Introduction
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirements for KubernetesKubernetes Gateway API for CloudBees CI on modern cloud platformsKubernetes Gateway API supported implementationsGateway API features required by CloudBees CIVerify Kubernetes Gateway API prerequisitesDeploy a Kubernetes Gateway API namespace topologyInstall CloudBees CI with Kubernetes Gateway APIMigrate from Ingress to Gateway APIClean up Helm values for Gateway API migrationVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionSystem requirementsVerify Docker imagesInstall operations centerInstall client controllersVerify build componentsVerify WAR files
IntroductionHA fundamentalsGet ready for HAInstall HA on modern cloud platformsInstall HA on traditional platformsHA considerationsHigh Availability (active/passive) installation for CloudBees CI on traditional platforms
IntroductionWhat is FIPS and FIPS 140 compliance?Install CloudBees CI on modern cloud platforms in FIPS modeCAP plugin support in a FIPS 140-3 environmentConfigure the Pipeline Maven API plugin for FIPS complianceKnown FIPS incompatibilities with CloudBees CI on modern cloud platformsJenkins core: FIPS 140-3 compliant artifacts with caveatsJenkins core: Non-compliant classes and libraries
Introduction
IntroductionCommon Pipeline termsPipeline project typesCloudBees proprietary features for Pipelines
IntroductionPipeline development utilitiesDetermine plugin compatibilityPipeline best practices
IntroductionUse Declarative Pipeline syntaxUse Scripted Pipeline syntax
IntroductionPipeline prerequisitesCreate your first PipelineSelect an agent for your Pipeline jobCreate a Pipeline from SCMCreate a Pipeline in the UIUnderstand and implement Pipeline as Code
IntroductionConfigure advanced Scripted PipelineConfigure the build stageConfigure the deploy stageConfigure optional step argumentsConfigure the test stageCreate a JenkinsfileCustomize parametersHandle failuresString interpolationUse multiple agentsWork with the environmentReuse configuration files
IntroductionManage artifacts with CloudBees Fast Archiving pluginEnable artifact traceability with fingerprintingTrigger jobs with a simple webhookRestore filesVisualize the PipelineInsert checkpointsSecure PipelinesConfigure Pipelines with user-scoped credentialsEnforce standards with Pipeline PoliciesSpecify a matrix of one or more dimensionsConvert a Freestyle project to a Declarative PipelinePipeline builds and High Availability (active/active)
IntroductionRestart aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Workspace Caching
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSet up a Pipeline Template CatalogDefine Pipeline Template CatalogsSet up a Pipeline TemplateParameter types in the template.yaml fileManage Multibranch Pipeline options in the template.yaml fileManage Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionBranch SourceBitbucketGitHubGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityCloudBees Docker Hub/Registry Notification plugin
Introduction
Introduction
Introduction
IntroductionGet startedNavigate the operations center interfaceProvision agents in a separate Kubernetes cluster from a managed controllerProvision a controller in a different OpenShift project than the operations centerManage controllersManage controllers in specific Kubernetes namespacesMigrate an existing managed controller to High Availability (HA)Manage agentsManage SSH credentialsShared agentsShared configurationsShared cloud configurationTrigger restrictionsChange NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUse Kaniko with CloudBees CIUse Buildkit with CloudBees CIUsing self-signed certificates in CloudBees CI on KubernetesSidecar injector for self-signed certificates on OpenShiftAuto-scale nodes on EKSEnable auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineCloudBees Amazon AWS CLI pluginCloud Foundry CLI PluginIntegrate OpenShift CLICloudBees CI ServiceNow integrationCreate projects based on a GitHub repository structureUse GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText pluginController Lifecycle Notifications plugin
IntroductionGet startedNavigate the operations center interfaceManage client controllersMigrate from High Availability (active/passive) to High Availability (active/active) on CloudBees CI on traditional platformsManaging agentsManage SSH credentialsShared agentsShared configurationsShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsInbound agentsCloudBees CI ServiceNow integrationCreate projects based on a GitHub repository structureUse GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText plugin
Introduction
Trust modelCentrally manage securityPod Security Admission
Use single sign-on (SSO) in the operations centerConfigure SAMLIntegrate Microsoft Entra IDSet up SSO Relay for CloudBees CI single sign-on
Role-based access control (RBAC)Example RBAC configurationsRBAC auto-configurer pluginRestrict job triggersAccess controls on the operations centerAccess controls on controllersOperations center specific permissionsAuthentication mappingDelegate administrationFoldersFolders Plus
Authenticate automated processes with CloudBees CI service accountsService account scope and visibilityGet started with CloudBees CI service accountsService accounts CLIService account API endpointsCreate and use service accounts with Configuration as CodeService account security considerations
Restricted credentialsInjecting secretsMask ephemeral secrets in Pipeline build logsEnhanced credentials maskingExternal secrets managementCyberArk credential providerManage secrets with HashiCorp VaultShared credentials administrative monitor
Cross-controller triggersTest the SSH connection to an agentManage build agents with Nodes PlusExtended security settings
Beekeeper security warningsCloudBees administrative monitorsSecurity recommendationsData collection
Replace an expired certificateList of URLs that need accessBlock access to URL patternsServe resources from JenkinsVerify Helm charts with a signature
Introduction
Introduction$JENKINS_HOME directoryBest practices for backup and restoreBack up $JENKINS_HOME manuallyBackup a Role-Based Access Control configurationRestore backup files manuallyRestore credentialsConfigure backups using the CloudBees Backup pluginSchedule backups in the CloudBees Backup pluginRestore backups created with the CloudBees Backup pluginBackup and restore on KubernetesBackup and restore on AWSBackup and restore Kubernetes cluster resources using VeleroRun backups using cluster operations
IntroductionConfigure multiple client controllers with the Jenkins CLI toolConfigure an alias for the Jenkins CLI toolConfigure Jenkins CLI tool with non-TrustStore TLS certificates
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Count and monitor user licenses with the CloudBees User Activity Monitoring plugin
Count and monitor user licenses with the CloudBees User License Counting (ULC) system
Introduction
CasC fundamentalsCasC requirementsCasC permissionsRecommended workflow
IntroductionExport a CasC configurationTransform an exported bundleAdvanced CasC bundle configurationValidate a CasC bundle
CloudBees CI CasC for operations centersGet started with Configuration as Code for the operations centerConfigure the operations center on modern platforms using CasCConfigure the operations center on traditional platforms using CasCRetrieve bundles using an SCMTroubleshoot CasC
CloudBees CI CasC for controllersGet started with Configuration as Code for controllersDistribute CasC bundles to controllers from your operations centerAdd controller CasC bundles to the operations centerConfigure bundle availability for controllersSet up a client controller using CasCSet up a managed controller using CasCSet up a managed controller using the CasC Controller Bundle ServiceAdvanced topicsTroubleshoot CasC for controllers
IntroductionUpdate a CasC bundleBundle update timingReview the CasC update log
IntroductionPlugin management with CasCDetermine plugin compatibility using CasCCreate an alternate plugin download site
Create items using CasC
Configure RBAC with CasC
CasC CLI commands
CasC HTTP API
Introductionbundle.yaml file referencejenkins.yaml file referenceplugins.yaml file referenceplugin-catalog.yaml file referenceitems.yaml file referencerbac.yaml file referencevariables.yaml file reference
Introduction
HA on EKS Performance Test
Support policies

