Managing Script Security

Script security plugin provides increased flexibility to execute commands and do processing comes increased importance of being able to control security on the scripts that developer executes

Script Checking

When a Jenkins administrator creates a script or includes a script in a configuration and saves it, the script is automatically approved and added to an approved list. Those scripts in the approved list can be run by anyone. If a non-administrator tries to run a script and it is not one in the approved list, then it is prohibited from running until/ unless approved by an administrator.

The reason for this is that, unlike filling in web forms, scripts can (attempt to) do any arbitrary operations, including referencing internal objects in Jenkins. This could be a security risk as well as a technical risk, depending on what the script is trying to do.

An example of a script that needs to be approved is shown below screenshot.

Script Approval

If a non-administrator tries to run a script that needs approval, Jenkins will prohibit running it. It will also add a notice about the need for approval to a queue, for an administrator to review. An administrator can then log in to Jenkins and go to Manage Jenkins → “In-process Script Approval.” An alert of the form “scripts pending approval” will be waiting for the administrator.

Groovy Sandboxing

While the script approval mechanism provides a good sign-off mechanism to validate scripts, approving every new script from a non-administrator can become laborious and unmanageable over time. To help with simplifying that burden, Jenkins 2 also supports the ability to run scripts in a Groovy Sandbox. This is enabled by checking the Use Groovy Sandbox option at the bottom of the pipeline script text window.

The basic idea here is that there are a set of “whitelisted” methods maintained by Jenkins. This means that these methods are deemed to be safe to use in any script. If the option to use the Groovy Sandbox is selected and the script only makes use of methods in the whitelist that are known as safe, the script is allowed to run without approval. This saves the extra overhead of requiring an administrator to approve it.

However, if any of the methods in the script are not in the whitelist, then the script is not allowed to run and an error is flagged in below screenshot. In that case, the method is queued for approval by the administrator—just as the scripts are in the regular script approval process mentioned above.