Suppress sensitive information from Jenkins logs

Question

I would like to suppress some sensitive information displayed in the logs.

Code:

    pipeline {
    parameters {
    string(defaultValue: '', description: '', name: 'pki_client_cacert_password', trim: true)
    string(defaultValue: '', description: '', name: 'db_url', trim: true)
    }
    stages {
        stage('DeployToDev') {
                steps {
                    script{
                        env.artifacts = sh(
                        returnStdout: true, 
                        script: "/var/lib/jenkins/python_jobs/venv/bin/python3 /var/lib/jenkins/python_jobs/encrypter_creds.py --db_url=${env.db_url} --pki_client_cacert_password='${env.pki_client_cacert_password}'"
                        )
                    }

                }
            }
    }
}

Output:

+ /var/lib/jenkins/python_jobs/venv/bin/python3 /var/lib/jenkins/python_jobs/encrypter_creds.py --db_url=<hide this from jenkins logs> '--pki_client_cacert_password=<hide this from jenkins logs>'

score 2 · Answer 1 · answered Mar 11 '21 at 07:36

First option is to set it as environment var:

withEnv(["MYSECRET=${params.pki_client_cacert_password}", 
         "MYURL=${env.db_url}"]) {
    env.artifacts = sh(
        returnStdout: true, 
        script: '.. python3 .. encrypter_creds.py --db_url=$MYURL ' +
            ' --pki_client_cacert_password=$MYSECRET'
)

Note the single quotes around the command to prevent any Groovy string interpolation.

Second option is to save something like pki_client_cacert_password (which hopefully doesn't change much) into Jenkins Credentials Store and use it withCredentials:

withCredentials([usernamePassword(
  credentialsId: 'MY_PKI_CLIENT_CREDENTIALS',
  passwordVariable: 'DB_URL',
  usernameVariable: 'PKI_USER')]) {
  env.artifacts = sh(
        returnStdout: true, 
        script: '.. python3 .. encrypter_creds.py --db_url=$DB_URL' +
            ' --pki_client_cacert_password=$PKI_PASSWORD'

}

You can also roll your own third option, e.g. by writing the info you need into a file and modifying your script to read the parameters from that file.

Install mask passwords plugin. In some cases jenkins could show creds in job's output, mask passwords plugin will prevent it. — Dmitriy Tarasevich, Mar 11 '21 at 08:19
@DmitriyTarasevich that plugin does not seem to support pipelines. — MaratC, Mar 11 '21 at 12:52
This plugin processes output, it doesn't care about type of job. If you have negative experience with the plugin, please share. — Dmitriy Tarasevich, Mar 12 '21 at 08:16
@DmitriyTarasevich I find it hard to understand what do I need to put in my pipeline to explain to that plugin what contributes a "password". — MaratC, Mar 13 '21 at 21:32

score 1 · Answer 2 · answered Mar 11 '21 at 21:55

I have added @MaratC suggestion however that did not help much, so I ended up adding set +x and set -x more so this question was related to Echo off in Jenkins Console Output which worked as expected

            script{
               withEnv(["ENV_PKI_CLIENT_CACERT_PASSWORD=${params.pki_client_cacert_password}", "ENV_DB_URL=${params.db_url}"]) {
                    env.artifacts = sh(
                        returnStdout: true, 
                        script: """
                            set +x
                            /var/lib/jenkins/python_jobs/venv/bin/python3 /var/lib/jenkins/python_jobs/encrypter_creds.py --db_url=${ENV_DB_URL} --pki_client_cacert_password='${ENV_PKI_CLIENT_CACERT_PASSWORD}'
                            set -x
                            """
                        )           
            }
        }

Jenkins output

 + set +x
[Pipeline] .....
[Pipeline] .....

Suppress sensitive information from Jenkins logs

2 Answers2