In this chapter, we'll discuss the security of Jenkins, taking into account that Jenkins can live in a rich variety of infrastructures. We will also look at how to scan for known security issues in the third-party libraries used by the Java code that Jenkins compiles.
The only perfectly secure system is a system that does not exist. For real services, you will need to pay attention to the different surfaces open to attack. Jenkins' primary attack surfaces are its web-based graphical user interface, its trust relationships with its slave nodes, and its access to the native OS. Online services need vigorous attention to their security surface, and for Jenkins there are three main reasons why:
- Jenkins has the ability to communicate with a wide range of infrastructures through either its plugins or the master-slave topology
- The rate of code change around the plugins is high and open to the accidental...