Jenkins plugin to mask secrets based on configurable regex patterns.
Patterns are configured under the Jenkins Master system configuration under the Secrets Masking tab. Making it easier for system administrators to configure patterns for system-wide sensitive data.
A Pattern takes a regex string and will compare it to each line of a build's console output. Regex strings with capturing groups will have only the capturing groups matches masked. If the regex string has no capturing groups, the entire matched string will be masked. Masks consist of *****
followed by the last 2 characters of the secret.
Patterns are named and must be unique. Creating a new pattern with an existing name will override the previous pattern of the same name.
There is a Disable Secrets Masking
checkbox in the Advanced
section to toggle off secret masking. Checking this box will force the plugin to not mask any secrets.
To test changes
- Run
mvn install
to generate an.hpi
file. - Go to your
<jenkins_url>/pluginManager/advanced
and upload the.hpi
file under theUpload Plugin
section - Restart the Jenkins Master for the plugin to take effect and verify under
<jenkins_url>/pluginManager/installed
that it is the version expected. - Go to your Jenkins Master configuration page and under
Secrets Masking
, add any regex patterns you want matched. These will persist across Jenkins restarts. - Run a build that has output that contains your expected regex pattern and verify that the secrets are masked with
*****
followed by the last 2 characters of the secret.
To test locally
Run mvn install hpi:run
to create a local Jenkins server accessible at http://localhost:8080/jenkins
There is a logger that records when the masking functionality is toggled on or off. To record these log messages, a new log listener will need to be setup for the class com.intuit.dev.build.ibp.GlobalSecretPatternsConfig
.
Jenkins has instructions on setting up a logger here.
There is a logger that records when the masking functionality is turned on or off. To record these log messages, a log listener will need to be setup for the class com.intuit.dev.build.ibp.GlobalSecretsConfig
Take a look at CONTRIBUTING for contributing to this project.