Chapter 5 – Jenkins Credential Management for Pipeline Data Masking

This article explains why Jenkins credentials should be used, describes the supported credential types, shows how Jenkins stores and encrypts credentials, demonstrates decryption methods, and provides step‑by‑step examples of using credentials in pipeline scripts to securely interact with third‑party services.

DevOps Cloud Academy

When configuring a continuous‑delivery pipeline, Jenkins often needs to interact with third‑party systems such as Jira, GitLab, or SonarQube. Storing authentication information in plain text is insecure, so Jenkins credentials (provided by the Credentials Binding plugin) should be used.

Credentials can be created via System → Credentials → Manage Credentials. Each credential has a unique ID that can be referenced in pipelines. The default scope is global, but scopes such as System and Job are also available.

Common credential types include:

Secret text – for API tokens (e.g., GitLab personal token).

Username and password – for accounts requiring both fields.

SSH Username with private key – for SSH authentication.

To create a Secret text credential, provide the token value and assign an ID. Jenkins stores the credential in encrypted form; three files under $JENKINS_HOME are involved:

$JENKINS_HOME/credentials.xml
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret

Credentials can be listed with commands such as:

# cat credentials.xml | grep "
"

To decrypt a credential value, use the Jenkins Script Console:

println hudson.util.Secret.decrypt("{AQAAABAAAA...}")

For bulk decryption, the jenkins-credentials-decryptor tool can be used:

cd ${JENKINS_HOME}
mv jenkins-credentials-decryptor_0.0.8_Linux_x86_64 jenkins-credentials-decryptor
chmod +x jenkins-credentials-decryptor
./jenkins-credentials-decryptor -m ./secrets/master.key -s ./secrets/hudson.util.Secret -c ./credentials.xml

In a pipeline, credentials are accessed via the withCredentials step. Example:

withCredentials([string(credentialsId: 'gitlab-api-token', variable: 'gitUsers')]) {
    // some block
}

A full pipeline example that prints the secret value:

pipeline {
    agent any
    stages {
        stage('Hello') {
            steps {
                echo 'Hello World'
                withCredentials([string(credentialsId: 'gitlab-api-token', variable: 'gitUsers')]) {
                    // some block
                    println(gitUsers)
                }
            }
        }
    }
}

When the job runs, Jenkins masks secret values in the log unless they are explicitly printed, so careful permission control is required to avoid leakage.
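One way to catch this kind of leak before a job runs is to lint the Jenkinsfile for lines that print a bound credential variable or interpolate it into a shell step. The script below is an added example, not code from the original article; the function name, rule names, sample pipeline and the gitlab.example.com URL are constructed for illustration, and the shell-interpolation rule goes one step beyond the printing case shown above.

```python
import re

# Name bound by a withCredentials binding (variable:, usernameVariable:, passwordVariable:, ...).
BINDING_RE = re.compile(r"\b\w*[vV]ariable\s*:\s*['\"](\w+)['\"]")
# Steps that write their argument to the build log.
PRINT_RE = re.compile(r"^\s*(?:println|print|echo)\b(.*)$")
# sh/bat/powershell steps whose script is a double-quoted, Groovy-interpolated string.
SHELL_RE = re.compile(r"^\s*(?:sh|bat|powershell)\b[^'\"]*\"(.*)\"")


def find_secret_leaks(jenkinsfile_text):
    """Return (line_no, rule, variable) tuples for lines that may expose a credential.

    Line-based heuristic: block scope and multi-line strings are not tracked.
    """
    secrets = sorted(set(BINDING_RE.findall(jenkinsfile_text)))
    findings = []
    for no, line in enumerate(jenkinsfile_text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # comment line
        printed = PRINT_RE.match(line)
        shell = SHELL_RE.match(line)
        for var in secrets:
            if printed:
                # Single-quoted Groovy strings are literals, so drop them first.
                arg = re.sub(r"'[^']*'", "", printed.group(1))
                if re.search(rf"\b{var}\b", arg):
                    findings.append((no, "printed-to-log", var))
            if shell and re.search(rf"(?<!\\)\$\{{?{var}\b", shell.group(1)):
                # Groovy expands the secret before the shell runs, so it becomes
                # part of the command text instead of an environment lookup.
                findings.append((no, "groovy-interpolation-in-shell", var))
    return findings


# Constructed sample pipeline fragment (credential ID and variable name as in the article).
SAMPLE = """\
withCredentials([string(credentialsId: 'gitlab-api-token', variable: 'gitUsers')]) {
    echo 'Hello World'
    println(gitUsers)
    sh "curl -H 'PRIVATE-TOKEN: ${gitUsers}' https://gitlab.example.com/api/v4/user"
    sh 'curl -H "PRIVATE-TOKEN: $gitUsers" https://gitlab.example.com/api/v4/user'
}
"""

if __name__ == "__main__":
    for finding in find_secret_leaks(SAMPLE):
        print(finding)
```

The single-quoted `sh` line is not flagged because the shell, not Groovy, resolves `$gitUsers` from the environment that withCredentials sets up.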

Additionally, a helper function for interacting with GitLab using a credential is provided:

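def HttpReq(reqType, reqUrl, reqBody) {
    // Plain http: the PRIVATE-TOKEN header is sent unencrypted to this server.
    def gitServer = "http://192.168.1.200:30088/api/v4"
    // Declare locally so the response does not end up in the script's global binding.
    def result
    withCredentials([string(credentialsId: 'gitlab-token', variable: 'gitlabToken')]) {
        result = httpRequest(
            // maskValue keeps the header value out of the console log.
            customHeaders: [[maskValue: true, name: 'PRIVATE-TOKEN', value: "${gitlabToken}"]],
            httpMode: reqType,
            contentType: "APPLICATION_JSON",
            // Writes the full response body to the build log.
            consoleLogResponseBody: true,
            // Disables TLS certificate validation for https URLs.
            ignoreSslErrors: true,
            requestBody: reqBody,
            url: "${gitServer}/${reqUrl}"
        )
    }
    return result
}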

The article concludes that Jenkins credential management enables secure storage of authentication data for pipelines, but notes that storing secrets in external systems can further reduce risk, and promises future coverage of Jenkins permission management.
