Jenkins credentials stored with global scope

Threat

Compromised credentials

Severity

High

Description

By default, Jenkins credentials are stored under the global scope. Global-scope credentials are accessible to every job on the instance, so anyone who can create or modify a job (for example by running a malicious job) can read them, which increases the risk of credential theft.

Remediations

Avoid creating credentials with the global scope. Instead, limit the scope of each credential so that it is accessible only to the jobs that require it.

To limit the scope of Jenkins credentials using folder scopes:

  1. Install the Folders plugin (https://plugins.jenkins.io/cloudbees-folder/).
  2. Create a folder for each group of pipelines that requires access to a set of credentials, and move those pipelines into the folder.
  3. Create the credentials inside the folder so that they are scoped to that folder rather than to the whole instance.
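
Once credentials have been moved into folders, an administrator still needs a way to check that nothing is left in the global scope. The following Script Console audit is an added example for this advisory, not Cider Security's code: it lists every credential held by the system (global) provider, which every job can read, next to the credentials already attached to a folder. It assumes the Credentials plugin and the Folders plugin (cloudbees-folder) are installed, since the class names come from those plugins; it is read-only and prints only credential ids and types, never secret values.

```groovy
// Added example (not from the original advisory): audit script for the Jenkins
// Script Console (Manage Jenkins -> Script Console). Assumes the Credentials
// plugin and the Folders plugin (cloudbees-folder) are installed; the classes
// below belong to those plugins. Read-only: prints ids and types, never secrets.
import jenkins.model.Jenkins
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials
import com.cloudbees.hudson.plugins.folder.Folder
import com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider

def jenkins = Jenkins.get()

// 1. Global scope: everything held by the system credentials provider.
//    These are visible to every job on the instance.
def globalCreds = SystemCredentialsProvider.getInstance().getCredentials()
println "Global-scope credentials (readable by every job): ${globalCreds.size()}"
globalCreds.each { c ->
    def id = (c instanceof IdCredentials) ? c.id : '<no id>'
    println "  [GLOBAL] ${id}  (${c.class.simpleName})"
}

// 2. Folder scope: credentials attached to a folder via the Folders plugin.
//    Only jobs inside that folder (and its subfolders) can see them.
def folders = jenkins.getAllItems(Folder)
folders.each { folder ->
    def prop = folder.properties.get(FolderCredentialsProvider.FolderCredentialsProperty)
    def folderCreds = prop ? prop.credentials : []
    if (folderCreds) {
        println "Folder '${folder.fullName}': ${folderCreds.size()} credential(s)"
        folderCreds.each { c ->
            def id = (c instanceof IdCredentials) ? c.id : '<no id>'
            println "  [FOLDER ${folder.fullName}] ${id}  (${c.class.simpleName})"
        }
    }
}

// 3. Summary: the global list is the remediation backlog for this finding.
if (globalCreds) {
    println "\nReview the ${globalCreds.size()} global-scope credential(s) above: " +
            "move each one into the folder of the jobs that need it, then delete the global copy."
} else {
    println "\nNo global-scope credentials found."
}
return null
```

Run it from the Script Console as an administrator after each migration step; when the global list is empty and every remaining credential appears under a folder, the remediation above is complete. Credentials that a job needs from several folders are a sign that the folder grouping in step 2 should be revisited rather than a reason to put the credential back in the global scope.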

To limit the scope of Jenkins credentials using user scopes:
Follow the instructions in the link below.
https://docs.cloudbees.com/docs/admin-resources/latest/pipelines/user-scoped-creds#_adding_user_scoped_credentials_to_your_user_account
