Jenkins Rules (J01-J30)
30 rules for Jenkinsfiles (Declarative and Scripted). Each violation deducts the rule's points from the Security Score.
Credentials & Secrets (J01-J05)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| J01 | CRIT | 4 | Shell command with Groovy string interpolation | Use single quotes, sh '${var}', inside withCredentials so the shell, not Groovy, expands the variable |
| J02 | CRIT | 4 | No withCredentials block for secret usage | Wrap secret usage in withCredentials([...]) { } |
| J03 | HIGH | 3 | Hardcoded credentials in Jenkinsfile | Store in Jenkins Credentials and use withCredentials |
| J04 | HIGH | 3 | Echo or println leaking secrets | Remove echo/println containing credential variables |
| J05 | MED | 3 | writeFile with secret content | Use Jenkins credentials binding instead of file-based secrets |
Sandbox & Code Execution (J06-J10)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| J06 | CRIT | 4 | Groovy sandbox bypass attempt | Remove sandbox bypass constructs - use approved methods |
| J07 | HIGH | 3 | No timeout on pipeline or stages | Add timeout(time: 30, unit: 'MINUTES') to options |
| J08 | MED | 3 | No build discarder for log rotation | Add buildDiscarder(logRotator(numToKeepStr: '10')) |
| J09 | HIGH | 3 | Pipeline replay not disabled | Add disableReplay() to pipeline options block |
| J10 | HIGH | 3 | Using agent any without restriction | Replace agent any with agent { label 'build-node' } |
Shared Libraries & Dependencies (J11-J15)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| J11 | CRIT | 4 | Shared library loaded without version pinning | Pin to specific version: @Library('lib@v1.2.3') |
| J12 | MED | 3 | No input validation for pipeline parameters | Validate and sanitize all params before shell use |
| J13 | MED | 2 | No post-build cleanup | Add cleanWs() in post { always { } } block |
| J14 | HIGH | 3 | Running on master/built-in node | Use agent { label 'build-node' } instead |
| J15 | MED | 3 | No post-failure handling | Add post { failure { notify } always { cleanup } } |
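A declarative Jenkinsfile that satisfies the credential, sandbox and shared-library rules in the three sections above, added here as an illustration and not taken from the rule set's own documentation; the library name, the 'build-node' label, the 'registry-creds' credential ID and the registry host are assumed placeholders.

```groovy
// Added example: a Jenkinsfile shaped to pass J01-J15. Names in quotes are placeholders.
@Library('shared-pipeline-lib@v1.2.3') _        // J11: shared library pinned to a version

pipeline {
    agent { label 'build-node' }                 // J10/J14: not 'agent any', not the built-in node
    options {
        timeout(time: 30, unit: 'MINUTES')       // J07: bound total run time
        buildDiscarder(logRotator(numToKeepStr: '10')) // J08: rotate build logs
        disableReplay()                          // J09: no script replay from the UI
    }
    stages {
        stage('Publish') {
            steps {
                // J02/J03: the secret lives in the Jenkins credential store, not in this file
                withCredentials([usernamePassword(credentialsId: 'registry-creds',
                                                  usernameVariable: 'REG_USER',
                                                  passwordVariable: 'REG_PASS')]) {
                    // J01: single-quoted Groovy string, so $REG_USER/$REG_PASS are expanded by
                    // the shell at run time. The flagged form, sh "... ${REG_PASS}", would let
                    // Groovy paste the secret into the command text that Jenkins logs.
                    sh 'printf "%s" "$REG_PASS" | docker login -u "$REG_USER" --password-stdin registry.example.com'
                }
            }
        }
    }
    post {
        always  { cleanWs() }                    // J13: clean the workspace after every run
        failure { echo 'Publish stage failed' }  // J15: failure handling, with no credential variables in echo (J04)
    }
}
```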
Security Controls (J16-J20)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| J16 | CRIT | 4 | bat command with string interpolation | Use bat with single quotes and withCredentials |
| J17 | HIGH | 3 | Docker agent using latest tag | Pin Docker agent image to specific version |
| J18 | MED | 3 | No input submitter restriction | Add submitter: 'admin,deployers' to input step |
| J19 | MED | 2 | Archiving sensitive artifacts | Exclude sensitive files from archiveArtifacts |
| J20 | HIGH | 3 | Building fork PRs without restriction | Disable fork PR builds or use sandbox |
Best Practices (J21-J25)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| J21 | MED | 3 | No retry on deployment stages | Add retry(2) on deployment and external service stages |
| J22 | MED | 2 | No resource locking for deployments | Add lock(resource: 'deploy-prod') around deploy stage |
| J23 | LOW | 2 | No durability hint for pipeline performance | Add durabilityHint('PERFORMANCE_OPTIMIZED') to options |
| J24 | MED | 2 | No parallel execution for independent stages | Run independent stages in parallel {} block |
| J25 | MED | 3 | No error handling with catchError or try-catch | Use catchError or try-catch for non-critical stages |
Advanced Security (J26-J30)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| J26 | HIGH | 4 | Using script block in declarative pipeline | Minimize script blocks - use declarative steps |
| J27 | MED | 3 | No notification on pipeline status change | Add slackSend or emailext in post { failure { } } |
| J28 | HIGH | 3 | Unstash or stash containing secrets | Never stash sensitive files - use withCredentials per stage |
| J29 | MED | 2 | No when condition for stage execution | Add when { branch 'main' } conditions for deploy stages |
| J30 | MED | 3 | No JNLP agent security restriction | Restrict agent connections with security realm settings |
Total: 30 rules across 6 sections. Every violation deducts from the Security Score.