Draft for review: Security notes for Pipeline authors

content/doc/book/security/_chapter.yml

@@ -18,3 +18,6 @@ sections:
 
 # Further references
 - services
+
+# New files
+- pipeline-authors

content/doc/book/security/pipeline-authors.adoc

@@ -0,0 +1,34 @@
+---
+title: Security Practices for Pipeline Authors
+layout: section
+---
+ifdef::backend-html5[]
+:toc:
+ifdef::env-github[:imagesdir: ../resources]
+ifndef::env-github[:imagesdir: ../../resources]
+:hide-uri-scheme:
+endif::[]
+
+The job of securing the Jenkins instance falls mostly on administrators, but Pipeline authors must also adhere to good security practices.
+We summarize these here.
+
+== Use Credentials to Access Resources
+
+If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use credentials for authorization rather than hard coding the username/password, secret text, or other identifiers in your Pipeline.
+See link:/doc/book/using/using-credentials/[Using Credentials] for more information.
+
+== Handle String Interpolation Properly
+
+Understand Groovy
+link:/doc/book/pipeline/jenkinsfile/#string-interpolation[string interpolation]
+and be very careful when passing sensitive data such as environment variables.
+Never enclose sensitive environment variables in double quotes!
+Data inside double quotes is subject to Groovy string interpolation, which means that Groovy evaluates the string and passes the actual value through where it may be visible as an argument to the `sh` or `bat` step or some other facility.
+Data that is enclosed in single quotes is passed to the interpreter (`sh`, `bat`, `powershell`, or `pwsh` for evaluation and so is secure.
+
+See
+link:/doc/book/pipeline/jenkinsfile/#interpolation-of-sensitive-environment-variables[Interpolation of sensitive environment variables]
+and
+link:/doc/book/pipeline/jenkinsfile/#injection-via-interpolation[Injection via interpolation]
+for more details.
+