Jenkins Pipeline Security: How to Safely Manage CI/CD Pipelines

Enhance Jenkins Pipeline Security with this Robust, Open-Source CI/CD Tool

Jenkins is the go-to choice for software development projects, offering an automated approach, Java-based infrastructure, and a vast plugin community. Streamlining the end-to-end cycle, from build to test and deployment, accelerates software development. Jenkins empowers you to continuously improve applications and rapidly release fresh builds. Safeguard your CI/CD processes with its plugin ecosystem, seamlessly integrating your pipeline with Git, Amazon EC2, and HTML Publisher.

To clearly understand the importance of Jenkins, let’s quickly learn what continuous integration (CI) means.

What is CI? 

Continuous Integration (CI) is a software development practice in which you regularly commit changes to the source code in a central repository. Each commit then triggers automated builds and tests. This approach helps you detect flaws in the code as soon as they are introduced, so you can fix them early. It accelerates the entire software development process, enabling you to release quality applications.

Why Use Jenkins for CI? 

Before Jenkins, you had to test the complete codebase before you could identify and fix bugs. Since developers work independently on different parts of a project, coordinating those changes was tedious and time-consuming, which slowed down software delivery.

In brief, a Jenkins build runs through the following steps:

  • Developers commit changes to the source code hosted in the repository.
  • The Jenkins CI server pulls the latest changes to the code.
  • The build server compiles the code into an executable.
  • If the build fails, Jenkins reports the failure to the developers.
  • The built application is deployed to the test server.
  • If the tests fail, the developer receives an alert.
  • The tested application is deployed to the production server.

How Secure is Jenkins? 

Installing and getting started with Jenkins is a fairly easy process. Configuring it securely, however, takes a lot of planning, with many factors at play. Security is crucial primarily because Jenkins interacts with multiple servers and components. Moreover, given how heavily Jenkins depends on plugins, setting up a basic authentication mechanism won’t cut it.

In addition to offering capabilities to secure your system, the Jenkins project continuously reviews vulnerabilities in Jenkins core and its plugins and publishes them as Security Advisories.

What is Jenkins Security Advisory and What Does it Do? 

A Jenkins Security Advisory is a periodically published list of security issues identified in Jenkins core and its plugins. Each entry includes a description of the vulnerability, the risk it poses, its severity, the affected versions, and any workarounds and fixes that are available.

Vulnerable Jenkins plugins

Below are five of the vulnerable Jenkins plugins mentioned in its 2022 security advisory list, their impact, and how they can be fixed.

  • Active Directory Plugin – Transmits user credentials in plain text

Attackers who can capture traffic between the Jenkins controller and Active Directory can extract user credentials, because the Active Directory plugin transmits them without encryption. This exposes not only the password but also the Active Directory username.

Fix: To resolve the vulnerability, update to version 2.25.1

  • Badge Plugin – Vulnerable to XSS attacks

Badge Plugin version 1.9 and earlier allowed users to customize descriptions by adding URLs. However, it did not restrict the links it accepted, so arbitrary HTML links could be injected, opening the system up to XSS attacks.

Fix: To resolve the vulnerability, update to version 1.9.1

  • Bitbucket Branch Source Plugin – Allows capturing credentials

The Bitbucket Branch Source Plugin does not require POST requests for one of its HTTP endpoints, which exposes it to CSRF attacks, and it does not check the required permissions in several HTTP endpoints. Together, these flaws allow an attacker to capture credentials and enumerate credential IDs.

Fix: To resolve the vulnerability, update to version 746.v350d2781c184

  • Conjur Secrets Plugin – Allows credential retrieval and secret decryption

The Conjur Secrets Plugin allows agent processes to retrieve all credentials stored in Jenkins and to decrypt secrets. An attacker who controls an agent process can therefore not only read sensitive data but also obtain the plaintext of secrets encrypted in Jenkins.

Fix: No resolution is available at this point

  • Jenkins Matrix-Based Security – Opens Jenkins for XSS attacks

The Matrix Project Plugin does not escape risky HTML metacharacters in node names and descriptions, which allows a stored XSS. A user with the permissions to set those values can exploit this with serious consequences.

Fix: To resolve the vulnerability, update to version 1.20

Avoid Building on Your Controller

Jenkins ships with a built-in node so you can run builds right away and evaluate whether it is the solution for you. Builds that run on that single instance, however, have access to the controller's file system. For this reason, Jenkins recommends running jobs on 'agents' instead (this is what happens in a scalable setup, which we covered in our last post, Using dynamic build agents to automate scaling in Jenkins).

Agents are separate Jenkins instances that run jobs on behalf of your controller. Once you use agents, you can stop the controller from running builds altogether, so that no job gets access to files on the controller that could be used to do harm.

To stop your controller from running builds:

  1. Click Manage Jenkins from the menu.
  2. Click Manage Nodes and Clouds.
  3. Click the cog to the right of the Built-In Node.
  4. You have two options to prevent builds on the controller. Choose one and click Save:
    • Change the Number of executors to 0 if you never want to build on the controller.
    • Select Only build jobs with label expressions matching this node from the Usage dropdown if you want to build on the controller when needed.
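The same setting can be applied automatically at startup. The following init script is an added example, not code from the original post: dropped into $JENKINS_HOME/init.groovy.d (a standard Jenkins hook), it enforces option 1 on every start and reports any freestyle job that is still pinned to the built-in node by label. The label names and the job types it inspects are assumptions.

```groovy
// Added example: enforce "no builds on the controller" from init.groovy.d,
// so that the built-in node cannot silently regain executors after an
// upgrade or a hand edit of config.xml.
import jenkins.model.Jenkins
import hudson.model.AbstractProject
import hudson.model.Node

def jenkins = Jenkins.get()

// Option 1 from the steps above: zero executors, so no build can ever run
// with access to the controller's file system.
jenkins.numExecutors = 0

// Option 2 from the steps above, if you must keep a controller executor:
// only jobs whose label expression names the built-in node explicitly are
// accepted (the "Only build jobs with label expressions matching this node"
// usage setting). Uncomment these two lines and remove the one above.
// jenkins.numExecutors = 1
// jenkins.mode = Node.Mode.EXCLUSIVE

jenkins.save()

// Audit: list freestyle/matrix jobs whose label pins them to the controller.
// With option 1 they will simply queue forever; with option 2 they are the
// only jobs that still land here, so each one deserves a review.
// (Label names are assumptions; Pipeline jobs declare their agent inside the
// Jenkinsfile and are not visible to this check.)
def pinnedLabels = ['built-in', 'master']
jenkins.getAllItems(AbstractProject).each { job ->
    if (job.assignedLabelString in pinnedLabels) {
        println "WARNING: ${job.fullName} is restricted to the built-in node"
    }
}

println "built-in node: ${jenkins.numExecutors} executor(s), mode ${jenkins.mode}"
```

After restart, a job declared with 'agent any' waits for an agent instead of running on the controller, and the startup log records the setting in force.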

Jenkins Pipeline Security Best Practices

Jenkins provides a variety of security features, with some enabled by default, while others require configuration based on the environment. Let’s take a look at the following options for Jenkins Pipeline Security.

1: Access Control 

Jenkins takes a two-pronged approach to protecting your pipeline from unwanted and unauthorized access: a security realm, which authenticates users, and an authorization strategy, which decides what each authenticated user may do.

2: Security Realm 

To authenticate a user, Jenkins consults a user database that defines the users, their passwords, and the groups they belong to. The default security realm is now Jenkins' own user database, so that nobody can get in without an account.

Jenkins also supports authenticating users against a third-party identity provider such as LDAP (Lightweight Directory Access Protocol).

3: Authorization 

You can define in detail which users or groups can access which parts of Jenkins. The authorization options Jenkins offers are as follows:

4: Anyone can do anything 

With this option, everyone, including anonymous users, gets full control of Jenkins, as the name suggests. This is not a safe choice.

5: Legacy mode 

Only administrators get full control over the system, while everyone else has read access only. Jenkins best practices advise against using this setting.

6: Logged-in users can do anything 

This setting forces users to log in before they can access any part of Jenkins, and it records the actions every user takes within the system. The advanced settings also let you grant read-only access to anonymous users.

7: Matrix-based security 

With this setting, you can define in fine-grained detail which users and groups receive which permissions across the system.

8: Project-based Matrix Authorization Strategy 

The Matrix Authorization Strategy plugin extends matrix-based security so that access control lists can be set per project.

9: Controller Isolation

In a Jenkins environment, code authors, build script authors and other users control the commands executed during a build. This exposes the system to external threats such as supply chain attacks. To mitigate this and keep the Jenkins controller stable, we recommend not executing builds on the built-in node. Distributing builds to agents isolates the controller from malicious build steps.

10: Sanitizing Environment Variables 

Environment variables can carry untrusted input into a build and change the behavior of build scripts. It is therefore important to sanitize them, which blocks unsafe variables containing metacharacters such as ^ and & that the shell or batch interpreter would otherwise act on.

Jenkins offers the following plugins to filter environment variables:

  • Safe Batch Environment Filter – Automatically fails batch build steps when it finds variables containing batch metacharacters
  • Generic Build Step Environment Filters – Filters environment variables through standard implementations
  • Pipeline: Keep Environment Step – Detects unused environment variables in pipelines
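The risk these filters address is easiest to see in a pipeline. The declarative Jenkinsfile below is an added example, not code from the original post: it contrasts splicing a user-supplied parameter into a script with Groovy string interpolation against letting the step read it from the environment, and shows why the batch case still needs the filter plugin. The agent labels and the parameter name are assumptions.

```groovy
// Added example: the same build parameter reaching sh and bat steps three
// ways. A parameter is user input; Jenkins also exposes it to every step as
// the environment variable GREETING.
pipeline {
    agent { label 'linux' }                       // assumed agent label
    parameters {
        string(name: 'GREETING', defaultValue: 'hello')
    }
    stages {
        stage('unsafe interpolation') {
            steps {
                // Double quotes make Groovy splice the value into the script
                // text before the shell ever sees it. A value such as
                //   x"; echo injected; echo "
                // closes the quoting and becomes part of the command line, so
                // metacharacters in the parameter change what the step runs.
                sh "echo \"${params.GREETING}\""
            }
        }
        stage('environment variable') {
            steps {
                // Single quotes: Groovy passes the script through unchanged
                // and sh reads GREETING from its environment at run time.
                // Double-quoting the expansion keeps the whole value a single
                // argument, whatever characters it contains.
                sh 'echo "$GREETING"'
            }
        }
        stage('batch') {
            agent { label 'windows' }             // assumed agent label
            steps {
                // cmd.exe substitutes %GREETING% into the line before it
                // parses the line, so ^ and & in the value act as operators
                // and quoting cannot neutralise them the way it does in sh.
                // This is the case the Safe Batch Environment Filter covers:
                // it fails the step when a variable carries batch
                // metacharacters instead of letting cmd.exe interpret them.
                bat 'echo %GREETING%'
            }
        }
    }
}
```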

11: Access Control for Builds

Jenkins pipeline security practice recommends configuring the authorization under which builds run. By default, users who can execute builds can also create, modify, or delete other builds. You can tighten this with plugins such as the Authorize Project Plugin, which lets you configure build authorization per project instead.

12: Protection against CSRF 

Cross-Site Request Forgery is a security threat in which an authenticated user is tricked into triggering an unwanted action in Jenkins. It usually occurs when a Jenkins user visits a hostile website or clicks on a malicious link.

Jenkins protects your pipeline from CSRF attacks by issuing every user a token called a crumb. The crumb encodes information specific to that user, and Jenkins demands it on every request that modifies state. A request forged from another site cannot obtain the crumb, so it is rejected.
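The exchange this implies for a scripted client is shown below as an added example, not code from the original post: a plain Groovy script (run with the groovy command, outside Jenkins) that fetches a crumb, sends a state-changing request with it, and then repeats the request without the crumb to show what a forged request looks like to Jenkins. The Jenkins URL, user, password and job name are placeholders.

```groovy
// Added example: the crumb exchange against a CSRF-protected Jenkins.
import groovy.json.JsonSlurper

final String JENKINS_URL = 'http://localhost:8080'   // placeholder
final String USER        = 'alice'                   // placeholder
final String PASSWORD    = 'example-password'        // placeholder
final String JOB         = 'demo'                    // placeholder job name
final String AUTH = 'Basic ' + "${USER}:${PASSWORD}".bytes.encodeBase64()

// 1. Ask the crumb issuer for a crumb. Since Jenkins 2.176.2 the crumb is
//    bound to the web session, so the session cookie set here must be sent
//    again with the request the crumb protects.
HttpURLConnection get = new URL("${JENKINS_URL}/crumbIssuer/api/json").openConnection()
get.setRequestProperty('Authorization', AUTH)
def issuer = new JsonSlurper().parse(get.inputStream)
String cookie = get.getHeaderField('Set-Cookie')?.split(';')[0]
println "crumb header: ${issuer.crumbRequestField}, session cookie: ${cookie}"

// 2. Send the state-changing request with the crumb in the header the issuer
//    named (Jenkins-Crumb by default) and the same session cookie.
HttpURLConnection post = new URL("${JENKINS_URL}/job/${JOB}/build").openConnection()
post.requestMethod = 'POST'
post.setRequestProperty('Authorization', AUTH)
post.setRequestProperty(issuer.crumbRequestField as String, issuer.crumb as String)
if (cookie) post.setRequestProperty('Cookie', cookie)
post.doOutput = true
post.outputStream.close()
println "build request with crumb: HTTP ${post.responseCode}"

// 3. The identical request without the crumb is what a cross-site request
//    from a hostile page looks like to Jenkins: that page can make the
//    victim's browser send the request, but cannot read the crumb to add it.
HttpURLConnection forged = new URL("${JENKINS_URL}/job/${JOB}/build").openConnection()
forged.requestMethod = 'POST'
forged.setRequestProperty('Authorization', AUTH)
forged.doOutput = true
forged.outputStream.close()
println "build request without crumb: HTTP ${forged.responseCode}"
```

Jenkins accepts the first POST and rejects the crumb-less one with HTTP 403; note that requests authenticated with an API token rather than a password skip the crumb check, which is why scripts should use tokens and never store passwords.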

13: Avoid XSS Attacks 

To help users steer clear of attacks like XSS (Cross-Site Scripting), Jenkins provides a feature called the Markup Formatter. It filters the descriptions users submit in places such as user profiles, jobs, and builds and detects unsafe HTML metacharacters in them.

You can use the OWASP Markup Formatter to sanitize the HTML that users add to these descriptions.

Offensive360 can be your ideal Jenkins security partner 

Despite its popularity and wide adoption, Jenkins is a platform that is vulnerable to security threats via multiple sources. These include Jenkins Controller, application code, XSS, and CSRF. The platform does offer an extensive infrastructure of plugins for Jenkins Pipeline Security.

However, keeping track of all the plugins and the added vulnerabilities they bring into the picture can be a task. Instead, you can delegate your security checks to an expert. For instance, consider Offensive360’s policy-based solution. It is a one-of-a-kind security solution that protects your entire CI/CD pipeline through fine-grained access controls and continuous scanning.
