ensure all credentials are masked in output logs #212
Comments
so far I only found the snyk auth token in the console output, what other credentials did you see?
I think also the Nexus credentials can be exposed as they are not read via
@clemensutschig @michaelsauter
...that way it is not displayed in the output. It looks then like this:
btw. I found in Jenkins that if you open a build and click on the right side 'Pipeline Steps' (instead of 'Console Output') that all credentials are visible there in clear text... even the ones that are used within withCredentials.
I think the most important thing is to avoid accidental credentials leakage. Therefore I'm ok with them being visible outside the build logs. Regarding Snyk, it makes sense to do
Yes I was thinking the same regarding the next steps... but I just discovered that if you use Jenkins in the blue ocean view, it is all there in clear text :(
@renedupont wow. is that a known bug with the credentials plugin and/or blue ocean? that sounds like something the Jenkins community would try to fix, no?
I don't know yet, this needs further investigation, but it looks as if the blue ocean view is basically what you can see in the classic view if you click on 'Pipeline Steps'
another idea that @stitakis told me about is to write the command into a file and execute it from there.
and it results in the log as:
I could not see it either in the ocean blue view. We could write a groovy method in /vars folder that encapsulates this, but for me this still looks like a workaround. I am considering taking a look at https://jenkins.io/doc/pipeline/steps/mask-passwords/ soon. If this works maybe we could integrate this into the jenkins image.
@michaelsauter I think I found out why the credentials are not masked when we use withCredentials... we use triple-double-quotation marks instead of triple-single-quotation marks in the sh call.
@renedupont Why is triple-double-quotes an issue? Do you have a reference?
I tried it out because of the examples given here: https://jenkins.io/doc/pipeline/steps/credentials-binding/
partially fixed by #329
there are still cases where credentials may not be masked (e.g. through the ods-context).
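The quoting difference discussed above, as an added example (not code from this issue or from the shared library); the credential ids `snyk-token` and `nexus-creds` are placeholders:

```groovy
// Added illustration of the triple-double-quote vs triple-single-quote point.
// Credential ids are placeholders; assumes a "Secret text" credential for Snyk
// and a "Username with password" credential for Nexus.
withCredentials([
    string(credentialsId: 'snyk-token', variable: 'SNYK_TOKEN'),
    usernamePassword(credentialsId: 'nexus-creds',
                     usernameVariable: 'NEXUS_USER',
                     passwordVariable: 'NEXUS_PASS')
]) {

    // LEAKS: with """...""" Groovy interpolates ${SNYK_TOKEN} on the controller
    // before the string is handed to the sh step, so the plain-text secret becomes
    // the step's argument. Step arguments are what 'Pipeline Steps' and Blue Ocean
    // display, which is why the value shows up there unmasked. A secret containing
    // shell metacharacters is also a shell-injection vector in this form.
    sh """
        snyk auth ${SNYK_TOKEN}
    """

    // SAFE: with '''...''' Groovy leaves $SNYK_TOKEN as literal text; the shell
    // expands the environment variable only when the script runs, so the recorded
    // step argument never contains the secret value.
    sh '''
        snyk auth "$SNYK_TOKEN"
    '''

    // Same rule for username/password bindings: keep the variable expansion
    // in the shell, never in Groovy.
    sh '''
        curl -u "$NEXUS_USER:$NEXUS_PASS" -fsS -o /dev/null "$NEXUS_URL/service/rest/v1/status"
    '''
}
```

NEXUS_URL is assumed to be set in the pipeline environment; the same quoting rule applies to any value bound by withCredentials, not just these two.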