NashTech Insights

How to mask secrets in Jenkins

Naincy Kumari
Naincy Kumari
Table of Contents
data codes through eyeglasses

In today’s fast-paced development environments, continuous integration and continuous deployment (CI/CD) pipelines have become integral to the software development lifecycle. Jenkins, a popular automation server, plays a crucial role in orchestrating these pipelines. However, with the increasing importance of security, it’s essential to handle sensitive information, such as API keys, passwords, and tokens, with care. In this blog, we will explore how to mask secrets in Jenkins to ensure that our pipeline remains secure.

Why Masking Secrets Matters?

Exposing sensitive information in plain text within Jenkins configurations can lead to unauthorized access, data breaches, and potential security vulnerabilities. So, to avoid these things its best practice to mask these secrets an keep it secure. By masking secrets, we can prevent unauthorized personnel from viewing or misusing these critical credentials.

Let’s see how to mask secrets in Jenkins.

Steps to mask secrets in Jenkins:

Step 1: Firstly we need to install mask password plugin in Jenkins. Move to “Manage Jenkins” section and proceed to “Manage Plugins.” Search to find the Mask Passwords plugin.


After locating the plugin, install it and then select “Download now and install after restart.” 

install plugin

Once the installation is complete, we are good to proceed now.

Step2: As our plugin is ready to use, we can now use the MaskPasswordsBuildWrapper within our Jenkins pipelines. 

Here I want to mask my build parameter in Jenkins. So, for this I have created a parameter ‘GITHUB_PASSWORD’ and I need to mask this so that its value doesn’t appear in jenkins console output. 

Following is the pipeline script which will mask this build parameter.



        password(name: 'GITHUB_PASSWORD', defaultValue: '', description: 'Enter your GitHub Password')



pipeline {

    agent any

    stages {

        stage('Masking_Secrets') {

            steps {


                SECRET = params.GITHUB_PASSWORD

                wrap([$class: 'MaskPasswordsBuildWrapper', 

                     varPasswordPairs: [[password: SECRET]]]) { 

                sh "echo ${SECRET}"







This script contains the MaskPasswordsBuildWrapper which will mask the ‘GITHUB_PASSWORD’.

Step3: Run the pipeline and test it. I will pass build parameter here to verify masking.

jenkins build

Console output of this build:

masked secret

Here we can see the password is successfully masked. This is how we can mask the important credentials which can lead to unauthorized access.


In this blog, we learnt how we can mask secrets in Jenkins. By following the best practices outlined in this guide, we can ensure that sensitive information remains protected from unauthorized access. Remember that security is an ongoing effort, so regularly review and update your practices to stay ahead of potential threats. By incorporating these measures, we can contribute to a more secure and efficient CI/CD pipeline.

Naincy Kumari

Naincy Kumari

Leave a Comment

Your email address will not be published. Required fields are marked *

Suggested Article

%d bloggers like this: