Requesting Jenkins security report

Jenkins setup:
We are planning to use Jenkins for our CI/CD pipelines.
We would like to review Jenkins security reports such as VAPT, DAST, and penetration testing as part of our process.

Can you please send the security report for this particular Jenkins version?

Jenkins Docker image version: jenkins/jenkins:2.452.3-jdk17
URL: https://hub.docker.com/layers/jenkins/jenkins/2.452.3-jdk17/images/sha256-f4fcb66a1c6b834e5b04bd585d054b0ae0b37990337f4203bd83d237461f17ce

No, we can’t, or rather, we won’t.

The Jenkins security team documentation says:

Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. We will not respond to such queries.

You can review the vulnerabilities reported in that particular Jenkins version by reviewing the Jenkins security advisories. You can also see the list of vulnerabilities by running that Jenkins version and looking at the warning that will be displayed from that Jenkins version.
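
An added example, not part of the original posts and not Jenkins project code, showing how the version check suggested above could be scripted for the image tag in the question. It assumes warning records with `id`, `type`, `name` and `versions[].pattern` fields, modeled on the warnings metadata behind the in-product warning; every sample record, ID and pattern is constructed.

```python
import re

# Constructed sample records. Assumed shape: id, type ("core" or "plugin"),
# name, and a list of version ranges, each with a regex "pattern".
# IDs and patterns are placeholders, not real advisories.
SAMPLE_WARNINGS = [
    {"id": "CONSTRUCTED-1", "type": "core", "name": "core",
     "versions": [{"pattern": r"2\.452\.[1-3]"}]},
    {"id": "CONSTRUCTED-2", "type": "core", "name": "core",
     "versions": [{"pattern": r"2\.440\.[1-3]"}]},
    # Matches weekly "2.452" but must not match LTS "2.452.3".
    {"id": "CONSTRUCTED-3", "type": "core", "name": "core",
     "versions": [{"pattern": r"2\.4[0-9]{2}"}]},
    {"id": "CONSTRUCTED-4", "type": "plugin", "name": "example-plugin",
     "versions": [{"pattern": r"1\.[0-4]"}]},
]


def core_version_from_tag(tag):
    """Extract the Jenkins core version from an image tag such as
    'jenkins/jenkins:2.452.3-jdk17' (repository and suffix are optional)."""
    m = re.fullmatch(r"(?:[\w./-]+:)?(\d+(?:\.\d+)+)(?:-[\w.-]+)?", tag)
    if m is None:
        raise ValueError(f"no version found in tag: {tag!r}")
    return m.group(1)


def applicable_warnings(warnings, core_version, plugins=None):
    """Return IDs of warnings whose pattern matches the installed version.

    plugins maps plugin name -> installed version; plugins that are not
    installed are skipped. Patterns must match the whole version string,
    so a weekly pattern does not accidentally match an LTS point release.
    """
    plugins = plugins or {}
    hits = []
    for w in warnings:
        installed = core_version if w["type"] == "core" else plugins.get(w["name"])
        if installed is None:
            continue
        if any(re.fullmatch(r["pattern"], installed) for r in w.get("versions", [])):
            hits.append(w["id"])
    return hits


if __name__ == "__main__":
    version = core_version_from_tag("jenkins/jenkins:2.452.3-jdk17")
    print(version, applicable_warnings(SAMPLE_WARNINGS, version))
```
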