
Jenkins Hardening for DevSecOps

Table of contents

  1. Enable security
  2. Use secure connection
  3. Restrict project access
  4. Use plugins with caution
  5. Limit user permissions
  6. Use credentials securely
  7. Regularly update Jenkins
  8. Enable audit logging
  9. Secure access to Jenkins server
  10. Use Jenkins agent securely
  11. Use build tools securely
  12. Follow secure coding practices

A list of best practices for hardening Jenkins in a DevSecOps pipeline.

Enable security

Go to “Manage Jenkins” -> “Configure Global Security” and select “Enable security”

Use secure connection

Go to “Manage Jenkins” -> “Configure Global Security” and select “Require secure connections”

Restrict project access

Go to the project configuration -> “Configure” -> “Enable project-based security”

Use plugins with caution

Install only the plugins you actually need, take them from trusted sources, and update them regularly

Limit user permissions

Assign minimal necessary permissions to each user or group
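The three items above (enabling security, project-based security, and minimal user permissions) can be applied together from a Jenkins init script. The script below is an added example, not part of the original checklist or of the Jenkins project; it assumes the matrix-auth plugin (3.x API) is installed, that it is placed in `$JENKINS_HOME/init.groovy.d/`, and that the `admin` account name and the `JENKINS_BOOTSTRAP_PASSWORD` variable are placeholders chosen for illustration.

```groovy
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.ProjectMatrixAuthorizationStrategy
import org.jenkinsci.plugins.matrixauth.PermissionEntry

def jenkins = Jenkins.get()

// --- Authentication -------------------------------------------------------
// Jenkins' built-in user database with self sign-up disabled, so nobody can
// create an account simply by visiting the login page.
def realm = new HudsonPrivateSecurityRealm(false)
if (realm.allUsers.isEmpty()) {
    // Bootstrap administrator (placeholder name). The password is read from the
    // environment so it is never hard-coded; the fallback is an obvious dummy.
    def bootstrapPassword = System.getenv('JENKINS_BOOTSTRAP_PASSWORD') ?: 'CHANGE-ME-BEFORE-USE'
    realm.createAccount('admin', bootstrapPassword)
}
jenkins.securityRealm = realm

// --- Authorization --------------------------------------------------------
// Project-based matrix: keep the global grants minimal and let each job add
// its own per-project matrix ("Enable project-based security" on the job's
// Configure page) for the teams that really need it.
def strategy = new ProjectMatrixAuthorizationStrategy()
strategy.add(Jenkins.ADMINISTER, PermissionEntry.user('admin'))
// Logged-in users may see the dashboard but receive no job permissions
// globally; anonymous users receive nothing at all.
strategy.add(Jenkins.READ, PermissionEntry.group('authenticated'))
jenkins.authorizationStrategy = strategy

// --- Inbound agent port ---------------------------------------------------
// Close the inbound TCP agent port when only SSH/outbound agents are used,
// so the controller does not listen for agent connections it never expects.
jenkins.slaveAgentPort = -1

jenkins.save()
```

Because the script grants no global `Item.*` permissions, a job is invisible to a user until that job's own matrix (or a folder's) grants `Job/Read`; that is what keeps the global matrix at least privilege while still letting individual teams build and configure their own projects.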

Use credentials securely

Store credentials in the Jenkins credentials store and reference them only in the jobs and steps that need them

Regularly update Jenkins

Keep Jenkins updated with the latest security patches and updates

Enable audit logging

Enable audit logging to track and investigate security incidents

Secure access to Jenkins server

Limit network access to the Jenkins server by configuring firewall rules and setting up VPN access

Use Jenkins agent securely

Use secure connections between the Jenkins controller (master) and its agents, and limit who can access the agents

Use build tools securely

Use secure, up-to-date build tools and avoid invoking system tools or commands directly in build scripts
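The credentials item and the build-tools item above come together in a declarative Jenkinsfile. The pipeline below is an added example, not code from the original checklist or from the Jenkins project. It assumes a Maven installation named `maven-3.9` is registered under Manage Jenkins -> Tools, a username/password credential with id `artifact-repo-deploy` exists in the credentials store, and the project's `pom.xml` declares a distribution repository with id `artifact-repo`; all three names are placeholders.

```groovy
pipeline {
    agent any
    // A tool installation managed by Jenkins (placeholder name) instead of
    // whatever 'mvn' happens to be on the agent's PATH.
    tools { maven 'maven-3.9' }
    options {
        timestamps()
        timeout(time: 30, unit: 'MINUTES')
    }
    environment {
        // Resolved from the credentials store at run time. Jenkins exposes
        // REPO_CREDS_USR / REPO_CREDS_PSW and masks both in the build log.
        // 'artifact-repo-deploy' is a placeholder credential id.
        REPO_CREDS = credentials('artifact-repo-deploy')
    }
    stages {
        stage('Build and test') {
            steps {
                sh 'mvn -B -ntp verify'
            }
        }
        stage('Publish') {
            steps {
                // Maven resolves ${env.*} inside its own process, so the password
                // never appears on a command line or in 'ps' output. Triple
                // single quotes stop Groovy from interpolating anything here.
                writeFile file: 'ci-settings.xml', text: '''<settings>
  <servers>
    <server>
      <id>artifact-repo</id>
      <username>${env.REPO_CREDS_USR}</username>
      <password>${env.REPO_CREDS_PSW}</password>
    </server>
  </servers>
</settings>'''
                // Single-quoted step: the shell reads the variables itself.
                // Never write sh "mvn ... -Dpassword=${REPO_CREDS_PSW}": Groovy
                // interpolation would bake the secret into the command string
                // and into the console output.
                sh 'mvn -B -ntp -s ci-settings.xml deploy'
            }
        }
    }
    post {
        // Remove the workspace (including the settings file, which holds only
        // variable references, not secret values) once the build is done.
        always { deleteDir() }
    }
}
```

The credential is scoped to this one pipeline via `environment`, which is the "use them only where necessary" part; a job without that block, or a user without permission to configure this job, never gets at the secret.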

Follow secure coding practices

Follow secure coding practices to avoid introducing vulnerabilities in build scripts or plugins