secure jenkins

Enable Global Security

To secure Jenkins, enable global security.

Steps:

• Go to Manage Jenkins → Configure Global Security

• Enable “Enable Security”

• Choose an authentication method:

  • Jenkins own user database

  • LDAP / Active Directory

  • GitHub OAuth / Google SSO (via plugin)

Use Role-Based Access Control (RBAC)

Best Practice: Use Matrix-based or Role Strategy plugin

• Install Role-based Authorization Strategy plugin

• Define roles like:

  • admin: all permissions

  • developer: limited to job creation and build

  • viewer: read-only

Use Credentials Plugin Securely

Do:

• Store secrets (API keys, tokens, SSH keys) in Jenkins Credentials Store

• Use withCredentials block in Jenkinsfile

withCredentials([string(credentialsId: 'my-token', variable: 'TOKEN')]) {
    sh 'curl -H "Authorization: Bearer $TOKEN" https://api.prod.com/deploy'
}

Secure Jenkins URL and Network

• Use HTTPS:

  • Run Jenkins behind Nginx/Apache with SSL

  • Use Let’s Encrypt or internal SSL certificate

• Firewall rules:

  • Only allow Jenkins access from trusted IPs or VPN

  • Block public access to port 8080

Restrict Script and Plugin Execution

• Sandbox Groovy scripts:

  • Enforce Groovy sandbox for non-admins

  • Review scripts in In-Process Script Approval

• Update plugins regularly:

  • Manage Jenkins → Plugin Manager → Updates

  • Uninstall unused plugins

Monitoring, Auditing & Backups

Install and configure:

• Audit Trail Plugin → tracks UI actions

• Monitoring Plugin → view JVM memory, threads

• ThinBackup Plugin or back up /var/lib/jenkins/

Log important events:

• Configure jenkins.log

• Monitor who logs in, what builds are run, config changes, etc.

Disable Unused Features

Harden Jenkins on OS Level

Regular Maintenance & Alerts

• Set up Slack or Email notifications for failed builds or login attempts

• Rotate credentials regularly

• Periodically audit users and permissions