden in pipeline logs by default

Type: New Feature
Resolution: Unresolved
Priority: Minor
Component/s: credentials-binding-plugin, mask-passwords-plugin, redacted-password-parameters-plugin
Labels:
- cloudbees-internal-pipeline

Similar Issues:
Powered by SuggestiMate

Show

In a pipeline script when a developer uses `withCredentials` credentials are hidden in logs to reduces the chance of accidental disclosure (see ~~JENKINS-38181~~)

When using a password parameter in a job the same concept should be applied to it and it should be impossible to display its value in logs

A work-around is to use the MaskPasswordsBuildWrapper but it has to be manually done (and it's a bit crappy)

node {
  wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: "${myPassword}", var: 'PASSWORD']]]) {
   println myPassword
   sh 'echo "Hello World ${myPassword}"'
  }
}

relates to

JENKINS-27392 API to decorate console output

Resolved

JENKINS-57717 showRawYaml doesn't work inside podTemplate

Resolved

JENKINS-36007 Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

Open

JENKINS-34101 Option for input parameters to be flattened to string

Open

JENKINS-44779 Add @Symbol to MaskPasswordsBuildWrapper

In Progress

Arnaud Héritier created issue - 2017-04-25 08:27

Jesse Glick added a comment - 2017-05-09 15:43

Could be done naturally by Declarative I think.

Jesse Glick added a comment - 2017-05-09 15:43 Could be done naturally by Declarative I think.

Jesse Glick made changes - 2017-05-09 15:43

Component/s		New: pipeline-model-definition-plugin [ 21706 ]
Component/s	Original: pipeline [ 21692 ]

Andrew Bayer made changes - 2017-06-08 15:41

Link

New: This issue relates to JENKINS-44779 [ JENKINS-44779 ]

James Dumay made changes - 2017-07-20 06:36

Labels

New: cloudbees-internal-pipeline

Jesse Glick made changes - 2017-08-08 13:54

Link

New: This issue is duplicated by JENKINS-36007 [ JENKINS-36007 ]

Jesse Glick made changes - 2017-08-08 13:54

Link

Original: This issue is duplicated by JENKINS-36007 [ JENKINS-36007 ]

Jesse Glick made changes - 2017-08-08 13:54

Link

New: This issue relates to JENKINS-36007 [ JENKINS-36007 ]

Andrew Bayer added a comment - 2017-10-20 13:30

jglick huh? How would Declarative have anything to do with that?

Andrew Bayer added a comment - 2017-10-20 13:30 jglick huh? How would Declarative have anything to do with that?

Andrew Bayer added a comment - 2017-10-20 13:31

Oh, wait, do you mean MaskPasswordsBuildWrapper could be replicated in Declarative? I'd prefer not - better to get a proper block-scoped step implementation that can be used as an option in Declarative.

Andrew Bayer added a comment - 2017-10-20 13:31 Oh, wait, do you mean MaskPasswordsBuildWrapper could be replicated in Declarative? I'd prefer not - better to get a proper block-scoped step implementation that can be used as an option in Declarative.

Assignee:: Unassigned

Reporter:: Arnaud Héritier

Votes:: 6 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2017-04-25 08:27

Updated:: 2022-01-03 22:54

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Jesse Glick added a comment - 2017-05-09 15:43

Expand comment: Jesse Glick added a comment - 2017-05-09 15:43

Collapse comment: Andrew Bayer added a comment - 2017-10-20 13:30

Expand comment: Andrew Bayer added a comment - 2017-10-20 13:30

Collapse comment: Andrew Bayer added a comment - 2017-10-20 13:31

Expand comment: Andrew Bayer added a comment - 2017-10-20 13:31

People

Dates