Mask Credentials in Jenkins Plugin

I’m currently writing a Jenkins plugin that executes performance measurement runs ( and afterwards provides access to the measurement run logs via own Action, for example in peass-ci-plugin/ at 10b37a03928d8d8fddf87511cfe32072012d3448 · jenkinsci/peass-ci-plugin · GitHub.

While this works technically correct, it does not mask credentials that have been provided to the run. So if I got a configuration like this:

    stage('Measure Performance') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'PW1', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
                    measure VMs: 2, iterations: 3, properties: "-PmavenPassword=$PASSWORD -PmavenUser=$USER",

the value of password will be printed out in the logs directly. Since the logs contain of several repeated VM starts, printing all logs directly to the Jenkins console is no solution. Therefore, the plugin also needs to mask the password for the logs, i.e. I somehow need the Pattern that is used for credentials replacement by the credentials plugin.

As far as I see it, I can get the Pattern by in perform-methods in my Builder like public boolean perform(final AbstractBuild<?, ?> build, final Launcher launcher, final BuildListener listener) (which take the AbstractBuild), if I run SecretBuildWrapper.getPatternForBuild((AbstractBuild<?, ?>) build) from the credentials-binding-plugin. But this perform method is not called in my regular method perform(final Run<?, ?> run, final FilePath workspace, final EnvVars env, final Launcher launcher, final TaskListener listener) if I use a pipeline script (for classical jobs, it seems to work).

I also tried using Recorder instead of Builder: I added another build step, which is a recorder with a different symbol, and implemented its perform method. Unfortunately, the same behavior appears: Methods having an AbstractBuild in the signature are not called.

Is there any way to get the Pattern to mask the credentials, or some other way to achieve that credentials are masked in the additional logs?

Probably the easiset way would be to not pass the credentials as strings to your plugin, but use the credentials API (so you just pass a credentials id).

Thanks a lot!

Passing the credentials separately solved the problem: