Enhanced credentials masking

1 minute readSecurity

When using the withCredentials( …​ ) { …​ } step of a Pipeline, credential variables' values printed (by referencing or echoing these variable values) within the step’s block are typically masked with “****” values in the console output or Jenkins log. This is done to protect the secrecy of these credentials.

If, however, such variables' values were printed outside a withCredentials( …​ ) { …​ } Pipeline block, the variables' values would be exposed (unmasked) in the console output or Jenkins log. This grants users of your CloudBees CI masters who are not authorized to access such credentials (other than through the scope of a CloudBees CI Pipeline) clear visibility of these credential values.

The enhanced credentials masking feature (provided by the Enhanced Credentials Masking plugin) is used to mask credential variables and values used outside of withCredentials( …​ ) { …​ } Pipeline blocks, thereby maintaining the security and secrecy of such credentials.

To activate this feature (which is available on a CloudBees CI master only):

Be sure that the CloudBees Enhanced Credentials Masking Plugin is installed before you attempt to perform these steps.
  1. Access the Manage Jenkins area of your CloudBees CI master.

  2. On the Manage Jenkins page, click Configure Global Security near the top of the page.

  3. On the resulting Configure Global Security page, scroll down to the CloudBees Enhanced Masking Credentials Plugin section and select the Enable extended masking of credentials check box.

  4. Scroll to the end of the page and click the Save button.