Pipeline SCM step plugin writing credentials to Jenkins host as XML files

Jenkins setup:

Jenkins Version - 2.414.3

Jenkins is running as a Docker container, volume-mounted to the host, with port 8080 on the container mapped to port 80 on the host.

My issue is a generic one; I cannot get the complete list of all plugins, but I can share the plugin version of the workflow SCM step plugin.

I recently noticed that it is writing the service principal credentials and secrets to a file on the host machine. This is not something we expect, and it can cause security incidents and vulnerabilities.

Please have a look at this.

The file is under jenkins_home/jobs/<job_name>/branches//builds//build.xml

Please follow the guidelines listed in “Reporting security vulnerabilities” when reporting a potential vulnerability.

In this case, I suspect that you may be placing the service principal credentials in the job definition as a string instead of using the Jenkins credentials plugin to manage the service principal credential. If that is the case, then the solution is to define a Jenkins credential with the value of the service principal credentials and use that Jenkins credential in the job definition.

In all cases, discussions of potential security issues are best done by following the reporting guidelines.

No, @MarkEWaite. We use the Azure Credentials plugin to refer to the SP for authorization.

Something similar to this example here:

withCredentials([azureServicePrincipal('credentials_id')]) {
    sh 'az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID'
}

Azure Credentials | Jenkins plugin

I will definitely raise a security concern in the above link.
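As an added example for this thread (not code from Jenkins, the SCM step plugin or the Azure Credentials plugin), here is a defender-side check for the condition reported above: it walks JENKINS_HOME/jobs, parses every build.xml and config.xml, and flags two things: any element text or attribute that contains a secret value the operator already knows (the real service principal secret, taken from the credential store), and any `az login --service-principal ... -p <value>` command whose password is a literal rather than a `$VAR` reference, which is the symptom of a secret pasted into the job instead of being bound by withCredentials. The build.xml content, the job path and the secret value in the script are constructed for the demo; the real Jenkins build.xml layout is assumed only to be well-formed XML, which is why the scanner looks at every element and attribute rather than a fixed schema.

```python
"""Check Jenkins job XML on disk for plaintext secrets.

Added example for this thread; it is not code from Jenkins, the SCM step
plugin or the Azure Credentials plugin. It assumes the operator can read
JENKINS_HOME and knows the real secret values (e.g. from the credential
store) to look for. The build.xml below is constructed for the demo.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Iterator

# "az login --service-principal ... -p <value>" where <value> is a literal
# rather than a $VAR / ${VAR} reference. A literal means the secret was put
# in the job text instead of being bound at run time by withCredentials.
LITERAL_PASSWORD_RE = re.compile(
    r"az\s+login\s+--service-principal\b[^\n]*?"
    r"\s(?:-p|--password)[\s=]+(?P<value>(?!\$)[^\s'\"]+)"
)

# Constructed sample, not a real Jenkins build record. The first step embeds
# a literal secret; the second is the safe form shown in the thread.
SAMPLE_BUILD_XML = """<?xml version='1.0' encoding='UTF-8'?>
<build>
  <actions>
    <script>az login --service-principal -u 11111111-2222-3333-4444-555555555555 -p DemoSecretValue-NotReal -t 66666666-7777-8888-9999-000000000000</script>
    <script>az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID</script>
  </actions>
</build>
"""


@dataclass(frozen=True)
class Finding:
    path: str      # file on disk
    element: str   # XPath-like location inside the file
    kind: str      # "known_secret" or "literal_password"
    preview: str   # redacted value, safe to put in a ticket or log


def _redact(value: str) -> str:
    return f"{value[:3]}...{value[-2:]}" if len(value) > 8 else "***"


def _iter_text(root: ET.Element) -> Iterator[tuple[str, str]]:
    """Yield (location, text) for every element text and attribute value."""
    stack = [(root, f"/{root.tag}")]
    while stack:
        elem, loc = stack.pop()
        if elem.text and elem.text.strip():
            yield loc, elem.text
        for name, val in elem.attrib.items():
            yield f"{loc}/@{name}", val
        for child in reversed(list(elem)):
            stack.append((child, f"{loc}/{child.tag}"))


def scan_xml_text(xml_text: str, path: str, known_secrets: Iterable[str]) -> list[Finding]:
    """Flag known secret values and literal service-principal passwords."""
    secrets = [s for s in known_secrets if s]
    findings: list[Finding] = []
    for loc, text in _iter_text(ET.fromstring(xml_text)):
        for secret in secrets:
            if secret in text:
                findings.append(Finding(path, loc, "known_secret", _redact(secret)))
        for m in LITERAL_PASSWORD_RE.finditer(text):
            findings.append(Finding(path, loc, "literal_password", _redact(m.group("value"))))
    return findings


def scan_jobs_dir(jenkins_home: str, known_secrets: Iterable[str]) -> list[Finding]:
    """Walk JENKINS_HOME/jobs and scan every build.xml and config.xml."""
    secrets = list(known_secrets)
    findings: list[Finding] = []
    for p in Path(jenkins_home, "jobs").rglob("*.xml"):
        if p.name not in ("build.xml", "config.xml"):
            continue
        try:
            findings.extend(scan_xml_text(p.read_text(encoding="utf-8"), str(p), secrets))
        except ET.ParseError:
            continue  # truncated or non-XML file: skip it, do not abort the scan
    return findings


def demo() -> list[Finding]:
    """Lay out the sample under a temporary JENKINS_HOME and scan it."""
    with tempfile.TemporaryDirectory() as home:
        build_dir = Path(home, "jobs", "demo-job", "branches", "main", "builds", "1")
        build_dir.mkdir(parents=True)
        (build_dir / "build.xml").write_text(SAMPLE_BUILD_XML, encoding="utf-8")
        return scan_jobs_dir(home, ["DemoSecretValue-NotReal"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:17} {f.element}  {f.preview}  ({f.path})")
```

Run it against a real installation by calling `scan_jobs_dir("/var/jenkins_home", [secret_from_store])`; the safe `withCredentials` form produces no finding because the password reaches the shell only as `$AZURE_CLIENT_SECRET`, while the known-secret check is what tells you whether a plugin or job wrote the bound value itself to disk. Findings carry only a redacted preview, so the report can be attached to a security ticket without copying the secret again.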