Why are my credentials being exposed in Blue Ocean view?

Article ID:360058888571
2 minute readKnowledge base


You observe that after upgrading your instance to use Pipeline: Groovy version 2.85 or higher, running the pipeline code shown below causes the credentials to be shown in the pipeline view.

node("your_node") {
withCredentials([string(credentialsId: "secret", variable: "mySecret")]) {

sh "echo mock login --secret '${MYSECRET}'"
sh "echo starting"
sh "echo exiting"

wrap([$class: "MaskPasswordsBuildWrapper", varPasswordPairs: [[var: "mySecret", password: mySecret]]]) {

sh "echo mock login --secret '${MYSECRET}' # wrapped"
sh "echo starting #  wrapped with maskpassword"
sh "echo exiting # wrapped with maskpassword"



The issue is related to a change in the way that Pipeline: Groovy intercepts groovy string interpolation. This change was included in version 2.85.

In order to solve the problem, you will need to install Credentials Binding 1.24 or higher.

This version solves the issues listed below:

It’s best to use single quotes (;) to surround the commands for a sh step, instead of double quotes (") (like the example code above), so that the variable expansion happens on the build agent, instead of using groovy string interpolation.

Tested product/plugin versions