Environment
Jenkins 2.462.2
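Description
When a Jenkins Pipeline uses Credentials and the Jenkinsfile passes a credential insecurely, warnings appear in several places in the Pipeline.
Referencing a credential as HARBOR = credentials('凭证ID'), where 凭证ID stands for the credential ID, automatically defines three variables: HARBOR (username:password), HARBOR_USR (username) and HARBOR_PSW (password).
Status warning text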
The following steps that have been detected may have insecure interpolation of sensitive variables (click here for an explanation):
sh: [HARBOR_PSW]
sshPublisher: [HARBOR_PSW]
Console Output warning text
Warning: A secret was passed to "sshPublisher" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [HARBOR_PSW]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
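Passing credentials safely
When using a credential variable, wrap the variable reference on its own in single quotes and join it to the rest of the code with a plus sign. Groovy does not interpolate single-quoted strings, so the literal $HARBOR_PSW reaches the step and is resolved there from the build environment instead of being expanded into the command string by Groovy.
Example 1
Using a username-and-password credential (Usernames and passwords credentials) as the example, pass the credential to sh and log in to Harbor.
Code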
...
stage('安全传递凭证') {
    environment {
        // Defines HARBOR, HARBOR_USR and HARBOR_PSW
        HARBOR = credentials('凭证ID')
    }
    steps {
        // Credential variables are single-quoted so that the shell, not Groovy, expands them
        sh "docker build -t $proj_name:$proj_tag -f docker/Dockerfile-uwsgi . && \
            docker login -u " + '$HARBOR_USR' + " -p " + '$HARBOR_PSW' + " $harbor_addr && \
            docker tag $proj_name:$proj_tag $harbor_addr/$harbor_repo/$proj_name:$proj_tag && \
            docker push $harbor_addr/$harbor_repo/$proj_name:$proj_tag"
    }
}
...
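Example 2
Using a username-and-password credential (Usernames and passwords credentials) as the example, pass the credential to sshPublisher, which hands it to a shell script, and the shell script logs in to Harbor.
When the username is not configured to be masked, it can be placed directly inside the double quotes.
Code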
...
steps {
    sshPublisher(publishers: [sshPublisherDesc(configName: 't01-ubuntu', transfers:
        [sshTransfer(cleanRemote: false, excludes: '',
            // '$HARBOR_PSW' is single-quoted so Groovy does not expand it; the space
            // before it keeps the username and the password as separate arguments
            execCommand: "deploy-swarm.sh $harbor_addr $harbor_repo $proj_name $proj_tag $local_path $HARBOR_USR " + '$HARBOR_PSW',
            execTimeout: 120000, flatten: false, makeEmptyDirs: false, noDefaultExcludes: false, patternSeparator: '[, ]+',
            remoteDirectory: '', remoteDirectorySDF: false, removePrefix: '', sourceFiles: '')],
        usePromotionTimestamp: false, useWorkspaceInPromotion: false, verbose: false)])
...
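An added example, not from the original post: a small Python check that scans Jenkinsfile text for the pattern behind the warnings above, a variable derived from credentials() referenced inside a double-quoted Groovy string. The sample stage, `constructed-id` and `registry.example` are constructed, and treating `_USR` as secret by default is an assumption; Groovy comments that contain quotes and `withCredentials` bindings are not handled.

```python
import re

# `X = credentials('id')` in an environment block defines X, X_USR and X_PSW.
BINDING = re.compile(r"^\s*(\w+)\s*=\s*credentials\s*\(", re.M)
# Groovy string literals; only the double-quoted forms (dq, tdq) interpolate.
STRING = re.compile(
    r"'''(?:\\.|[^\\])*?'''"
    r'|"""(?P<tdq>(?:\\.|[^\\])*?)"""'
    r"|'(?:\\.|[^'\\\n])*'"
    r'|"(?P<dq>(?:\\.|[^"\\\n])*)"', re.S)
# $NAME, ${NAME} or ${env.NAME}, unless the dollar sign is backslash-escaped.
REFERENCE = re.compile(r"(?<!\\)\$\{?(?:env\.)?(\w+)")

def find_insecure_interpolation(text, username_is_secret=True):
    """Return sorted (line, variable) pairs where Groovy would expand a secret."""
    secrets = set()
    for var in BINDING.findall(text):
        secrets.update({var, var + "_PSW"})
        if username_is_secret:  # assumption: the caller knows whether it is masked
            secrets.add(var + "_USR")
    findings = set()
    for literal in STRING.finditer(text):
        group = "dq" if literal.group("dq") is not None else "tdq"
        if literal.group(group) is None:  # single-quoted: Groovy leaves $ alone
            continue
        for ref in REFERENCE.finditer(literal.group(group)):
            if ref.group(1) in secrets:
                pos = literal.start(group) + ref.start()
                findings.add((text.count("\n", 0, pos) + 1, ref.group(1)))
    return sorted(findings)

# Constructed stage: line 7 interpolates in Groovy, lines 8 and 9 do not.
SAMPLE = r'''
stage('push') {
    environment {
        HARBOR = credentials('constructed-id')
    }
    steps {
        sh "docker login -u $HARBOR_USR -p $HARBOR_PSW $harbor_addr"
        sh "docker login -u " + '$HARBOR_USR' + " -p " + '$HARBOR_PSW' + " $harbor_addr"
        sh 'echo "$HARBOR_PSW" | docker login -u "$HARBOR_USR" --password-stdin registry.example'
    }
}
'''

if __name__ == "__main__":
    for line, name in find_insecure_interpolation(SAMPLE):
        print(f"line {line}: ${name} is expanded by Groovy, not by the shell")
```

Pass `username_is_secret=False` for credentials whose username is not masked, which matches the condition stated for Example 2.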
Related questions
Passing credentials to Shell Script
Unable to interpolate sensitive environment variables
Passing a credential's username and password to a shell script
Jenkins: passing credentials to a shell script command