View Source

{excerpt}This plugin allows masking passwords that may appear in the console{excerpt}

h1. About this plugin

This plugin allows masking passwords that may appear in the console, including the ones defined as build parameters. This often happens, for example, when you use build steps which _can't_ handle passwords properly. Take a look at the following example.

h2. Before

Consider you're using an *Invoke Ant* build step to run an Ant target. This target requires a password to achieve its goal. You would end up having a job configuration like this:


Of course, you could have created a variable to store the password and use this variable in the build step configuration so that it doesn't appear as plain text. But you would still end with a console output like this:


h2. After

When activating the *Mask passwords* option in a job, the builds' *Password Parameters* (or any other type of build parameters selected for masking in *Manage Hudson* > *Configure System*) are automatically masked from the console. Furthermore, you can also safely define a list of static passwords to be masked (you can also define a list of static password shared by all jobs in Jenkins' main configuration screen). As such, the passwords don't appear anymore as plain text in the job configuration (plus it is ciphered in the job configuration file):


Once done, new builds will have the passwords masked from the console output:


h1. User guide

First, go to Jenkins' main configuration screen (*Manage Hudson* > *Configure System*) and select, in the *Mask Passwords - Configuration* section, which kind of build parameters have to be automatically masked from the console output:


Notice that, as of version 2.7, you can also define global passwords (defined as pairs of name/password) that can be accessed across all jobs.

Then, for a specific job, activate the *Mask passwords* option in the *Build Environment* section to mask passwords from the console:
# All the password parameters defined for the job will be automatically hidden.
# For each other kind of password (that is, static ones) that may appear in the console output, add an entry (by clicking on the *Add* button) and set the *Password* field.
You may additionally set the *Name* field. If you do so, the password will then be available as a standard variable. It is then possible to refer to this password using this variable rather than keying it in a field which is not ciphered. Take a look at the screenshots above for an example.

h1. Version history

h2. Version 2.8 (18/10/2015)

* (+) Implement SimpleBuildWrapper in order to support Workflow project type ([27392@issue])

h2. Version 2.7.4 (29/07/2015)

* (x) Password parameters were insensitive
* (x) "Mask passwords" build wrapper was generating insensitive environment variables

Fixed issues (to be investigated and updated):
* Masking of global password parameters in EnvInject ([25821@issue])
* Masked Passwords are shown as input parameters in Build pipeline plugin ([16516@issue])

h2. Version 2.7.3 (29/04/2015)

* Fixed [12161@issue]: EnvInject vars could have been not masked because of plugins loading order
* Fixed [14687@issue]: password exposed unencrypted in HTML source

h2. Version 2.7.2 (12/07/2011)

* Fixed [11934@issue]: Once a job config was submitted, new/updated global passwords were not masked
* Implemented [11924@issue]: Improved global passwords-related labels

h2. Version 2.7.1 (10/27/2011)

* Fixed [11514@issue]: When migrating from an older version of the plugin, {{NullPointerException{}}}s were preventing the jobs using Mask Passwords to load
* Fixed [11515@issue]: Mask Passwords global config was not actually saved when no global passwords were defined

h2. Version 2.7 (10/20/2011)

* Implemented [11399@issue]: It is now possible to define name/password pairs in Jenkins' main configuration screen (*Manage Hudson* > *Configure System*)

h2. Version 2.6.1 (05/26/2011)

* Fixed a bug which was emptying the console output if there was no password to actually mask

h2. Version 2.6 (04/29/2011)

* Added a new type of build parameter: *Non-Stored Password Parameter*
* Blank passwords are no more masked, avoiding overcrowding the console with stars

h2. Version 2.5 (03/11/2011)

* New configuration screen (in *Manage Hudson* > *Configure System*) allowing to select which build parameters have to be masked (*Password Parameter* are selected by default)
* Fixed a bug which was preventing to mask passwords containing regular expressions' meta-characters or escape sequences

h2. Version 2.0 (02/23/2011)

* Builds' *Password Parameter{*}s are now automatically masked.

h2. Version 1.0 (09/01/2010)

* Initial release