Description
By default, Jenkins credentials are created with the global scope. Global-scope credentials can be used by every job on the instance, so anyone who can run or modify a job (for example, by submitting a malicious pipeline) can read or exfiltrate them.
Remediations
Avoid creating credentials with the global scope. Instead, limit the scope of each credential so that it is accessible only to the jobs that require it.
To limit the scope of Jenkins credentials using folder scopes:
- Install the Folders plugin (https://plugins.jenkins.io/cloudbees-folder/).
- Create a folder for each group of pipelines that require access to a set of credentials, and move the pipelines to the folder.
- Create the credentials from within the folder (Folder > Credentials) so that they are stored in the folder's credential store and are only visible to jobs inside that folder.
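To check how far along an instance is with the remediation above, an administrator can list which credentials are still reachable from any job and which are already confined to a folder. The following Script Console script is an added example, not part of the original page or of any Jenkins plugin; it assumes the Credentials plugin and the Folders plugin are installed and uses their public Java API (class names as assumed below). It only reads metadata and never prints secret values.

```groovy
// Added audit script (not from the original page). Run it in
// Manage Jenkins > Script Console with administrator rights.
// Assumed plugin classes: com.cloudbees.plugins.credentials.* (Credentials plugin)
// and com.cloudbees.hudson.plugins.folder.* (Folders plugin).
import jenkins.model.Jenkins
import com.cloudbees.plugins.credentials.CredentialsNameProvider
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials
import com.cloudbees.hudson.plugins.folder.Folder
import com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider.FolderCredentialsProperty

// Human-readable label for a credential: id, display name and type. No secret material.
def describe = { c ->
    def id = (c instanceof IdCredentials) ? c.id : '<no id>'
    "${id} (${CredentialsNameProvider.name(c)}, ${c.class.simpleName})"
}

// Label for a credentials domain; the unnamed default domain is reported as "(global)".
def domainLabel = { d -> d.isGlobal() ? '(global)' : d.name }

// 1. System store (Manage Jenkins > Credentials > System).
//    Scope GLOBAL  = usable by every job on the instance  -> finding.
//    Scope SYSTEM  = usable only by Jenkins itself (agent launch, etc.), never by a job.
def globalFindings = []
SystemCredentialsProvider.getInstance().getDomainCredentialsMap().each { domain, creds ->
    creds.each { c ->
        if (c.scope == CredentialsScope.GLOBAL) {
            globalFindings << "${domainLabel(domain)} ${describe(c)}"
        }
    }
}

// 2. Folder stores: these credentials are visible only to jobs inside the folder,
//    which is the state the remediation steps aim for.
def folderCreds = [:]
Jenkins.instance.getAllItems(Folder).each { folder ->
    def prop = folder.properties.get(FolderCredentialsProperty)
    if (prop == null) {
        return
    }
    def entries = []
    prop.getDomainCredentialsMap().each { domain, creds ->
        creds.each { c -> entries << "${domainLabel(domain)} ${describe(c)}" }
    }
    if (!entries.isEmpty()) {
        folderCreds[folder.fullName] = entries
    }
}

println "Credentials reachable from ANY job (system store, GLOBAL scope): ${globalFindings.size()}"
globalFindings.each { println "  FINDING  ${it}" }
println ''
println "Credentials already limited to a folder (${folderCreds.size()} folder(s)):"
folderCreds.each { name, entries ->
    println "  ${name}/"
    entries.each { println "    ${it}" }
}
```

Each line marked FINDING is a candidate for moving into a folder store (or, for credentials used only by Jenkins itself such as agent connection secrets, for changing the scope to SYSTEM). Re-running the script after the migration should leave the first list empty.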
To limit the scope of Jenkins credentials using user scopes:
Follow the instructions in the link below.
https://docs.cloudbees.com/docs/admin-resources/latest/pipelines/user-scoped-creds#_adding_user_scoped_credentials_to_your_user_account