Secrets Exposure in Build Logs and Artifacts
Critical | Security | Updated Jul 1, 2025
Sensitive credentials (tokens, API keys, private keys) leak into Jenkins console logs and archived artifacts when not properly masked, creating security audit failures and compliance violations.
How to detect:
Scan build logs and artifacts for patterns matching secrets (AKIA for AWS, BEGIN RSA for keys). Monitor for echo commands that print credential variables. Alert on archived .env files or credential files in build artifacts.
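The three checks above as a small scanner. This is an added example, not code from Jenkins or any plugin: the regexes, the credential-name heuristic, the risky file-name list and all sample inputs are assumptions constructed for illustration.

```python
import re

# Rules follow the detection guidance above; the exact regexes are assumptions.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # echo/print of a variable whose name looks like a credential (naming heuristic)
    "echo_of_credential_variable": re.compile(
        r"\b(?:echo|printf|print)\b.*\$\{?\w*(?:TOKEN|SECRET|PASSWORD|API_KEY|CREDENTIAL)\w*",
        re.IGNORECASE,
    ),
}
# Archived file names that usually hold credentials (assumed list)
RISKY_ARTIFACT = re.compile(r"(?:^|/)(?:\.env(?:\.[\w.-]+)?|credentials(?:\.\w+)?|id_rsa|[^/]+\.pem)$")


def scan_text(text):
    """Return (line_number, rule) findings for a console log or pipeline script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings


def scan_artifacts(paths):
    """Return archived paths whose file name suggests a credential file."""
    return [p for p in paths if RISKY_ARTIFACT.search(p)]


def should_block_upload(log_text, artifact_paths):
    """Gate for the 'block artifact upload if secrets detected' step."""
    return bool(scan_text(log_text) or scan_artifacts(artifact_paths))


# Constructed samples; the key ID is the placeholder used in AWS documentation.
SAMPLE_LOG = """[Pipeline] sh
+ aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
+ cat deploy_key
-----BEGIN RSA PRIVATE KEY-----
+ echo build finished
"""
SAMPLE_PIPELINE = """withCredentials([string(credentialsId: 'deploy', variable: 'DEPLOY_TOKEN')]) {
    sh 'echo $DEPLOY_TOKEN'
}
"""
SAMPLE_ARTIFACTS = ["dist/app.jar", "dist/config/.env", "dist/.env.production", "reports/junit.xml"]

if __name__ == "__main__":
    print(scan_text(SAMPLE_LOG), scan_text(SAMPLE_PIPELINE), scan_artifacts(SAMPLE_ARTIFACTS))
```

The echo rule is applied to the pipeline script as well as the log because a shell trace in the console shows the expanded value, not the variable name.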
Recommended action:
Always use the withCredentials() wrapper for secrets in pipelines. Enable secret masking in Jenkins. Implement pre-build secret scanning with tools like GitLeaks. Block artifact upload if secrets are detected. Never use echo or print with credential variables.