Jenkins #
Jenkins is a highly extensible automation server used for CI/CD, release engineering, infrastructure automation, and legacy enterprise workflows.
Overview #
Jenkins pipelines are commonly defined with a Jenkinsfile committed to the repository. A Jenkins controller coordinates jobs, plugins, credentials, and build history, while agents run workloads on Linux, Windows, macOS, containers, or Kubernetes pods. Jenkins is powerful, but it requires active operations ownership.
Best use cases #
- Complex enterprise automation with many deployment targets and custom integrations.
- Legacy applications that need specialized build agents, tools, or network access.
- Hybrid environments where workloads run across on-premises systems and cloud platforms.
- Teams with existing Jenkins expertise and governance for plugins, credentials, and agents.
- Highly customized release flows that hosted CI systems cannot easily model.
Minimal pipeline example #
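```groovy
pipeline {
    agent any
    stages {
        stage('Test') {
            steps {
                sh 'npm ci'
                sh 'npm test'
            }
        }
        stage('Build') {
            // The branch condition applies to multibranch pipeline jobs.
            when {
                branch 'main'
            }
            steps {
                // Single quotes: the shell, not Groovy, expands BUILD_NUMBER.
                sh 'docker build -t example/app:${BUILD_NUMBER} .'
            }
        }
    }
}
```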
Secrets handling #
- Store secrets in the Jenkins Credentials store or an integrated secret manager such as HashiCorp Vault or cloud key vaults.
- Use `withCredentials` bindings so credentials are scoped to the smallest necessary stage or step.
- Avoid passing secrets on command lines that can be captured by process listings or logs.
- Restrict who can create, update, view, or use credentials through role-based access controls.
- Rotate credentials regularly and remove unused credentials from folders, jobs, and shared libraries.
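
The scoping and command-line points above, as an added example that is not part of the original page: a Jenkinsfile that binds a registry credential only around the push step and hands the password to `docker login` on stdin. It assumes the Credentials Binding plugin; the credential ID `registry-push` and the host `registry.example.com` are hypothetical.

```groovy
pipeline {
    agent any
    stages {
        stage('Test') {
            steps {
                // No credentials are bound here, so npm scripts never see the registry secret.
                sh 'npm ci'
                sh 'npm test'
            }
        }
        stage('Push image') {
            when { branch 'main' }
            steps {
                // 'registry-push' is a hypothetical username/password credential ID
                // in the Jenkins Credentials store.
                withCredentials([usernamePassword(credentialsId: 'registry-push',
                                                  usernameVariable: 'REG_USER',
                                                  passwordVariable: 'REG_PASS')]) {
                    // Weak form, shown for contrast only:
                    //   sh "docker login -u ${REG_USER} -p ${REG_PASS} registry.example.com"
                    // Double quotes make Groovy interpolate the secret into the script text,
                    // and -p places it in the docker process's argument list.

                    // Hardened form: single quotes leave expansion to the shell, and the
                    // password reaches docker on stdin instead of argv.
                    sh '''
                        # Jenkins runs sh steps with tracing on; turn it off so the
                        # expanded secret is not echoed by the shell.
                        set +x
                        set -eu
                        printf '%s' "$REG_PASS" | docker login -u "$REG_USER" --password-stdin registry.example.com
                        docker build -t registry.example.com/example/app:"$BUILD_NUMBER" .
                        docker push registry.example.com/example/app:"$BUILD_NUMBER"
                    '''
                }
                // REG_USER and REG_PASS are no longer set from this point on.
                sh 'docker logout registry.example.com'
            }
        }
    }
}
```

Console masking of bound values only matches the exact secret string, so keeping the secret out of the script text and out of process arguments matters even with masking enabled.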
Deployment options #
- Deploy with shell scripts, Ansible, Terraform, OpenTofu, Helm, kubectl, cloud CLIs, or custom plugins.
- Use Kubernetes agents for elastic build capacity and isolated job execution.
- Publish build artifacts to artifact repositories such as Nexus, Artifactory, S3-compatible storage, or container registries.
- Promote immutable artifacts through environments with manual input steps, change tickets, or external approval systems.
- Pair Jenkins CI with Argo CD or Flux for GitOps-based Kubernetes delivery.
Security considerations #
- Keep Jenkins core and plugins patched, and remove plugins that are unused or no longer maintained.
- Use controller-to-agent isolation; do not run untrusted jobs on the controller.
- Lock down script approval, job configuration permissions, credentials, folders, and administrative access.
- Prefer ephemeral agents for risky workloads and isolate agents by trust boundary.
- Back up Jenkins configuration and credentials securely, and audit changes to jobs and shared libraries.
Related internal links #
- DevSecOps — Add scanning, signing, and policy checks to Jenkins pipelines.
- GitOps — Use Jenkins for CI while GitOps tools reconcile Kubernetes state.
- Kubernetes — Run Jenkins agents on Kubernetes and deploy container workloads.
- Infrastructure as Code — Validate and promote infrastructure changes through Jenkins.
- CI/CD Security Best Practices — Harden credentials, plugins, agents, and deployment permissions.