[JIRA] (JENKINS-58664) Add pipeline function to obscure credentials in File


citizenkahn@java.net (JIRA)

Jul 25, 2019, 2:23:02 PM
to jenkinsc...@googlegroups.com
citizenkahn created an issue
 
Jenkins / New Feature JENKINS-58664
Add pipeline function to obscure credentials in File
Issue Type: New Feature
Assignee: Unassigned
Components: credentials-binding-plugin
Created: 2019-07-25 18:22
Priority: Minor
Reporter: citizenkahn

Problem

The plugin hides secrets from the Jenkins console, but when using a complex tool chain the secrets may be stored in some tool's log and later published as build output.

For example: the following uses Ansible and a JUnit output callback to generate JUnit XML which will include secrets.

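// Bind the username to USER and the password to PASSWORD
withCredentials([usernamePassword(credentialsId: 'my-test-user',
        usernameVariable: 'USER',
        passwordVariable: 'PASSWORD')]) {
    withEnv([
            "ANSIBLE_STDOUT_CALLBACK=junit",
            "JUNIT_OUTPUT_DIR=${env.WORKSPACE}"
    ]) {
        try {
            // The junit callback records task arguments, including these extra vars
            ansiblePlaybook(
                playbook: "ansible/playbooks/steps.yml",
                extraVars: [
                    user: USER,
                    password: PASSWORD
                ]
            )
        } finally {
            // Publishes the generated XML, secrets included, as build output
            junit 'steps.*xml'
        }
    }
}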

Recommendation

Whereas

  • It seems unreasonable/impossible for the plugin to understand all tool chains
  • Only the binding plugin can properly know all secrets to hide

The addition of an exposed function like obscureCredentialsInFile(file: 'mylog.xml') would allow the pipeline author to use the file cleaner to remove secrets from a file or, perhaps with a glob, a series of files.

The method would perform the standard replacement in the file as it would do on the console, regardless of the impact to the file. For example, if the secret was 'error' and that was an XML key, the cleanup would be for the pipeline author to handle.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
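
The file-masking behaviour requested in the issue above can be approximated today by a post-processing script run before the junit step. The sketch below is an added example, not part of the original issue and not code from the credentials-binding plugin; the function names, the sample XML and the sample secrets are constructed for illustration. It also masks the XML-escaped form of each secret, which a plain string replacement on a JUnit report would miss.

```python
import glob
import os
import tempfile
from xml.sax.saxutils import escape

MASK = "****"  # same placeholder the Jenkins console log shows for bound secrets
# Constructed JUnit fragment: the password appears XML-escaped, as a report writer emits it.
SAMPLE = ('<testsuite><testcase name="login">'
          '<system-out>user=svc password=p&lt;ss&amp;w0rd</system-out>'
          '</testcase></testsuite>')


def mask_text(text, secrets):
    """Replace every secret (raw or XML-escaped) with MASK; return (text, hits)."""
    needles = set()
    for s in filter(None, secrets):  # skip empty values, they would match everywhere
        needles |= {s, escape(s, {'"': "&quot;", "'": "&apos;"})}
    hits = 0
    # Longest first, so a secret containing another one is not left half-masked.
    for needle in sorted(needles, key=len, reverse=True):
        hits += text.count(needle)
        text = text.replace(needle, MASK)
    return text, hits


def obscure_credentials_in_files(pattern, secrets):
    """Mask secrets in place in every file matching the glob; return {path: hits}."""
    report = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            masked, hits = mask_text(fh.read(), secrets)
        if hits:
            # Write beside the original and rename, so no half-written report is published.
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
            with os.fdopen(fd, "w", encoding="utf-8") as out:
                out.write(masked)
            os.replace(tmp, path)
        report[path] = hits
    return report


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "steps-1.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        report = obscure_credentials_in_files(os.path.join(d, "steps*.xml"), ["svc", "p<ss&w0rd"])
        with open(path, encoding="utf-8") as fh:
            return report[path], fh.read()
```

As the issue notes, the replacement is purely textual: a secret that happens to equal an element or attribute name would be masked there too, and the resulting file may no longer parse.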