How to hide passwords in Jenkins console output?

The Mask Passwords plugin only allows for preset passwords to be passed in to the build process, so it really does nothing for the security of the Job.

I need a password parameter that needs to be entered every time the job is run (as a parameter) and I need that to be masked in the console output.

From what I am reading, going to Manage Jenkins -> Configure System and selecting to mask Password Parameters should work, but it is not working for some reason. Any suggestions?



Solution 1:[1]

If you have a Linux builder, you can hide the output of the shell command. Under "Execute shell", in the command text box, add the following as the first line:

    #!/bin/bash +x
    some other commands...

This will hide only the output of the command with the password in the console output.
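Jenkins runs "Execute shell" scripts with `sh -xe` by default, so each command and its expanded arguments are echoed to the console; the `+x` above turns that trace off. The following is an added example, not part of the original answer, that checks what disabling the trace does and does not cover; the secret value, the `DB_PASSWORD` variable and the commands are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample secret; in Jenkins this would be the password parameter.
DEMO_SECRET='s3cr3t-constructed-value'

# Run a snippet the way "Execute shell" does by default (-xe) and return
# only the xtrace stream (stderr), which is where commands are echoed.
trace_with_xtrace() {
  DB_PASSWORD="$DEMO_SECRET" bash -xe -c "$1" 2>&1 >/dev/null
}

# Same snippet, returning only what the commands themselves print (stdout).
stdout_with_xtrace() {
  DB_PASSWORD="$DEMO_SECRET" bash -xe -c "$1" 2>/dev/null
}

# True when the captured text contains the secret.
leaks() { case "$1" in *"$DEMO_SECRET"*) return 0 ;; *) return 1 ;; esac; }

# Hypothetical client call: "true" stands in for a tool taking a password argument.
LEAKY='true --password "$DB_PASSWORD"'
# Trace switched off only around the sensitive command, then back on.
# "{ set +x; } 2>/dev/null" keeps the "+ set +x" line itself out of the log.
QUIET='{ set +x; } 2>/dev/null; true --password "$DB_PASSWORD"; set -x; echo done'
# Trace off, but the command itself prints the secret: xtrace is not the leak here.
PRINTS='{ set +x; } 2>/dev/null; echo "connecting with $DB_PASSWORD"'

for snippet in "$LEAKY" "$QUIET"; do
  if leaks "$(trace_with_xtrace "$snippet")"; then
    echo "trace LEAKS secret: $snippet"
  else
    echo "trace is clean:     $snippet"
  fi
done
if leaks "$(stdout_with_xtrace "$PRINTS")"; then
  echo "stdout LEAKS secret even with tracing off: $PRINTS"
fi
```

Turning the trace off removes the echoed command line only; anything a command prints itself still reaches the console unless a masking wrapper replaces it.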

Solution 2:[2]

You can use credentials. Add secret text credentials and give them an id that you'll use like the following:

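          withCredentials([string(credentialsId: 'DOCKER_USER', variable: 'DOCKER_USER'), string(credentialsId: 'DOCKER_PASSWORD', variable: 'DOCKER_PASSWORD')]) {
            // Single-quoted Groovy strings: the shell expands the secrets from the environment, so Groovy never interpolates them into the script text.
            sh 'docker login -u "$DOCKER_USER" -p "$DOCKER_PASSWORD"'
            sh 'docker push "$DOCKER_USER/appName:test"'
          }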

DOCKER_USER and DOCKER_PASSWORD are in the Jenkins credentials store and will be replaced by *** in the logs.

Solution 3:[3]

I am using "Inject passwords to the build as environment variables" from "Build Environment" here. It really works great. It will hide passwords from the console. Even more, it also hides user input passwords passed through a "password parameter".

Really cool !! :)

Solution 4:[4]

Please find below my findings with solution [without using Mask Passwords plugin]:

Brief description of my Jenkins job: I wrote a job which downloads the artifacts from Nexus based on the parameters given at run-time and then makes a Database SQL connection and deploys the SQL scripts using the maven flyway plugin. My job takes Environment, Database Schema, Artifact version number, Flyway command, Database User and its password as input parameters.

Brief Background about problem: While passing the PASSWORD as MAVEN GOAL (Parameter), it was coming in Jenkins Console as a plain text. Although I was using "Password Parameter" to pass the password at run-time but then also it was coming as plain text in console.

I tried to use the "secret text" to encrypt the password but then my job started failing because the encrypted password was getting passed to Maven Goals, which was not able to connect to DB.

Solution:

I used "Inject passwords to the build as environment variables" from Build Environment and defined its value as my "password parameter" (my password parameter name was db_password) which I am passing as parameter at run-time (eg.: I defined my inject password value as : ${db_password} ).

And this is working as expected. The password which I am passing while running my job is coming as [*******]

[console log: Executing Maven: -B -f /work/jenkins_data/workspace/S2/database-deployment-via-flyway-EDOS/pom.xml clean compile -Ddb=UAT_cms_core -DdatabaseSchema=cms-core -Dmode=info -DdeploymentVersion=1.2.9 -Ddb_user=DB_USER -Ddb_password=[*******] ]

Solution 5:[5]

You can use the Mask Passwords Plugin; it is very useful: https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 dsaydon
Solution 2 Bruck Wubete
Solution 3 santosh verma
Solution 4
Solution 5 lanni654321