8

We're running Jenkins with multibranch pipeline plugin attached to GitHub organization's repository with Jenkinsfile in some of its branches. Jenkins has access to multiple other agents & nodes where it deploys code after it's successfully built.

The problem: I want to prevent other devs from running builds with modified Jenkinsfile in their branches and pull requests.

  • Solution 1: when statement in Jenkinsfile: poor security. Anyone can modify it, remove the when clause and break production.
  • Solution 2: locked files on repo: not available on GitHub. I'm seriously considering moving to GitLab because they have this function.
  • Solution 3: seperate job in Jenkins for deployment: overkill. I think there should be a Pipeline-ish solution for this.

How can I make sure that the used Jenkinsfile is authentic and not modified? Is there any solution to this that I'm missing? I want this to be secure enough to prevent anyone with push access from intentionally breaking things, e. g. git pre-push hooks are not a solution.

Andrew Dunai
  • 3,061
  • 19
  • 27
  • isn't it a question of security of jenkins (who could run this job) and/or target system (that should reject deployment from unknown sources) ? If it will be managed by code that do deployment - then any dev could hack it. – daggett Jun 13 '17 at 10:26
  • @daggett right. But I'm looking for a way of preventing any devs (except the privileged ones) from building using custom `Jenkinsfile`. One (possible) solution I was thinking of is to make Jenkins somehow use `Jenkinsfile` from target branch of pull request (or the `master` branch), not the source one. – Andrew Dunai Jun 13 '17 at 11:19
  • 2
    Did you ever arrive at a solution for this? I'm in a similar situation where I want to prohibit arbitrary code from being run by my Jenkinsfile – bearrito Feb 14 '18 at 16:58
  • yeah, same here, seems like a common ask, anyone come up with a decent solution yet? i feel like should be an option on the github-org plugin... – tony_k Sep 25 '21 at 01:44

2 Answers2

3

You can use Custom Script mode under Build Configuration section in the configuration of the multibranch project, this way the jenkinsfile in the different branches will not be used but what you either define in the job configuration by selecting pipeline script in Definition section and preventing the developers to modify the jenkins job configuration, or you can specify any file to be the jenkins file in basically any repository by selecting Pipeline script from SCM.

For example non of our repositories have a jenkinsfile, there is only one jenkinsfile for all of our projects that only I update and lives in a separate repository.

Gergely Toth
  • 6,638
  • 2
  • 38
  • 40
  • Just a note: if you put your Jenkinsfile outside the repo you are testing with, you will break any and all tooling that tries to "detect" the environment. An example might be code coverage (cause that's where it's bitten me). Lots of coverage tools look at environment variables like GIT_BRANCH. If you checkout some other repo for your jenkinsfile, then it will have the wrong value for GIT_BRANCH and jenkins doesn't seem to update that environment when you change it in the pipeline. – apanzerj Apr 17 '18 at 18:19
  • @Gergely Toth where are you seeing those options on the Multibranch Pipeline configuration page? – user55691 Jun 19 '19 at 17:34
1

I'm facing the same problem right now, this Jenkins Plugin probably could help us: Remote Jenkinsfile Provider Plugin

I've got the below sentence from their docs:

With this plugin you can define/set Jenkins files from another repository while still able to use MultiBranch Pipeline Project features. This way you will be able to centralize all Jenkins files in another repository where you can review or restrict changes and use MultiBranch Pipeline for multi branched repositories.

So, you might have other repo where you store the Jenkinsfile and give access only for the right people to change it.

I'll probably give it a try in the next weeks.

Marcus Vinicius N. Bondezan
  • 101
  • 1
  • 7