New stages UI not masking sensitive information even when using withCredentials or withSonarQubeEnv

Hi,
I know that maybe it is not the right channel and I should open a bug for this. But I do not really know which plugin/component is responsible for this.

I have noticed that the new UI does not mask sensitive information… which is masked correctly in the pipeline logs.

First example using curl wrapped with a withCredentials:

As you can see the Authorization header is masked correctly in the pipeline logs, but not on the UI. Obviously I had to hide it to share the screenshot, but it is there.

Second example using the sonar scanner wrapped with withSonarQubeEnv:

The sonar.login parameter is masked in the logs but not in the UI. Same story here, I had to hide it.

I am pretty sure there are other cases as well.

Is there anything I am doing wrong, or is there an issue with the UI?

Thanks,
Giovanni

Just adding some extra information here.

I have identified the plugin: Pipeline Graph View
I was kinda already sure it was this one, but I wanted to double check first.

I have found a similar issue opened on Github: Password not redacted in ConsoleLogCard with keeper-secrets-manager · Issue #1045 · jenkinsci/pipeline-graph-view-plugin · GitHub
I think what I have highlighted in my post and this issue could potentially share the same root problem.
The issue was opened on the 27th of October and nothing has been done so far to address it.

I think this is a major security concern, so I have disabled the plugin until this is fixed properly.
I would suggest anyone using this plugin to check if they are affected and disable it in case they are.

Thanks,
Giovanni

Unfortunately, it looks like this is happening even with the Pipeline: Stage View plugin and it looks like it is a known issue.

There is an old Stack Overflow question: https://stackoverflow.com/questions/65702270/jenkins-pipeline-stage-view-plugin-does-not-mask-passwords

Which links to this bug https://issues.jenkins.io/browse/JENKINS-59214 that has been migrated here: [JENKINS-59214] BlueOcean UI and pipeline steps view (FlowGraphTable ) reveal sensitive data · Issue #20581 · jenkinsci/jenkins · GitHub

I will try to follow the suggestions in the comment but it is not great that the secrets are masked in the logs but not in the UI…

Thanks,
Giovanni

I think the problem you encounter is that groovy interpolates your secrets when you’re using double quotes for the sh step. That means that the PASSWD is replaced with the actual password before the sh step is instantiated.

withCredentials([string(credentialsId: 'mysecret', variable: 'PASSWD')]) {
  sh "curl -u user:$PASSWD <url>"
}

If you use single quotes

withCredentials([string(credentialsId: 'mysecret', variable: 'PASSWD')]) {
  sh 'curl -u user:$PASSWD <url>'
}

Then the shell will interpolate the env variable when it executes the script, and in the UI you will not see the password.
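To make the two timings concrete, here is an added example (not from the thread, and not Jenkins code) that simulates them in plain sh: a "step recorder" stands in for Jenkins persisting the sh step's script argument, which the stage/graph UIs then display without masking. The secret value and the URL are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: simulate the two interpolation timings
# mawinter69 describes. record_step stands in for Jenkins persisting the
# sh step's script argument, which the stage/graph UIs display without masking.

PASSWD='s3cr3t-demo-token'   # constructed secret for the demo, not a real one
export PASSWD

# record_step SCRIPT: keep the script text exactly as the step received it
# (stands in for the step arguments Jenkins stores with the flow node).
record_step() {
  RECORDED_SCRIPT=$1
}

# Groovy double quotes: $PASSWD is substituted before the step exists,
# so the stored argument already contains the secret.
double_quoted_step() {
  record_step "curl -u user:$PASSWD https://example.invalid/"
}

# Groovy single quotes: the step receives the literal text '$PASSWD';
# only the shell expands it when the script runs.
single_quoted_step() {
  record_step 'curl -u user:$PASSWD https://example.invalid/'
}

# Succeeds when the secret is embedded in the stored argument, i.e. when a UI
# that prints step arguments would reveal it.
recorded_contains_secret() {
  case "$RECORDED_SCRIPT" in
    *"$PASSWD"*) return 0 ;;
    *)           return 1 ;;
  esac
}

# The command line the shell actually runs is identical for both forms; we
# echo it instead of invoking curl so the demo works offline.
expanded_command() {
  sh -c "echo $RECORDED_SCRIPT"
}

for form in double_quoted_step single_quoted_step; do
  $form
  if recorded_contains_secret; then verdict='secret persisted'; else verdict='only $PASSWD persisted'; fi
  echo "$form: stored [$RECORDED_SCRIPT] -> $verdict"
  echo "  runs as: $(expanded_command)"
done
```

The same reasoning applies to any step whose arguments are recorded, not just sh: what matters is whether the secret was already substituted into the argument before the step was created.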

Thanks @mawinter69, this is what I have seen in the stuff I linked as well. I am giving it a try, but to be honest I was expecting the logs and the UI to behave in the same way… hence the confusion.