Jenkins Encrypted Credentials
Detects Jenkins-encrypted credential values in the {base64...} format used by Jenkins credentials.xml and similar configuration files. Mirrors Snaffler rule KeepJenkinsByName.
- Type
- regex
- Engine
- boost_regex
- Confidence
- high
- Confidence justification
- High confidence: the combination of <password> XML tags and the {base64} encrypted value format is highly specific to Jenkins credential storage. False positives are unlikely given these structural constraints; the residual cases are listed under Known false positives below.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF
- Data categories
- credentials
- Scope
- specific
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
<password>\{[A-Za-z0-9+/=]{20,}\}</password>
Corroborative evidence keywords
com.cloudbees.plugins.credentials, <privateKey>, BapSshPublisher, <id>
Proximity: 300 characters
Should match
- <password>{AQAAABAAAAAQ1q2w3e4r5t6y7u8i9o0p1a2b3c4d5e6f7g8h9i0j1k}</password>: Jenkins encrypted secret
- <password>{AQAAABAAAAAQabcdefghijklmnopqrstuvwxyz0123456789ABCDEF==}</password>: base64-padded Jenkins secret
- <password>{AQAAABAAAAAQ/abc+def/ghi+jkl/mnopqrstuvwxyz0123456789==}</password>: Jenkins secret containing the + and / base64 characters
Should not match
- <password>changeme</password>: plaintext password, not the {…} encrypted form
- <password>{short}</password>: too short (fewer than 20 characters inside the braces)
Known false positives
- XML files that happen to use <password> tags with curly-brace-wrapped values in non-Jenkins contexts, such as custom configuration schemas. Mitigation: require proximity to Jenkins-specific identifiers (com.cloudbees.plugins.credentials, <privateKey>, BapSshPublisher) to confirm Jenkins context before raising the finding.
- Test or sample Jenkins configuration files with placeholder encrypted values. Mitigation: the template exclusion keywords at the 65 tier catch common placeholder and example markers near the match.
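The following is an added worked example, not part of this rule catalog, showing how the pattern, the corroborative keywords and the 300-character proximity window combine into a verdict. It runs the rule over three constructed XML fragments (a Jenkins-shaped credentials.xml, a non-Jenkins config with the same element shape, and a template with placeholder markers) and checks the Should match and Should not match cases above. The PLACEHOLDER_MARKERS list is an assumption: the page does not enumerate its template exclusion keywords, so a hypothetical stand-in is used for that check.

```python
import re

# The rule's pattern, unchanged. It uses only syntax that boost_regex and
# Python's re share, so behaviour is the same in both engines.
PATTERN = re.compile(r"<password>\{[A-Za-z0-9+/=]{20,}\}</password>")

# Corroborative evidence keywords and the proximity window, as listed in the rule.
CORROBORATION_KEYWORDS = (
    "com.cloudbees.plugins.credentials",
    "<privateKey>",
    "BapSshPublisher",
    "<id>",
)
PROXIMITY = 300

# Assumption: the page does not list its template exclusion keywords, so these
# markers are a hypothetical stand-in for the placeholder/example check.
PLACEHOLDER_MARKERS = ("example", "placeholder", "sample", "changeme")


def scan(text):
    """Run the rule over text. Each hit records the matched element, the
    corroborative keywords found within PROXIMITY characters on either side,
    and whether a placeholder marker appears in the same window."""
    hits = []
    for m in PATTERN.finditer(text):
        lo = max(0, m.start() - PROXIMITY)
        hi = min(len(text), m.end() + PROXIMITY)
        window = text[lo:hi]
        nearby = [k for k in CORROBORATION_KEYWORDS if k in window]
        placeholder = any(p in window.lower() for p in PLACEHOLDER_MARKERS)
        hits.append({
            "match": m.group(0),
            "offset": m.start(),
            "corroborated": bool(nearby),
            "keywords": nearby,
            "placeholder": placeholder,
        })
    return hits


def verdict(hit):
    """Placeholder markers suppress the finding; otherwise it is confirmed only
    when at least one Jenkins identifier sits inside the proximity window."""
    if hit["placeholder"]:
        return "suppressed"
    if hit["corroborated"]:
        return "confirmed"
    return "uncorroborated"


# Constructed fragment in the shape of a Jenkins credentials.xml (not a real file).
JENKINS_XML = """<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials">
  <domainCredentialsMap>
    <entry>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>deploy-user</id>
          <username>deploy</username>
          <password>{AQAAABAAAAAQ1q2w3e4r5t6y7u8i9o0p1a2b3c4d5e6f7g8h9i0j1k}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

# Constructed non-Jenkins config with the same element shape; no Jenkins
# identifier is within 300 characters, so the hit stays uncorroborated.
OTHER_XML = """<appConfig>
  <database>
    <host>db.internal</host>
    <password>{AQAAABAAAAAQ/abc+def/ghi+jkl/mnopqrstuvwxyz0123456789==}</password>
  </database>
</appConfig>
"""

# Constructed template: Jenkins identifiers are present, but so are placeholder markers.
TEMPLATE_XML = """<!-- example credentials.xml template, replace before use -->
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
  <id>placeholder-id</id>
  <password>{AQAAABAAAAAQabcdefghijklmnopqrstuvwxyz0123456789ABCDEF==}</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
"""

# The rule's own Should not match cases.
NON_MATCHES = ["<password>changeme</password>", "<password>{short}</password>"]

if __name__ == "__main__":
    for name, text in (("jenkins", JENKINS_XML), ("other", OTHER_XML), ("template", TEMPLATE_XML)):
        for h in scan(text):
            print(f"{name}: {verdict(h)} keywords={h['keywords']} value={h['match'][:45]}...")
    for s in NON_MATCHES:
        print(f"no match: {s!r} -> {scan(s)}")
```

Two points worth noting when tuning this rule. The pattern is anchored on the <password> element, so a value in the same {…} form stored under a different element name (for instance the <privateKey> element the rule uses only as a corroborator) does not match it. And <id> is a weak corroborator on its own, since that element appears in many XML schemas; the example treats all four keywords equally, as the rule does, but a stricter deployment could require one of the three Jenkins-specific identifiers.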