A.G.

Reputation: 2149

How to tell Jenkins build Console Logs to obfuscate passwords, preferably without a plugIn?

We need for Jenkins to stop displaying passwords in the Console Build Logs.

We are not using the Jenkins Vault to store passwords, and neither are we using environment variables. Instead we get credentials from our own central location and use them to build 'bat' commands to run in our build pipelines.

The problem is that Jenkins posts all the passwords naked in the build logs.

Is there a way to intervene in the Jenkins Console Logging process, grab the text about to be logged and replace strings with "XXXXX", on the fly?

Barring that, is there a plugin to do this easily?

I have seen some plugins that mask the password, but they require the passwords be stored in Jenkins build environment parameters, which we do not use.

Upvotes: 0

Views: 1480

Answers (2)

Wlad Neto

Reputation: 381

1 - Install plugin: mask-passwords

2 - In your Jenkinsfile follow this example:

// Example code:

node {
  withSecretEnv([[var: 'VAULT_TOKEN', password: 'toosekret']]) {
    sh '''#!/bin/bash -eu
    echo "with env use:      ${VAULT_TOKEN}"
    sleep 1
    echo "without env use:   toosekret"
    sleep 1
    echo "just the var name: VAULT_TOKEN"
    '''
    sleep 1
    echo "Outside SH: VAULT_TOKEN=${VAULT_TOKEN}"
  }
}

// Don't forget this def
def withSecretEnv(List<Map> varAndPasswordList, Closure closure) {
  wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: varAndPasswordList]) {
    withEnv(varAndPasswordList.collect { "${it.var}=${it.password}" }) {
      closure()
    }
  }
}

3 - The result will be:

// Example output:
'''
[Pipeline] node
Running on magic-agent in /a/workspace/with-secret-env
[Pipeline] {
[Pipeline] wrap
[Pipeline] {
[Pipeline] withEnv
[Pipeline] {
[Pipeline] sh
[with-secret-env] Running shell script
with env use:      ********
without env use:   ********
just the var name: VAULT_TOKEN
[Pipeline] sleep
Sleeping for 1 sec
[Pipeline] echo
Outside SH: VAULT_TOKEN=********
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // wrap
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
'''

Upvotes: 2

A.G.

Reputation: 2149

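Answering my own question: Found a plugin, MaskPasswordsBuildWrapper. Just install it, then:

def pass = 'Abc123'
// The opening brace must stay on the same line as wrap(...); on a new line Groovy
// parses the closure as a separate statement and nothing gets wrapped.
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: pass, var: 'SECRET']]]) {
  print 'Here it is: ' + pass
}

Prints: ************, instead of the password in the log.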

Upvotes: 0
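The question's own case (credentials fetched from an external store and used in 'bat' steps) combined with the wrapper from the answers, as an added example that is not part of the original posts. `fetchCredential()`, `withMaskedSecrets()`, the `windows` agent label, `deploy.exe` and the secret values are hypothetical placeholders.

```groovy
// Hypothetical stand-in for the asker's central credential store.
// Assumption: replace the body with the real lookup; values here are constructed.
def fetchCredential(String name) {
  return [DB_PASSWORD: 'constructed-db-pass', API_KEY: 'constructed-api-key'][name]
}

// Register every fetched value with MaskPasswordsBuildWrapper, then expose it
// to child processes as an environment variable (same idea as withSecretEnv).
def withMaskedSecrets(Map<String, String> secrets, Closure body) {
  def pairs = secrets.collect { [var: it.key, password: it.value] }
  wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: pairs]) {
    withEnv(secrets.collect { "${it.key}=${it.value}" }) {
      body()
    }
  }
}

node('windows') {  // assumed label for a Windows agent
  def secrets = [
    DB_PASSWORD: fetchCredential('DB_PASSWORD'),
    API_KEY    : fetchCredential('API_KEY'),
  ]
  withMaskedSecrets(secrets) {
    // Single-quoted Groovy string: the secret is not interpolated into the
    // script text; cmd.exe expands %DB_PASSWORD% from the environment at run time.
    // "@echo off" stops cmd.exe from echoing the expanded command line, and the
    // wrapper masks the value if a tool prints it anyway.
    bat '''
      @echo off
      deploy.exe --user builder --password %DB_PASSWORD%
    '''
  }
}
```

The wrapper masks the literal secret value wherever it appears in the console log, so a transformed copy of it (for example a base64-encoded form) is a different string and is not masked.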
