如何从 Jenkins 管道控制台输出中隐藏 APIKey 等参数

Question

当我在 stage 中执行脚本时，如何隐藏某些参数或****它们。

产生我想隐藏的输出的命令是：

sh "./wsagent_execute.sh -s -apiKey ${WHITESOURCE_API_KEY} -projectToken ${WHITESOURCE_PROJECT_TOKEN} -C ${configPath} -d ${directoryPath} -logLevel info"

我想隐藏的参数是-apiKey和-projectToken。我该怎么做？

Answer 1

这些键是在管道中计算的还是静态的？您可以尝试在 Jenkins 中像使用凭据一样使用它，并且在日志中看不到它们的值。

Answer 2

如果您在 Jenkins 凭据中使用秘密定义，Jenkins 会自动为您屏蔽它并在日志中显示为 ****

假设您已经在 jenkins 凭据中定义了您的 apiKey，其 ID 为：apikey。比你可以像下面的例子那样在你的管道上使用它。

可以找到更多详细信息here

node() {
   withCredentials([string(credentialsId: 'apikey', variable: 'TOKEN')]) {
      sh "./wsagent_execute.sh -s -apiKey $TOKEN -projectToken ${WHITESOURCE_PROJECT_TOKEN} -C ${configPath} -d ${directoryPath} -logLevel info"
   }
}

如果您对此不满意，请使用 mask password 或类似插件

Answer 3

如果您从保管库中获取凭据，则可以使用 Mask Passwords 插件。它没有声明它支持管道，但实际上它支持。


pipeline {
    agent any

    stages {
      stage('doing something') {
        steps {
          script {
            def current_nano = "1616407597607795668"
            sh label: "Now you see it", script: "echo ${current_nano}"
            maskPasswords(varPasswordPairs: [[password: current_nano, var: 'IGNORE']]) {
              sh label: "Now you don't", script: "echo ${current_nano}"
            }
          }
        }
      }
    }
}

输出：

[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /var/jenkins_home/workspace/
[Pipeline] {
[Pipeline] stage
[Pipeline] { (doing something)
[Pipeline] script
[Pipeline] {
[Pipeline] sh (Now you see it)
+ echo 1616407597607795668
1616407597607795668
[Pipeline] maskPasswords
[Pipeline] {
[Pipeline] sh (Now you don't)
+ echo ********
********
[Pipeline] }
[Pipeline] // maskPasswords
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

如何从 Jenkins 管道控制台输出中隐藏 APIKey 等参数

How to hide parameters such as APIKey from Jenkins pipeline console output

unix

linux

shell

jenkins

jenkins-pipeline