On Thu, Apr 13, 2023 at 12:55 PM d...@kinneartech.com <d...@kinneartech.com>
wrote:

> How can we pass those sensitive args to Jenkins agent machine without
> getting disclosed. We already tried adding them to envVars but there seems
> to be an issue that the envVars are disclosed in a parallel job in a
> different workspace when using some commands to print them.
>

This is pretty vague. Disclosed how, to whom? Which commands?

https://javadoc.jenkins.io/plugin/credentials-binding/org/jenkinsci/plugins/credentialsbinding/masking/SecretPatterns.html
can be used to mask secrets which may be bound in environment variables in
scope (for example via
https://javadoc.jenkins.io/plugin/workflow-step-api/org/jenkinsci/plugins/workflow/steps/EnvironmentExpander.html)
though it is better to have users run the standard `withCredentials` step
instead.

Anyway

> a parallel job in a different workspace
>

would one way or another likely have access to any secrets actively in use
by an executor on the same agent machine used by another build: it is not
straightforward to create a strict separation between two processes running
on the same machine, under the same user account. (Any secrets written to a
temporary file would trivially be visible to any other builds, secrets
bound to environment variables in other processes can be seen in
`/proc/*/environ` on Linux, and even secrets solely present inside a JVM
can by default be accessed using the Java Attach API.) If there is any
possibility that different projects might be owned by different teams who
do not trust one another, then you must reserve an agent for the exclusive
use of a single build, preferably using “one-shot” provisioning in
containers or VMs.

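An added example, not part of the original message: a Python check for a Linux agent that illustrates the point about `/proc/*/environ`. It starts a child process with a constructed variable (`DEMO_TOKEN`, a made-up name and value) and reports whether a second process under the same user account can read it, which is the isolation gap the reply describes.

```python
import os
import subprocess
import sys


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE block found in /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def same_user_can_read(pid: int, name: str):
    """True if this process can see variable `name` in pid's environment,
    False if the kernel denies access, None if procfs is unavailable."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as fh:
            return name in parse_environ(fh.read())
    except FileNotFoundError:
        return None
    except PermissionError:
        return False


def check_agent_isolation():
    """Stand-in for a build step holding a secret in its environment.
    The variable name and value are constructed for this example."""
    env = dict(os.environ, DEMO_TOKEN="constructed-not-a-real-secret")
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)"], env=env
    )
    try:
        # This process plays the role of a second build on the same agent,
        # running under the same user account as the first.
        return same_user_can_read(child.pid, "DEMO_TOKEN")
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    result = check_agent_isolation()
    print({True: "exposed to same-user processes",
           False: "not readable",
           None: "no procfs on this host"}[result])
```

A result of "exposed" on a shared agent is the expected default; running each build on its own one-shot container or VM is what removes the second process from the picture.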