Mask ephemeral secrets in Pipeline build logs

5 minute readSecurity
CloudBees Beta

This feature is available as a beta release and is subject to change without notice. CloudBees recommends stringent testing in a development environment and a complete review of the documentation and architecture before using it in production.

Protect ephemeral credentials from accidental exposure by automatically masking them as they appear in Pipeline build logs and step arguments. Unlike stored credentials, ephemeral credentials are generated at runtime and are never stored in the Jenkins credentials store.

Mask credentials without Pipeline changes

Once masking patterns are configured, they apply globally to all Pipeline builds on the controller. Pipeline authors do not need to modify their Pipelines to benefit from this protection.

Configure patterns for your environment

Choose from stock patterns for common ephemeral credential formats or define custom regular expression patterns to match token formats specific to your environment.

Enforce secrets hygiene

Optionally configure patterns to fail the build if a secret is detected in the build log, signaling to Pipeline authors to fix their Pipelines rather than relying on masking as a permanent solution.

CloudBees CI version 2.528.1.29783 or later is required.

Masking behavior

Patterns define the credential formats to detect and mask. You can configure any pattern to fail the build if matched, to discourage Pipeline authors from accidentally printing secrets to logs. CloudBees CI always logs a warning to the controller system log when masking occurs.

Stock patterns

Stock patterns are predefined patterns for ephemeral credential formats, such as AWS Security Token Service (STS) access key IDs, AWS secret access keys, AWS session tokens, and JWTs. For the full list of available patterns and their descriptions, refer to Manage Jenkins  Security in the CloudBees CI UI.

  • The AWS STS access key ID pattern does not match long-term access key IDs stored in the Jenkins credentials store.

  • The AWS secret access key pattern can produce false positives (for example, from strings containing both mixed case and digits).

Custom patterns

Custom patterns allow you to define your own regular expression patterns for token formats specific to your environment. Each custom pattern requires a name to identify it in system log warnings and failure messages.

Replacement text

The replacement text is a string used to replace matched secrets in Pipeline build logs and step arguments. The default value uses a pattern that is visually distinctive in log output. You can specify any static text, or include the NAME placeholder to substitute the pattern name at runtime. For stock patterns, this is the predefined pattern name. For custom patterns, this is the name you specify when configuring the pattern. The replacement text applies to all patterns, both stock and custom.

