For such an open, customizable platform, Jenkins provides decent security even in its default state. Given it connects to countless industry tools (Octopus included), though, there are a few other ways to help protect your projects.
In this post, we look at some of the methods and tools that keep your Jenkins instance safe and secure, and protect the people who use it.
As December 2021 reminded us, software vulnerabilities can come to light at any time. Software providers update their applications not only to fix bugs or add new features but also to close security holes.
Jenkins has a security advisories page to keep you informed about vulnerabilities in the platform. It's still a good idea, however, to keep your instance updated, including its plugins.
To check for updates in Jenkins:
Click Manage Jenkins from the menu.
The Manage Jenkins screen will tell you at the top if there's a new version available. Click the Or Upgrade Automatically button to upgrade straight away. Otherwise, you can download the latest version and upgrade at a scheduled time.
You can also roll back an upgrade from the same screen - just click the Downgrade button.
To update Jenkins plugins:
Click Manage Jenkins from the menu.
Click Manage Plugins.
Make sure you're on the Updates tab, tick the updates you want to install and click Download now and install after restart.
Restart Jenkins to complete updates.
You can install Jenkins on most major operating systems and containers, so keep those updated too. Seek out your operating system's documentation for more information on how.
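The update checks above are done by hand in the UI. As an added example that is not from the original post, the following Groovy script does the same check from Manage Jenkins > Script Console, so it can be run (or scheduled) without clicking through the Updates tab. It only reads the update-site data Jenkins has already cached and prints the running core version, the newest core version each update site advertises, and every installed plugin that is behind its update-site version; it changes nothing.

```groovy
// Added example (not from the original post): read-only check for pending
// Jenkins core and plugin updates, meant for Manage Jenkins > Script Console.
import jenkins.model.Jenkins

def jenkins = Jenkins.get()
println "Running Jenkins core ${Jenkins.VERSION}"

// Each update site caches update-center.json; 'data' is null until the site
// has been contacted at least once (Manage Plugins > Check now).
jenkins.updateCenter.sites.each { site ->
    def data = site.data
    if (data?.core) {
        println "Update site '${site.id}' advertises core ${data.core.version}"
    } else {
        println "Update site '${site.id}' has no cached data yet; run 'Check now' first"
    }
}

// Plugins whose installed version is older than the update site's version.
def allPlugins = jenkins.pluginManager.plugins
def stale = allPlugins.findAll { it.hasUpdate() }
if (stale.isEmpty()) {
    println "All ${allPlugins.size()} installed plugins are current"
} else {
    println "${stale.size()} plugin(s) have updates available:"
    stale.sort { it.shortName }.each { p ->
        println "  ${p.shortName}: ${p.version} -> ${p.updateInfo?.version}"
    }
}
```

A plugin listed here is not necessarily vulnerable, but the security advisories page lists fixes by plugin version, so the `installed -> available` pairs this prints are what you compare against it.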
Jenkins enables most of its security features on install to make things as secure as possible. Given the many ways you can use Jenkins, though, there's no 'one size fits all' approach for how best to configure or lock down your instance.
So while we can't offer advice on what's best for your team (with an exception we'll explore next), Jenkins provides detailed documentation on the important features you should look at. See the Securing Jenkins page for help with security related to:
Basic setup
Build behavior
User interface
You should only make changes with careful consideration and, if possible, a chat with your cyber security specialist. You can make these changes on the Configure Global Security page – find it by selecting Manage Jenkins from the left menu.
Jenkins offers a built-in node so you can run tests as soon as possible to see if it's the solution for you. Builds that run on the controller itself, however, have access to the controller's operating system and file system. For this reason, Jenkins recommends you have jobs run on 'agents' instead (this is how a scalable setup works, which we talked about in our last post, Using dynamic build agents to automate scaling in Jenkins).
Agents are separate Jenkins processes that run jobs on behalf of your controller. When using agents, you can prevent your controller from running builds at all, so a job can't touch files on the controller where it could do harm.
To stop your controller from running builds:
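One way to enforce this on every startup, as an added example that is not from the original post: a Groovy init script that sets the built-in node's executor count to 0, which is the setting Jenkins itself exposes under the Built-In Node's configuration. The `init.groovy.d` location and the filename are assumptions about your installation.

```groovy
// Added example (not from the original post): save as
// $JENKINS_HOME/init.groovy.d/10-no-builds-on-controller.groovy (path and name
// assumed). Scripts in that directory run at every startup, so the setting
// survives someone changing it back through the UI.
import jenkins.model.Jenkins

def jenkins = Jenkins.get()

// With 0 executors the built-in node never picks up a job; anything that is
// not assigned to an agent label just waits in the queue instead of running
// with the controller's file system and credentials in reach.
if (jenkins.numExecutors != 0) {
    jenkins.numExecutors = 0
    jenkins.save()
    println "Built-in node executors set to 0; builds now require an agent"
} else {
    println "Built-in node already has 0 executors"
}
```

After this runs, any job whose label expression only matches the built-in node sits in the queue forever, which is a quick way to find jobs that were silently relying on the controller.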
Security is more than just protecting yourself from incoming threats. It's also about protecting your environment from within because accidents can happen. And they're more likely to happen if:
Here are a few suggestions for managing your user access.
To help track what your users are doing, create individual user accounts for anyone using your Jenkins instance. This way you can see all activity and who's done what.
To create extra users:
We recommend using the Matrix Authorization Strategy plugin to manage user access to Jenkins on a more granular level. For example, with this plugin you could:
To install the plugin:
Matrix Authorization. The plugin will appear in the predicted results.
To set permissions with the plugin:
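The two procedures above, creating individual accounts and granting matrix permissions, can also be scripted so the result is reviewable and repeatable. The following init script is an added example, not from the original post or the plugin's documentation: it uses Jenkins' own user database with sign-up disabled, creates one account per person, and applies a least-privilege matrix. It assumes the matrix-auth 3.x API (`PermissionEntry`); the account names and the `ADMIN_PASSWORD` / `DEV_PASSWORD` environment variables are placeholders.

```groovy
// Added example (not from the original post): $JENKINS_HOME/init.groovy.d/20-users-and-matrix.groovy
// (path and name assumed). Creates named users and a global permission matrix.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.model.User
import hudson.model.View
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.GlobalMatrixAuthorizationStrategy
import org.jenkinsci.plugins.matrixauth.PermissionEntry   // matrix-auth 3.x (assumed)

def jenkins = Jenkins.get()

// Jenkins' built-in user database with self sign-up and captcha off: only an
// administrator creates accounts, so every login maps to a known person.
def realm = jenkins.securityRealm instanceof HudsonPrivateSecurityRealm ?
        jenkins.securityRealm : new HudsonPrivateSecurityRealm(false, false, null)
jenkins.securityRealm = realm

// Placeholder accounts; initial passwords come from the environment, never the script.
def accounts = [
    'alice.admin': System.getenv('ADMIN_PASSWORD'),
    'bob.dev'    : System.getenv('DEV_PASSWORD'),
]
accounts.each { id, password ->
    if (User.getById(id, false) != null) {
        println "User ${id} already exists, leaving it alone"
    } else if (!password) {
        println "No initial password in the environment for ${id}, skipping"
    } else {
        realm.createAccount(id, password)
        println "Created user ${id}"
    }
}

// Least privilege: logged-in users see the dashboard, developers read and
// trigger jobs, and a single named admin holds Overall/Administer.
def strategy = new GlobalMatrixAuthorizationStrategy()
strategy.add(Jenkins.READ,       PermissionEntry.group('authenticated'))
strategy.add(View.READ,          PermissionEntry.group('authenticated'))
strategy.add(Item.READ,          PermissionEntry.user('bob.dev'))
strategy.add(Item.BUILD,         PermissionEntry.user('bob.dev'))
strategy.add(Jenkins.ADMINISTER, PermissionEntry.user('alice.admin'))

jenkins.authorizationStrategy = strategy
jenkins.save()
println "Matrix authorization applied"
```

Note what is deliberately absent: no Item/Configure, Item/Workspace or Overall/Administer for the developer account, and nothing for the anonymous user. Anyone needing more than read-and-build gets it added explicitly, which keeps the matrix small enough to review.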
If you already use other systems for access management, you might be able to authenticate your Jenkins users with those. For example, there are plugins for both Microsoft's Active Directory and OpenID, which can save you from managing access in more than one spot.
We also recommend looking at both the Folders and Folder-based Authorization Strategy plugins.
The Folders plugin lets you group jobs in nestable folders, so jobs that share the same security needs sit together, which makes them easier to keep an eye on.
The Folder-based Authorization Strategy plugin extends this to access control by letting you set folder access using roles.
The Credentials Binding plugin is the best option for encrypting and securely storing credentials that connect Jenkins with other services. Jenkins recommends it too – as one of their suggested plugins when installing Jenkins for the first time. Plus, plenty of other plugins use it as a dependency.
This plugin lets you store and reuse all types of authentication methods, such as:
We'll cover the Credentials Binding plugin in detail in a future post.
As you can see, there are plenty of ways to ensure the safe use of Jenkins to protect projects from risks outside and within. Check Jenkins' documentation for even more information on keeping your instances secure.
Check out our other posts about configuring Jenkins:
Try our free Jenkins Pipeline Generator tool to create a Pipeline file in Groovy syntax. It's everything you need to get your Pipeline project started.
Happy deployments!