How does Jenkins verify plugins before publishing for consumption?

Since plugins are created by the community, how does the Jenkins teams run security scans on the plugins before publishing the plugin for other users to consume? went through the following pages but did not find an answer to my specific question.

follow up is - what type of scans does the Jenkins team perform on the plugins as part of their security scans?

It depends on what you mean by “security scans on the plugins”.

If you mean “run spotbugs to report Java issues”, then that is a standard part of recent releases of the plugin pom and is part of plugin builds when they update to recent releases of the plugin pom. You can see the results of those reports on for plugins like git plugin, LDAP plugin, mailer plugin, and many more

If you mean “run spotbugs find-sec-bugs to report security specific Java issues”, then that is an optional check that is described in

If you mean “run Jenkins specific source code security checks”, then that is an optional check that is described in:

If you mean “run a dependency vulnerability scanner”, then that is not being run as far as I know.

If you mean something different than any of those items, please provide more details about what you mean by “does Jenkins run security scans on the plugins before publishing”.

Thanks for the reply Mark, it is helpful.
i’m looking to do OSS scanning and malware scanning, apologies for not clarifying that earlier.

do you know what is used to help make the Security Advisories report ? what type of tools are being used to detect these vulnerabilities?

The report is generated from a YAML data file. The data file provides the information and a template is used to format the information into that table layout.

I believe that the Jenkins security team uses multiple techniques to search for security bugs. When they detect a common pattern, they will consider placing that common pattern into the Java source code scanner tool mentioned earlier. They also accept security bug reports from security researchers around the world.

Got it. If possible, could you elaborate on ‘multiple techniques’, what type of techniques? I just want to know so I can understand how robust the security scanning is from Jenkins’ side.

Sorry, but I don’t know enough details of the techniques they use.

got it - thanks for your help Mark!