How Jenkins Executes Jobs

A simple overview of how Jenkins executes a Freestyle or Pipeline job helps to understand the security considerations. The execution sequence is similar for Freestyle and Pipeline jobs, with the following differences:

  • Pipelines are controlled by a Jenkinsfile that is written in a scripting language whereas Freestyle jobs are controlled from a configuration defined in the UI. The scripting language supports features such as loops and allows more flexibility about when and where a build script executes; these features also provide additional opportunities to do mischief.

  • The Jenkinsfile is stored under SCM, which can initiate its execution, so securing the SCM is also an important part of protecting the integrity of your Jenkins installation.

By default, a job executes with the full privileges of the Jenkins administrator, although you can configure Jenkins to execute jobs with fewer privileges.

All of the job’s logic as well as a Pipeline’s Groovy conditionals, loops, and so forth execute on the controller.

When the job runs:

  • Jenkins creates a workspace on the controller for each build that runs. Files for that build are stored in the workspace.

  • The job calls a series of steps, each of which is a script or command that does the real work and mostly executes using an executor on an agent.

The agent:

  • Writes some files to the local node.

  • Sends data back to the controller.

  • May also request information from the controller.
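The split described above can be seen in a declarative Jenkinsfile. This is an added example, not code from the Jenkins documentation; the agent label `linux`, the Makefile targets and the artifact path are assumptions, and the comments mark where each part runs.

```groovy
// Added example (not from the Jenkins docs). Label, targets and paths are assumed.
pipeline {
    // No executor is held on the controller for the whole run; each stage
    // declares the agent it needs. Everything outside a step (the `when`
    // expressions and `script` blocks below) is Groovy evaluated on the controller.
    agent none

    options {
        // The controller owns the build record, so it also enforces this timeout.
        timeout(time: 30, unit: 'MINUTES')
    }

    stages {
        stage('Build') {
            agent { label 'linux' }   // runs on an executor of an agent node (label assumed)
            steps {
                // Pulls the same SCM the Jenkinsfile came from: from here on the
                // repository contents (Makefile, tests) decide what the build does.
                checkout scm
                // Executes on the agent with the agent process's OS privileges;
                // the Makefile author controls what this command really does.
                sh 'make all'
                // Agent -> controller: files copied into the build record on the controller.
                archiveArtifacts artifacts: 'build/*.tar.gz', fingerprint: true
                stash name: 'bin', includes: 'build/**'
            }
        }
        stage('Decide') {
            // No agent declared: this stage runs purely on the controller.
            steps {
                script {
                    // BRANCH_NAME comes from the SCM, so whoever can push branches
                    // influences a decision that is made on the controller.
                    env.DEPLOY = (env.BRANCH_NAME == 'main') ? 'yes' : 'no'
                }
            }
        }
        stage('Test') {
            agent { label 'linux' }
            when { environment name: 'DEPLOY', value: 'yes' }  // evaluated on the controller
            steps {
                unstash 'bin'     // controller -> agent: the agent asks the controller for the stash
                sh 'make test'    // test-suite authors control what runs on the agent here
            }
        }
    }
}
```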

Many different people have some control over the commands that are executed during a build:

  • Jenkins users with Job/Configure permission

  • Authors of build scripts such as pom.xml and Makefile

  • Authors of code, such as test suites that are executed during a build

Any of these could introduce security issues, either deliberately or accidentally. In addition, supply chain attacks can occur on build dependencies, whereby attackers take over control of NPM or Maven packages and insert malicious code.

You can see the complexity of keeping your Jenkins instance secure. In the following sections we discuss specific protections that Jenkins provides and practices that you can implement to protect Jenkins from intrusions.
