Subscribe to the Non-Human & AI Identity Journal

Jenkins Credentials

Jenkins credentials are secrets stored for use by builds and pipelines, including passwords, tokens, keys, and certificates. They are meant to be injected into jobs without exposing values in logs, but the security model still depends on the trustworthiness of the controller and its privileged operators.

Expanded Definition

Jenkins credentials are secret values stored inside Jenkins so pipelines and jobs can authenticate to source control, artifact registries, cloud APIs, deployment targets, and internal services. In practice, they function as non-human identities because the build system is acting with execution authority, not a person. The security question is not just where the secret is stored, but who can read it, where it is injected, and whether the controller, plugins, and administrators are trustworthy enough to handle it. The control model is still evolving across vendors, but the core principle aligns with the OWASP Non-Human Identity Top 10: treat pipeline secrets as privileged workload credentials, not convenience settings.

Jenkins credentials are often confused with simple configuration values or deployment variables, but they require stricter handling because they can be reused automatically across many jobs, branches, and environments. Their exposure risk increases when credentials are bound too broadly, copied into shared libraries, or revealed to users with script execution rights. The most common misapplication is treating Jenkins credentials as harmless build metadata, which occurs when teams grant broad job access and assume masking in logs is equivalent to access control.

Examples and Use Cases

Implementing Jenkins credentials rigorously often introduces operational friction, requiring teams to balance pipeline convenience against tighter scoping, rotation, and auditability.

  • A deployment pipeline uses a short-lived cloud token to push an image to a registry, following the static-versus-dynamic secret guidance in Ultimate Guide to NHIs — Static vs Dynamic Secrets instead of hard-coding long-lived keys.
  • A release job reads database credentials from Jenkins only during a controlled stage, limiting exposure after the task completes and avoiding reuse in unrelated jobs.
  • A security team reviews whether a shared folder of jobs can retrieve the same secret, using the access concerns described in Guide to the Secret Sprawl Challenge to identify overbroad distribution.
  • A build scans code in a public repository and must ensure the credential never appears in console output, archived artifacts, or environment dumps, consistent with the testing and governance principles in the OWASP Non-Human Identity Top 10.
  • A platform team replaces static API keys with ephemeral credentials for a pipeline that deploys to multiple clouds, reducing standing exposure when a job is compromised.

These patterns become especially important in CI/CD systems that integrate with internal platforms, where a single credential may authorize far more than the job author realizes.

Why It Matters in NHI Security

Jenkins credentials matter because they are often the easiest path from a compromised pipeline to high-value infrastructure. If an attacker can read a credential, hijack a plugin, or abuse an overly privileged operator account, the build system becomes a launch point for lateral movement, secret extraction, or production deployment abuse. NHI security teams should assume Jenkins is a workload identity issuer, not just an automation server, and apply least privilege, segregation of duties, rotation, and access review accordingly. The 2024 Non-Human Identity Security Report found that 88.5% of organisations say their non-human IAM practices lag behind or merely match their human IAM efforts, which helps explain why CI/CD secrets remain under-governed.

The risk is amplified when secrets are shared through weak channels or left in long-lived form, because Jenkins often becomes the central repository for build-time access. That is why the report’s finding that 23.7% of organisations share secrets through insecure methods such as email or messaging applications is directly relevant to pipeline operations. Organisational failures usually become visible only after a build compromise, a suspicious deployment, or exposed logs reveal that the pipeline itself has become the identity problem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-02 Covers secret exposure and improper workload credential handling in pipelines.
NIST CSF 2.0 PR.AC-1 Addresses identity and credential management for systems and services.
NIST SP 800-63 Provides identity assurance concepts that inform credential strength and lifecycle handling.

Use strong, lifecycle-managed credentials for Jenkins jobs and replace long-lived secrets where possible.