For such an open, customizable platform, Jenkins provides decent security even in its default state. Given it connects to countless industry tools (Octopus included), though, there are a few other ways to help protect your projects. In this post, we look at some of the methods and tools to keep your Jenkins instance safe, and secure, and protect those using it. Keep Everything Updated , software vulnerabilities come to light at any time. Software providers not only update their applications to fix bugs or add new features but also remove security exploits. As December 2021 reminded us to keep you informed about vulnerabilities in their platform. It's still a good idea, however, to keep your instance updated, including its plugins. Jenkins have a security advisories page To check for updates in Jenkins: Click from the menu. Manage Jenkins The screen will tell you at the top if there's a new version available. Click the button to upgrade straight away. Otherwise, you can download the latest version and upgrade at a scheduled time. Manage Jenkins Or Upgrade Automatically You can also roll back an upgrade from the same screen - just click the button. Downgrade To update Jenkins plugins: Click from the menu. Manage Jenkins Click . Manage Plugins Make sure you're on the tab, tick the updates you want to install and click . Updates Download now and install after restart Restart Jenkins to complete updates. You can install Jenkins on most major operating systems and containers, so keep those updated too. Seek out your operating system's documentation for more information on how. Only Change Jenkins' security Defaults if you're sure Jenkins enables most of its security features on install to make things as secure as possible. Given the many ways you can use Jenkins, though, there's no 'one size fits all’ approach for how best to configure or lock down your instance. So while we can't offer advice on what's best for your team (with an exception we'll explore next), Jenkins provides detailed documentation on the important features you should look at. See the for help with security related to: Securing Jenkins page Basic setup Build behavior User interface You should only make changes with careful consideration and, if possible, a chat with your cyber security specialist. You can make these changes on the page – find it by selecting from the left menu. Configure Global Security Manage Jenkins Avoid Building on your Controller Jenkins offers a built-in node so you can run tests as soon as possible to see if it's the solution for you. Builds that run on a single instance, however, have access to your operating system's file system. For this reason, Jenkins recommends you have jobs run on 'agents' instead (this happens in a scalable setup, which we talked about in our last post, ). Using dynamic build agents to automate scaling in Jenkins Agents are virtual Jenkins instances that run jobs instead of your controller. When using agents, you can prevent your controller from running builds to limit access to files that can do harm. To stop your controller from running builds: Click from the menu. Manage Jenkins Click . Manage Nodes and Clouds Click the cog to the right of the . Built-In Node You have 2 options to prevent builds on the controller. Choose one and click : Save Change the to if you never want to build on the controller. Number of executors 0 Select from the dropdown if you want to build on the controller when needed. Only build jobs with label expressions matching this node Usage Only Give your Team Access to What they Need Security is more than just protecting yourself from incoming threats. It's also about protecting your environment from within because accidents can happen. And they're more likely to happen if: You're running a Jenkins instance with a single admin account Everyone has access to everything People can change things they shouldn't change Here are a few suggestions for managing your user access. Give each Jenkins user an account To help track what your users are doing, create individual user accounts for anyone using your Jenkins instance. This way you can see all activity and who's done what. To create extra users: Click from the menu. Manage Jenkins Scroll down and select . Manage Users Click from the left. Create User Complete all fields and click . Create User Use the Matrix Authorization Strategy plugin We recommend using the to manage user access to Jenkins on a more granular level. For example, with this plugin you could: Matrix Authorization Strategy plugin Restrict users' access so they can only see and manage builds for the projects they're part of Give read-only access to project managers so they can see how builds are progressing To install the plugin: Click from the left menu. Manage Jenkins Click . Manage Plugins Click the tab and start typing . The plugin will appear in the predicted results. Available Matrix Authorization Tick the box to the left of the plugin and click . Install without restarting To set permissions with the plugin: Click from the menu. Manage Jenkins Click . Configure Global Security Click the radio button for either: – allows you to manage global user and group permissions. Matrix-based security – allows you to manage user and group permissions at a project level. Project-based Matrix Authorization Strategy Regardless of your choice, use the buttons to add users or groups, and select their level of access using the checkboxes in the table. Click when you're done. Save Other user-access plugins you should consider If you already use other systems for access management, you might be able to authenticate your Jenkins users with those. For example, there are plugins for both and , which can save you from managing access in more than one spot. Microsoft's Active Directory OpenID We also recommend looking at both the and plugins. Folders Folder-based Authorization Strategy The Folders plugin allows you to group jobs as you want in nestable folders. This plugin lets you group jobs that share security needs, which helps you keep a closer eye on them. The Folder-based Authorization Strategy plugin extends security for folders, by letting you set folder access using roles. Securely Store your Credentials The is the best option for encrypting and securely storing credentials that connect Jenkins with other services. Jenkins recommends it too – as one of their suggested plugins when installing Jenkins for the first time. Plus, plenty of other plugins use it as a dependency. Credentials Binding plugin This plugin lets you store and reuse all types of authentication methods, such as: Usernames and passwords SSH usernames and private keys Secret files Secret text Certificates We'll cover the Credentials Binding plugin in detail in a future post. Conclusion As you can see, there are plenty of ways to ensure the safe use of Jenkins to protect projects from risks outside and within. Check for even more information on keeping your instances secure. Jenkins' documentation Check out our other posts about configuring Jenkins: Using dynamic build agents to automate scaling in Jenkins Managing credentials in Jenkins to create a Pipeline file in Groovy syntax. It's everything you need to get your Pipeline project started. Try our free Jenkins Pipeline Generator tool Happy deployments! Also Published here

Microsoft

Too Long; Didn't Read

ML Practitioners - Ready to Level Up your Skills?

Tips to Secure Your Jenkins Pipeline

Too Long; Didn't Read

Company Mentioned

@andycorrigan

RELATED STORIES