Jenkins Security
Authentication Methods
| Method | Use Case |
|---|---|
| Jenkins internal | Small teams, testing |
| LDAP/Active Directory | Enterprise environments |
| SAML/SSO | Single sign-on integration |
| GitHub/GitLab OAuth | Developer-friendly auth |
Role-Based Access Control
Install the Role-Based Authorization Strategy plugin.
Manage Jenkins → Security → Authorization → Role-Based Strategy
Define Roles
| Role | Permissions |
|---|---|
| admin | Full access |
| developer | Build, read, workspace |
| viewer | Read-only access |
| deployer | Build + deploy jobs only |
Project-Based Roles
Pattern: nextgen-.*
- Build: developer, deployer
- Read: viewer
- Configure: admin
Pattern: infra-.*
- Build: deployer
- Configure: admin
Credential Security
// NEVER do this
environment {
PASSWORD = 'hardcoded-secret' // BAD
}
// Always use credentials store
environment {
DB_CREDS = credentials('db-credentials') // GOOD
}
// Mask secrets in logs
withCredentials([string(credentialsId: 'api-key', variable: 'API_KEY')]) {
sh 'curl -H "Authorization: Bearer $API_KEY" https://api.example.com'
// $API_KEY is masked as **** in console output
}Security Checklist
- Enable CSRF protection
- Disable CLI over remoting
- Use HTTPS for Jenkins URL
- Restrict agent-to-master access
- Audit plugin installations
- Regular security updates
- Disable script console for non-admins
- Enable build authorization
Multi-Branch Pipelines
Multi-branch pipelines automatically discover branches in a repository and create pipeline jobs for each.
How It Works
Repository
├── main → Production pipeline
├── develop → Staging pipeline
├── feature/login → PR pipeline
└── hotfix/bug-42 → Hotfix pipeline
Each branch with a Jenkinsfile gets its own pipeline automatically.
Configuration
- New Item → Multibranch Pipeline
- Branch Sources → GitHub/Git
- Set repository URL and credentials
- Configure branch discovery behaviors
Branch Discovery Strategies
// Jenkinsfile with branch-specific behavior
pipeline {
agent any
stages {
stage('Test') {
steps {
sh 'npm test'
}
}
stage('Deploy to Staging') {
when { branch 'develop' }
steps {
sh 'deploy.sh staging'
}
}
stage('Deploy to Production') {
when {
branch 'main'
beforeInput true
}
input {
message "Deploy to production?"
ok "Deploy"
}
steps {
sh 'deploy.sh production'
}
}
stage('PR Checks') {
when { changeRequest() }
steps {
sh 'npm run lint'
sh 'npm run test:coverage'
publishHTML([reportDir: 'coverage', reportFiles: 'index.html'])
}
}
}
}Webhooks
Configure GitHub/GitLab webhooks to trigger builds instantly:
GitHub → Settings → Webhooks → Add webhook
URL: https://jenkins.example.com/github-webhook/
Content type: application/json
Events: Push, Pull Request
Branch Cleanup
// Jenkinsfile — clean up old branches
properties([
pipelineTriggers([
[$class: 'PeriodicFolderTrigger', interval: '1d']
]),
buildDiscarder(logRotator(
numToKeepStr: '10',
daysToKeepStr: '30'
))
])Pipeline Organization Patterns
Monorepo Strategy
pipeline {
agent any
stages {
stage('Detect Changes') {
steps {
script {
def changes = sh(script: 'git diff --name-only HEAD~1', returnStdout: true)
env.FRONTEND_CHANGED = changes.contains('frontend/') ? 'true' : 'false'
env.BACKEND_CHANGED = changes.contains('backend/') ? 'true' : 'false'
}
}
}
stage('Build Frontend') {
when { environment name: 'FRONTEND_CHANGED', value: 'true' }
steps { sh 'cd frontend && npm run build' }
}
stage('Build Backend') {
when { environment name: 'BACKEND_CHANGED', value: 'true' }
steps { sh 'cd backend && npm run build' }
}
}
}Summary
You've learned:
- Configuring RBAC for team access control
- Credential security and secret management
- Multi-branch pipeline setup and branch strategies
- Webhook configuration for instant triggers
- Monorepo and branch-specific pipeline patterns
Next Steps
Next, we'll explore Jenkins performance tuning, distributed builds, and high availability.