a·gen·tic a·gil·i·ty

Mask password in Jenkins when calling TEE

Learn how to securely mask passwords in Jenkins logs when using Team Explorer Everywhere (TEE), preventing sensitive credentials from being exposed during build processes.

Published on
2 minute read
Image
https://nkdagility.com/resources/rG_NN58PQym
Subscribe

When you use the release build plugin in Jenkins to create a new release the plugin inadvertently leaves your password in clear text in the log files. We need to be able to mask password in Jenkins when calling Team Explorer Everywhere (TEE) so that we meet security requirements.

As you can imagine working at a bank, they get a little…squirmy… when they see or hear about passwords being stored on viewable in the clear. If you are using TFS to do builds from Jenkins then you are likely using the command line tools that come with Team Explorer Everywhere.

Mask password in Jenkins when calling TEE

If you are also using the Release Plugin and you create a release build then you will see the SCM password that you enter written in the clear in the log. Bit of a shock to my banking colleagues I can tell you. So much so that they called “critical blocker” for the migration to TFVC.

Mask password in Jenkins when calling TEE

However during the… conversation… they did say that they had a plugin installed that was supposed to mask the passwords when you do a build. Armed with that knowledge, and little other knowledge of Jenkins, I dived in to find a solution. Maybe it just needed more configuration…

Mask password in Jenkins when calling TEE

So I looked through the documentation and found that you can set variables for passwords and send the variable instead. The plugin will then mask it correctly…. So I thought… that’s for me!

Mask password in Jenkins when calling TEE

So I dutifully created a global password veriable called “MrHinshPas” (yes, I am testing with my own account) and once saved I should be able to use “$(MrHinshPass)” in places where I want the password replaced.

Mask password in Jenkins when calling TEE

Running another build and, wohoo, the password gets replaced.

However why do I need to create a variable for this occurrence when it usually replaced things for other passwords in the list. So I went hunting around… I looked at server configuration. I looked at plugins and documentation.

Eventually I looked in the build configuration and I found this…

Mask password in Jenkins when calling TEE

So for each specific job you can activate the “Mask passwords” option in the Build Environment section and all passwords are magically hidden in your builds. Awesome! How did I miss that…

Software Development Troubleshooting Install and Configuration
Subscribe

Related Blog

Related videos

Connect with Martin Hinshelwood

If you've made it this far, it's worth connecting with our principal consultant and coach, Martin Hinshelwood, for a 30-minute 'ask me anything' call.

Our Happy Clients​

We partner with businesses across diverse industries, including finance, insurance, healthcare, pharmaceuticals, technology, engineering, transportation, hospitality, entertainment, legal, government, and military sectors.​

Brandes Investment Partners L.P. Logo

Brandes Investment Partners L.P.

Ericson Logo

Ericson

Microsoft Logo

Microsoft

MacDonald Humfrey (Automation) Ltd. Logo

MacDonald Humfrey (Automation) Ltd.

Sage Logo

Sage

Deliotte Logo

Deliotte

YearUp.org Logo

YearUp.org

Healthgrades Logo

Healthgrades

New Signature Logo

New Signature

Philips Logo

Philips

Bistech Logo

Bistech

Cognizant Microsoft Business Group (MBG) Logo

Cognizant Microsoft Business Group (MBG)

Flowmaster (a Mentor Graphics Company) Logo

Flowmaster (a Mentor Graphics Company)

Boeing Logo

Boeing

Lean SA Logo

Lean SA

Capita Secure Information Solutions Ltd Logo

Capita Secure Information Solutions Ltd

Jack Links Logo

Jack Links

Genus Breeding Ltd Logo

Genus Breeding Ltd

Nottingham County Council Logo

Nottingham County Council

Department of Work and Pensions (UK) Logo

Department of Work and Pensions (UK)

New Hampshire Supreme Court Logo

New Hampshire Supreme Court

Washington Department of Enterprise Services Logo

Washington Department of Enterprise Services

Royal Air Force Logo

Royal Air Force

Ghana Police Service Logo

Ghana Police Service

Genus Breeding Ltd Logo

Genus Breeding Ltd

Kongsberg Maritime Logo

Kongsberg Maritime

Emerson Process Management Logo

Emerson Process Management

Qualco Logo

Qualco

Philips Logo

Philips

Lockheed Martin Logo

Lockheed Martin