Step argument masking

Masking also applies to step arguments (the parameters passed to Pipeline steps), which are visible in Pipeline visualization tools, such as CloudBees Pipeline Explorer. When double quotes are used for the script argument of sh, bat, powershell, and pwsh steps, the secret value is embedded directly in the step argument; the plugin detects and masks these, but matched step arguments are not displayed in the Pipeline Steps view.

The script argument is the default argument for sh, bat, powershell, and pwsh steps. For example, sh 'make world' is equivalent to sh script: 'make world'.

As a best practice, use single quotes for the script argument so step arguments are not exposed in Pipeline visualization tools.

Configure masking patterns

Choose one of the following configuration methods:

Configure masking patterns in the UI

  1. Install the CloudBees Mask Secrets plugin to the controller.

  2. Navigate to Manage Jenkins  Security.

  3. Scroll down to Automatic pattern masking.

  4. To specify a stock pattern:

    1. Select + Add.

    2. Select the appropriate pattern.

    3. (Optional) To fail the build if the pattern is matched, select Fail build on match.

  5. To add a custom pattern:

    1. Select + Add custom pattern.

    2. Enter a Regular expression for the pattern to match.

      Use Java regular expression syntax.

    3. Specify a Name for the pattern, which is used in system log warnings and failure messages.

    4. (Optional) To fail the build if the pattern is matched, select Fail build on match.

  6. If needed, update the default Replacement text for matched secrets.

  7. Select Save.

Configure masking patterns using Configuration as Code

You can use Configuration as Code (CasC) to define stock and custom masking patterns.

CloudBees recommends using CasC Plugin Management 2.0 to automatically manage plugin dependencies. CasC Plugin Management 2.0 requires apiVersion:2 in the bundle.yaml file.

To configure masking patterns using CasC:

  1. Add the CloudBees Mask Secrets plugin to the controller plugins.yaml file:

    plugins:
- id: cloudbees-mask-secrets

  2. Update the controller jenkins.yaml file to configure masking patterns:

    security:
  cloudbeesMaskSecrets:
    stockPatterns:
    - awsStsAccessKeyId
    - awsSecretAccessKey
    - awsSessionToken:
        failBuild: true(1)
    - jwt
    customPatterns:
    - name: internal-api-key(2)
      regexp: key_[A-Za-z0-9]+(3)
      failBuild: true(1)
    replacementText: '****NAME****'(4)
    1 Optional. Set to true to fail the build if this pattern is matched, to discourage Pipeline authors from accidentally printing secrets to logs; applies to stock and custom patterns.
    2 A name for the pattern, which is used in system log warnings and failure messages.
    3 A Java regular expression for the pattern to match.
    4 The replacement text for matched secrets. Include NAME to substitute the pattern name at runtime.

  3. Apply the bundle to your controller. For more information, refer to Update a CasC bundle.

Security considerations

Masking ephemeral secrets in build logs is a secondary, best-effort defense against accidental disclosure. Malicious Pipeline authors can bypass masking trivially, or steal secrets without involving the build log at all. Pipeline authors should avoid printing secrets to logs in the first place.

Encoding and escaping limitations

Patterns match against log text as it appears; if any process transforms a secret before it appears in the log, the match fails.

Shell metacharacter escaping

When a shell prints a variable, it may escape characters such as "'[{(*&$` that are present in the secret value. For hexadecimal and Base64 patterns, this is unlikely to be an issue, since these formats do not contain shell metacharacters.

Secret encoding

CloudBees CI does not mask secrets embedded in Base64-encoded output. For example, credentials returned by aws sts assume-role are masked when they appear as-is in a kubectl create secret command. However, retrieving those credentials later with kubectl get secret -o yaml returns them Base64-encoded, and the encoded form is not matched.

Agent temp file exposure

For any form of masking in CloudBees CI, including injecting secrets into builds, log text from sh, bat, powershell, and pwsh Pipeline steps is streamed to a temporary file on the agent before being forwarded to the controller or external log storage. Masking occurs during this forwarding process, so secrets exist in plaintext in the temporary file on the agent.

On High Availability (HA) controllers, masking occurs on the agent rather than the controller. A message is sent to the controller to support failing build behavior and system log warnings.

On permanent agents or cloud agents with multiple executors, all builds run under the same OS account. Builds belonging to other jobs can therefore read files from concurrently running builds, inspect process arguments, and in some environments read process memory. Even if the agent only has a single executor, a malicious build can set up a long-running process to steal secrets from future builds running on the same agent.

Do not reuse agents across teams that must be security-isolated from one another. This applies to any situation in which an agent has access to privileged information, including regular usage of Jenkins credentials.
Injecting secrets
Enhanced credentials masking