Jenkins
Discover controllers, agents/nodes, folders & jobs (freestyle, pipeline, multibranch), credentials & bindings, plugins, authorization strategy and **effective permissions** at execution time. Govern non-human identities (agents, tokens, pipelines) and stop risky actions before impact.
What the connector discovers
- Controllers, Nodes/Agents & Labels
Controller metadata, online/offline agents (inbound/JNLP/SSH), executor counts, labels, workspace hints and agent network posture.
- Folders, Jobs & Pipelines
Folders/multibranch pipelines, job types (freestyle, pipeline), SCM links, webhook endpoints, Jenkinsfile presence/paths, shared libraries.
- Credentials & Bindings (metadata)
Credentials store entries (IDs, types: username/secret, SSH keys, tokens — metadata only), uses/bindings in jobs/environments, rotation windows.
- Plugins & Versions
Installed plugins with versions, update availability and known risk hints; core version, crumb issuer/CSRF, remoting/CLI posture.
- Security & Authorization Strategy
Matrix/Role strategy, Overall/Read & SystemRead settings, anonymous access, user list (metadata), API token posture, script approval state (metadata).
- Effective Permissions
Identity (runner/token/pipeline) → permissions/policy → job/environment → allowed actions at time-of-execution.
Jenkins is your build & release nerve center. Agents, tokens and pipelines can move code, secrets and artifacts at scale. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.
Drift-aware risk scoring
Baselines per controller/agent/job; peer groups by team; detect credential sprawl, privileged agents, risky webhook paths, outdated/vulnerable plugins and anomalous secret/env access in pipelines.
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. JIT approvals before secret binding, restrict jobs to safe labels, and block pipelines that violate guardrails (e.g., publishing to external URLs) unless approved.
Audit-grade narratives
Each decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after permissions, affected jobs/nodes and owner context.
Connect Jenkins (controller)
ClarioSec uses the **Jenkins Remote Access API** (JSON/XML) with a **service account API token** and minimum read permissions. For self-managed or Kubernetes-based controllers, provide the base URL of each controller.
- 1) Create a service account
Create a dedicated Jenkins user with a read profile. Prefer Matrix/Role Strategy with Overall/Read, Job/Read, View/Read, Agent/Read, SystemRead and Credentials/View (from Credentials plugin).
- 2) Generate API token
User → Configure → API Token → Generate. Store the token securely (it is shown only once). Enforce a token rotation policy within Jenkins.
- 3) Provide Base URL
e.g., https://jenkins.yourdomain or https://jenkins.yourdomain/jenkins. If the controller sits behind a reverse proxy, ensure the API is reachable through it and that the crumb issuer is enabled.
- 4) Add in ClarioSec
Open the Jenkins connector and paste Base URL, Username and API Token (stored per tenant). ClarioSec honors rate limits and pagination.
High-value signals via Remote Access API (metadata only):
- /api/json on root (views, jobs), /computer/api/json (agents/nodes, executors, labels)
- /pluginManager/api/json (plugins & versions), /systemInfo/api/json (core, security toggles)
- Credentials store metadata (IDs/types/usage) via Credentials API endpoints (no secret values)
- Job config & SCM links (read), multibranch sources, webhook endpoints (metadata)
Endpoint family: Remote Access API (JSON/XML), Credentials plugin API (metadata), Views/Jobs/Computer/Plugins/SystemInfo.
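As an added illustration (not ClarioSec's connector code), the read-only collection described above: authenticate to the Remote Access API with a service-account username and API token over HTTP Basic auth, narrow responses with the `tree` parameter, and derive posture signals (offline agents, executors on a given label, plugins with pending updates) from the returned metadata. The base URL, user name and the sample responses are constructed assumptions.

```python
import base64
import json
import urllib.request

# Constructed sample responses, shaped like /computer/api/json and
# /pluginManager/api/json?depth=1 (field names as Jenkins returns them).
SAMPLE_COMPUTERS = {"computer": [
    {"displayName": "Built-In Node", "offline": False, "numExecutors": 2,
     "assignedLabels": [{"name": "built-in"}]},
    {"displayName": "linux-agent-1", "offline": True, "numExecutors": 4,
     "assignedLabels": [{"name": "linux"}, {"name": "prod"}]},
]}
SAMPLE_PLUGINS = {"plugins": [
    {"shortName": "credentials", "version": "1.0", "hasUpdate": True, "active": True},
    {"shortName": "git", "version": "5.0", "hasUpdate": False, "active": True},
]}

# Only the metadata fields needed: a narrow tree keeps responses small
# and avoids pulling fields the read profile does not require.
COMPUTER_TREE = "computer[displayName,offline,numExecutors,assignedLabels[name]]"
PLUGIN_TREE = "plugins[shortName,version,hasUpdate,active]"


def fetch_json(base_url, path, username, api_token, tree=None):
    """GET a Remote Access API endpoint using user:API-token Basic auth.
    GET requests need no CSRF crumb; the token is never logged."""
    url = base_url.rstrip("/") + path + (f"?tree={tree}" if tree else "")
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{username}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def offline_agents(computers):
    """Names of nodes the controller currently reports as offline."""
    return [c["displayName"] for c in computers["computer"] if c.get("offline")]


def executors_on_label(computers, label):
    """Executor capacity reachable by jobs restricted to `label`."""
    return sum(c.get("numExecutors", 0) for c in computers["computer"]
               if any(l.get("name") == label for l in c.get("assignedLabels", [])))


def plugins_with_updates(plugins):
    """Active plugins for which the update center reports a newer version."""
    return sorted(p["shortName"] for p in plugins["plugins"]
                  if p.get("active") and p.get("hasUpdate"))
```

Against a live controller, replace the samples with `fetch_json("https://jenkins.example", "/computer/api/json", user, token, COMPUTER_TREE)` and the plugin equivalent.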
- Privileged & exposed agents
Inbound JNLP agents without TLS, or with overly broad labels; controllers allowing anonymous or wide Overall/Read; over-shared executors.
- Credential sprawl & weak rotation
Stale credentials, long-lived tokens, credentials bound in many jobs without owner attestations.
- Outdated/vulnerable plugins
Critical plugin updates pending; risky plugins with broad permissions loaded in production controllers.
- Webhook & publish exfiltration
Pipelines pushing artifacts/code to external endpoints without approvals; ownerless webhooks.
- JIT approvals for secret binding, external publish and privileged agent usage
- Automatic permission minimization & credential rotation guidance
- Enforce safe labels/runners and plugin hygiene on production controllers
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern Jenkins agents, tokens and pipelines at runtime?
Move from CI/CD posture to provable behavior — identity → permission → action → narrative.