From acde5c5334ad4ea9da261435077961bf9d1399b3 Mon Sep 17 00:00:00 2001 From: pcowley Date: Wed, 11 Dec 2024 14:26:52 -0700 Subject: [PATCH 1/2] SECURITY ISSUE: JENKINS_HOME.gitignore must ignore credentials.xml, as that file may contain encrypted secrets. --- JENKINS_HOME.gitignore | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/JENKINS_HOME.gitignore b/JENKINS_HOME.gitignore index 2516c09949..ac2d028a33 100644 --- a/JENKINS_HOME.gitignore +++ b/JENKINS_HOME.gitignore @@ -4,11 +4,12 @@ # http://jenkins-ci.org/ # https://wiki.jenkins-ci.org/display/JENKINS/Administering+Jenkins # -# Note: secret.key is purposefully not tracked by git. This should be backed up -# separately because configs may contain secrets which were encrypted using the -# secret.key. To back up secrets use 'tar -czf /tmp/secrets.tgz secret*' and -# save the file separate from your repository. If you want secrets backed up -# with configuration, then see the bottom of this file for an example. +# Note: secret.key and credentials.xml are purposefully not tracked by git. +# They should be backed up separately because configs may contain secrets which +# were encrypted using the secret.key. To back up secrets use +# 'tar -czf /tmp/secrets.tgz secret*' and save the files separate from your +# repository. If you want secrets backed up with configuration, then see the +# bottom of this file for an example. # Ignore all JENKINS_HOME except jobs directory, root xml config, and # .gitignore file. 
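Review bot: the backup command kept in the rewritten comment, 'tar -czf /tmp/secrets.tgz secret*', does not pick up credentials.xml, so the note now names two untracked files but the command it gives archives only the ones whose names start with "secret". Either extend it, e.g. 'tar -czf /tmp/secrets.tgz secret* credentials.xml', or say explicitly that credentials.xml has to be copied separately. The comment also gives the two files one shared reason for being untracked ("configs may contain secrets which were encrypted using the secret.key"), but they are untracked for different reasons: credentials.xml is one of those configs (it carries the ciphertext), while secret.key is what decrypts them. Saying so would stop a reader from concluding that credentials.xml is excluded because it is key material and could be committed once the key is kept out.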
@@ -40,7 +41,12 @@ jobs/**/*workspace # Security warning: If secrets are included with your configuration, then an # adversary will be able to decrypt all encrypted secrets within Jenkins -# config. Including secrets is a bad practice, but the example is included in +# config. + +# Ignore credentials.xml, as it can contain encrypted secrets. +**/credentials.xml + +# Including secrets is a bad practice, but the example is included in # case someone still wants it for convenience. Uncomment the following line to # include secrets for decryption with repository configuration in Git. From 64c9a7b29a77690f81224cf775c18140920a8147 Mon Sep 17 00:00:00 2001 From: pcowley Date: Wed, 11 Dec 2024 17:25:02 -0700 Subject: [PATCH 2/2] Modified jenkins .gitignore to include job config files. Job config.xml files contain important configuration data, sometimes including `` which is literally code. Code needs to be version controlled. --- JENKINS_HOME.gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/JENKINS_HOME.gitignore b/JENKINS_HOME.gitignore index ac2d028a33..9803840ab3 100644 --- a/JENKINS_HOME.gitignore +++ b/JENKINS_HOME.gitignore @@ -18,10 +18,11 @@ !/.gitignore !/*.xml -# Ignore all files in jobs subdirectories except for folders. +# Ignore all files in jobs subdirectories except for folders and job config. # Note: git doesn't track folders, only file content. jobs/** !jobs/**/ +!jobs/**/config.xml # Uncomment the following line to save next build numbers with config.
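Review bot: the new rule and its comment land in the middle of the security warning, so the paragraph now reads "...decrypt all encrypted secrets within Jenkins config." / "**/credentials.xml" / "Including secrets is a bad practice, but the example is included in case..." and the second sentence is cut off from the warning it continues. Move the "Ignore credentials.xml" block above the "# Security warning:" comment (or below the opt-in example) so the warning paragraph stays together. Two things are worth stating in that comment as well: the rule has to stay below "!/*.xml" (line 19 in the second patch's context), because that re-include would otherwise put the root credentials.xml back under version control, and with this rule in place the "Uncomment the following line to include secrets" example will no longer capture credentials.xml, so if that example is meant to keep secrets together with configuration it now needs a matching "!credentials.xml" line.

Review bot: "!jobs/**/config.xml" re-includes every config.xml below jobs/, which is what the commit message asks for, but job config is also one of the "configs [that] may contain secrets which were encrypted using the secret.key" from the file header: Jenkins stores, for example, the default value of a password-type build parameter in the job's config.xml in encrypted form. The comment on line 21 should say that tracking job config is only safe while secret.key and secrets/ stay untracked, i.e. the same warning the header gives for the root xml files applies here too. Also keep the ordering against the "jobs/**/*workspace" rule shown as this hunk's context: that exclusion must remain below "!jobs/**/" and the new line, otherwise a workspace checkout's own config.xml files are re-included as well. Finally, the inline code span in the commit message is empty as posted ("sometimes including `` which is literally code"), so the element name it refers to is lost.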