A couple of days ago I noticed that there are a lot of plugin repositories that do not run the Jenkins Security Scan. Even though by now the GitHub action containing the scan is present in templates and archetypes, there are still some plugins that were likely created before or simply did not care for it. Nevertheless, it is stated in the
JENKINS SECURITY POLICY that
The Jenkins project takes security seriously. We make every possible effort to ensure users can adequately secure their automation infrastructure. To that end, we work with Jenkins core and plugin developers, as well as security researchers, to fix security vulnerabilities in Jenkins in a timely manner, and to improve the security of Jenkins in general.

We as plugin developers should therefore try our best to support this. One way of doing so is to enable the Jenkins Security Scan.
This is why over the course of the last two days I created roughly 200 PRs as a consequence. My PRs were made towards plugins that could be considered "in active development", meaning they have had a commit in the last 30 days and a release in the last 6 months. For all that I set up a script to grab me a list of plugin repositories that match those criteria and semi-automatically issue PRs for them, many of which have already been merged.
Since this is my first go at automating such a thing, there were some hiccups that hopefully all got resolved by hand. Please let me know if you found any unresolved issues.
By now there seem to be no more plugins left that match my criteria, but I will likely run another analysis in a couple of weeks. If I caused any issues in the infrastructure, yeah, what can I say but sorry. It was not my intention to cause more work for anyone but rather to do a good deed.
Overall my goal is to make use of the great security features that we have at our hands, to share the word that security is so important in software development, and to do my part in supporting the community to the best of my efforts.