Mask Passwords Plugin

Skip to end of metadata
Go to start of metadata

This plugin allows masking passwords that may appear in the console

Plugin Information

Plugin ID mask-passwords Changes In Latest Release
Since Latest Release
Latest Release
Latest Release Date
Required Core
Dependencies
2.7.3 (archives)
Apr 30, 2015
1.420
Source Code
Issue Tracking
Pull Requests
Maintainer(s)
GitHub
Open Issues
Pull Requests
Romain Seguy (id: rseguy)
Usage Installations 2014-Jun 3314
2014-Jul 3463
2014-Aug 3542
2014-Sep 3769
2014-Oct 3922
2014-Nov 3961
2014-Dec 4068
2015-Jan 4228
2015-Feb 4418
2015-Mar 4741
2015-Apr 4842
2015-May 4890

About this plugin

This plugin allows masking passwords that may appear in the console, including the ones defined as build parameters. This often happens, for example, when you use build steps which can't handle passwords properly. Take a look at the following example.

Before

Consider you're using an Invoke Ant build step to run an Ant target. This target requires a password to achieve its goal. You would end up having a job configuration like this:

Of course, you could have created a variable to store the password and use this variable in the build step configuration so that it doesn't appear as plain text. But you would still end with a console output like this:

After

When activating the Mask passwords option in a job, the builds' Password Parameters (or any other type of build parameters selected for masking in Manage Hudson > Configure System) are automatically masked from the console. Furthermore, you can also safely define a list of static passwords to be masked (you can also define a list of static password shared by all jobs in Jenkins' main configuration screen). As such, the passwords don't appear anymore as plain text in the job configuration (plus it is ciphered in the job configuration file):

Once done, new builds will have the passwords masked from the console output:

User guide

First, go to Jenkins' main configuration screen (Manage Hudson > Configure System) and select, in the Mask Passwords - Configuration section, which kind of build parameters have to be automatically masked from the console output:

Notice that, as of version 2.7, you can also define global passwords (defined as pairs of name/password) that can be accessed across all jobs.

Then, for a specific job, activate the Mask passwords option in the Build Environment section to mask passwords from the console:

  1. All the password parameters defined for the job will be automatically hidden.
  2. For each other kind of password (that is, static ones) that may appear in the console output, add an entry (by clicking on the Add button) and set the Password field.
    You may additionally set the Name field. If you do so, the password will then be available as a standard variable. It is then possible to refer to this password using this variable rather than keying it in a field which is not ciphered. Take a look at the screenshots above for an example.

Version history

Version 2.7.5 (not yet release)

Version 2.7.3 (29/04/2015)

  • Fixed issue #12161: Env-inject vars could have been not masked because of plugins loading order
  • Fixed issue #14687: password exposed unencrypted in HTML source

Version 2.7.2 (12/07/2011)

  • Fixed issue #11934: Once a job config was submitted, new/updated global passwords were not masked
  • Implemented issue #11924: Improved global passwords-related labels

Version 2.7.1 (10/27/2011)

  • Fixed issue #11514: When migrating from an older version of the plugin, NullPointerExceptions were preventing the jobs using Mask Passwords to load
  • Fixed issue #11515: Mask Passwords global config was not actually saved when no global passwords were defined

Version 2.7 (10/20/2011)

  • Implemented issue #11399: It is now possible to define name/password pairs in Jenkins' main configuration screen (Manage Hudson > Configure System)

Version 2.6.1 (05/26/2011)

  • Fixed a bug which was emptying the console output if there was no password to actually mask

Version 2.6 (04/29/2011)

  • Added a new type of build parameter: Non-Stored Password Parameter
  • Blank passwords are no more masked, avoiding overcrowding the console with stars

Version 2.5 (03/11/2011)

  • New configuration screen (in Manage Hudson > Configure System) allowing to select which build parameters have to be masked (Password Parameter are selected by default)
  • Fixed a bug which was preventing to mask passwords containing regular expressions' meta-characters or escape sequences

Version 2.0 (02/23/2011)

  • Builds' Password Parameters are now automatically masked.

Version 1.0 (09/01/2010)

  • Initial release

Labels

plugin-misc plugin-misc Delete
plugin-buildwrapper plugin-buildwrapper Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.