Security Concepts

Security concepts should guide the practices and tools used to fight and prevent threats. The major principles for security are:

  • Least privilege: Give people only the privileges required to do their jobs; do not give everyone permission to do everything, and do not open ports that are not required for your work.

  • Know the system: The more you understand about how your system works, the more you are prepared to protect the integrity of your system. See How Jenkins Executes Jobs for a summary of the Jenkins execution sequence.

  • Defense in depth: Systems are layered. Put security on all layers.

  • Prevention is good, but detection is better: Monitor your Jenkins installation constantly so that you quickly detect signs of a security breach.

Good practices that help keep your instance secure include:

  • Keep your system current: Pay attention to Jenkins Security Advisories and apply Security Updates as soon as possible. Keeping the Jenkins software and all plugins current also helps ensure that your system is secure. Also be sure to keep all other software up to date, including the underlying operating system software, build tools, and test tools that you use.

  • Revisit your security configuration periodically: Most Jenkins environments grow over time, requiring their trust models to evolve as the environment grows. Schedule regular "check-ups" of your security settings to ensure that they are still appropriate for your instance. In particular, if you had to disable some of the default protections that Jenkins provides, perhaps because you were using a plugin that had not been updated to support that protection, you may be able to re-enable that protection to increase the security of your instance.
