I originally posted this issue here, thinking that it was a JCasC issue, but I learnt that JCasC compatibility is implemented in the plugins themselves. The below is a condensed version of that issue:

It is already possible to configure approvedSignatures:

security:   scriptApproval:     approvedSignatures:       - "some signature"

But it isn't possible to configure approved scripts or hashes of approved scripts, which is what's technically being approved.

I'm working on migrating from jenkins-startup-scripts, where this is a built in feature. Here's the implementation for reference.

Obtaining the hashes is a bit of a pain, as it requires you to run the job that needs the script approvals, then approve them in the UI and finally grab the hashes from scriptApproval.xml in JENKINS_HOME. So we might want to simplify that by letting the user provide the whole script, but being able to approve hashes is a good start.

So here is my suggestion:

security:   scriptApproval:     approvedScriptHashes:       - "some hash"

To make life easier, we could also have: 

security:   scriptApproval:     approvedScripts:       - "some script"

However that is a bit more effort and mostly a nice to have. The first one is essential, though.

I think this is related to JENKINS-62448. If we make something configurable via, JCasC it makes sense to make it configurable in the UI as well. And if we show approved scripts in the UI, then it doesn't make much sense to just show the hashes. Would be quite difficult for the user to know which one to delete.

Perhaps the UI could show the hashes in the list with an option to expand to the full script. Then it would be easy for the admin to copy the hash from the UI to the yaml, where it's probably preferable to use the hash, since the yaml could get quite bloated if whole scripts are kept there. Although for short one liners it may be preferable to use the script in the yaml for easier maintenance, so perhaps the best thing is to support both options if possible.