Jenkins

Securing Jenkins

Managing and enabling security

Managing and securing Jenkins is a critical aspect of system administration. While developers may not interact with every security detail, ensuring robust code security remains essential. In this article, we explore the various security options available in Jenkins, covering both global security settings and plugin-based implementations.

When you navigate to the "Manage Jenkins" section, you'll notice a dedicated area for security. To further enhance your setup, consider exploring the security-related plugins available under "Manage Plugins." By searching for terms like "Role-based Authorization Strategy," "Authorize Project," "Mask Passwords," "GitHub Authentication," and "OWASP Dependency Check," you can find multiple approaches tailored to different security needs.

The image shows the Jenkins Plugin Manager interface, displaying available security-related plugins for installation, including "Role-based Authorization Strategy" and "Authorize Project."

Returning to "Manage Jenkins," you will find four primary security options:

  • Manage Credentials
  • Configure Credential Providers
  • Manage Users
  • Configure Global Security

We previously discussed managing credentials during pipeline creation and user management. In the "Configure Credential Providers" section, clicking on "Providers" and selecting "Exclude Selected" displays several available options.

The image shows a Jenkins dashboard with options for system configuration, security settings, and build executor status, including managing plugins, credentials, and users.

Within this view, you'll see selections for folder credential providers, Jenkins credential providers, and user credential providers. Additional providers may appear if installed via plugins. Similarly, clicking on "Types" and selecting "Exclude Selected" reveals options such as username and password, GitHub app, SSH username with private key, secret file, secret text, and certificate. This variety underscores Jenkins' flexible and secure configuration capabilities.

Now, let’s shift focus to "Configure Global Security." This section determines who can access and use your Jenkins instance and includes several key settings:

  • Authentication Options: Disable "Remember Me" (which keeps users signed in across browser sessions, much like Gmail's stay-signed-in option) to minimize security risks and ensure users re-enter their credentials each session.
  • Security Realm: Choose from various options:
    • Delegate to Servlet Container (utilizes the container's authentication system)
    • Jenkins' own user database (with an optional sign-up feature)
    • LDAP configuration
    • Unix user group database
    • None (not recommended)
  • Agent Protocols: Configure TCP ports for inbound connectivity and control the display of security warnings.
  • API Options: Generating legacy API tokens, whether automatically for new users or manually by users, is discouraged; enabling API token usage statistics, on the other hand, improves security monitoring by recording when each token is used.
  • Agent Controller Access: Keep this enabled if you plan on using build agents for your pipelines; it restricts what connected agents may request from the controller.
  • Jenkins as an SSH Server: Although Jenkins can act as an SSH server for Jenkins CLI commands, it is disabled by default. Current recommendations suggest keeping it disabled for better security.

Note

Appropriately configuring global security settings is essential for protecting your Jenkins environment. Always assess your organization's requirements before modifying security features.

The image shows a Jenkins dashboard interface for configuring credential providers, with options to exclude specific providers and types, and buttons to save or apply changes.

These global security settings offer the flexibility to tailor your Jenkins instance according to your organization's specific needs. Whether you enable or disable certain features, the available options ensure that your system remains secure and manageable.

The image shows a Jenkins "Configure Global Security" settings page, detailing options for security realm and authorization, with user signup enabled.

Additional configuration options, such as agent protocols, legacy API tokens, API token usage statistics, and SSH server settings, allow for further fine-tuning of your security setup.
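The settings discussed above, written out as a Jenkins Configuration as Code (JCasC) file. This is an added example, not part of the lesson; it assumes the Configuration as Code plugin is installed, that the file is the one named by CASC_JENKINS_CONFIG, and that ADMIN_PASSWORD is supplied in the environment rather than stored in the file.

```yaml
# jenkins.yaml - loaded by the Configuration as Code plugin
jenkins:
  # Security Realm: Jenkins' own user database with sign-up turned off
  securityRealm:
    local:
      allowsSignup: false
      users:
        - id: "admin"
          # placeholder: value comes from the environment, never a literal
          password: "${ADMIN_PASSWORD}"

  # Authorization: nothing for anonymous users, full control once logged in
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: false

  # Authentication Options: no persistent "Remember Me" cookie
  disableRememberMe: true

  # Agents: fixed TCP port for inbound agents; only the current protocol plus Ping
  slaveAgentPort: 50000
  agentProtocols:
    - "JNLP4-connect"
    - "Ping"

  # Agent -> Controller access control stays on
  remotingSecurity:
    enabled: true

security:
  # API Options: no legacy tokens, but keep usage statistics for monitoring
  apiToken:
    creationOfLegacyTokenEnabled: false
    tokenGenerationOnCreationEnabled: false
    usageStatisticsEnabled: true

  # Jenkins as an SSH Server: port -1 leaves it disabled
  sSHD:
    port: -1
```

After Jenkins loads the file, "Configure Global Security" shows these values, and the same screen can be used to confirm that "Remember Me" and the SSH server are off.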

The image shows a Jenkins configuration page for global security settings, including API token options, agent-controller security, and SSH server port settings.

This concludes our detailed overview of managing and enabling security in Jenkins. We encourage you to apply these concepts on your system to enhance your understanding and further secure your Jenkins environment.
