jenkins-infra · StackScribe · Oct 27, 2021 · Nov 1, 2021 · Nov 1, 2021 · Jan 11, 2022
@@ -18,3 +18,6 @@ sections:
 
 # Further references
 - services
+
+# New files
+- pipeline-authors
@@ -0,0 +1,33 @@
+---
+title: Security Practices for Pipeline Authors
+layout: section
+---
+ifdef::backend-html5[]
+:toc:
+ifdef::env-github[:imagesdir: ../resources]
+ifndef::env-github[:imagesdir: ../../resources]
+:hide-uri-scheme:
+endif::[]
+
+The job of securing the Jenkins instance falls mostly on administrators but Pipeline authors must also adhere to good security practices.
+We summarize these here.
+
+== Use Credentials to Access Resources
+
+If your Pipeline needs to access external resources such as a database, artifact repository, or cloud, be sure to use credentials [add link] for authorization rather than coding the username/password, secret text, or other identifiers in your Pipeline.
+
+== Handle String Interpolation Properly
+
+Understand Groovy
+link:/doc/book/pipeline/jenkinsfile/#string-interpolation[string interpolation]
+and be very careful when passing sensitive data such as environment variables.
+Never enclose sensitive environment variables in single quotes!
+Data inside single quotes is subject to Groovy string interpolation, which means that Groovy evaluates the string and passes the actual value through where it may be visible as an argument to the `sh` or `bat` step or some other facility.
+Data that is enclosed in double quotes is passed to the interpreter (`sh`, `bat`, `powershell`, or `pwsh` for evaluation and so is secure.
+
+See
+link:/doc/book/pipeline/jenkinsfile/#interpolation-of-sensitive-environment-variables[Interpolation of sensitive environment variables]
+and
+link:/doc/book/pipeline/jenkinsfile/#injection-via-interpolation[Injection via interpolation]
+for more details.
+