Hiding passwords in Jenkins Pipeline log output without using WithCredentials

Question

I have a parametrized Jenkins pipeline based on a Jenkinsfile. Some of the parameters contain sensitive passwords that I don't want to appear in the job's build logs.

So my question is: can I somehow register a String within the Jenkinsfile that is then replaced - by let's say ********** - whenever it appears in the log output?

I am aware of the withCredentials step, but I can't use it, since the credentials are not stored in the Jenkins credentials store (but provided as parameters at runtime).

I found this answer here https://stackoverflow.com/a/42372859/1549950 and tried it like this:

def secrets = [
    [password: firstPassword, var: 'SECRET'],
    [password: secondPassword, var: 'SECRET'],
    [password: thirdPassword, var: 'SECRET']
]

node() {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: secrets]) {
        // my stages containing steps...
    }
}

Where firstPassword, secondPassword, thirdPassword are variables containing my passwords. But still I get the content of firstPassword... displayed plain text in the log output.

I have the Mask Password plugin installed on my Jenkins in version 2.12.0.

Basically I am searching for something like this: https://issues.jenkins-ci.org/browse/JENKINS-27486 - ticket is resolved, but no sample snippet of final implementation is given.

Answer 1

Actually I don't know why this didn't work in the first place, but here is the solution to the problem.

Define an array with secrets that you want to hide like this:

def splunkPassword = 'verySecretPa55w0rd'
def basicAuthPassword = 'my8asicAuthPa55w0rd'

def getSecrets() {
    [
            [password: splunkPassword, var: 'SECRET'],
            [password: basicAuthPassword, var: 'SECRET']
    ]
}

Disclaimer: I don't know whether the SECRET value has an important role, copy and pasted it from some snippet and it works as expected :)

Afterwards, you can wrap any calls in your scripted pipeline like this:

node {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: getSecrets()]) {
        stage 'First Stage' { ... }
        stage 'Second Stage' { ... }
    }
}

All passwords provided in the getSecrets() array will then be masked like this in your build output:

SPLUNK_PASSWORD: ********
BASIC_AUTH_ADMIN_PASSWORD: ********

Answer 2

I think you are looking for JENKINS-36007?