Jenkins setup:
Jenkins: 2.443
OS: Linux - 6.5.0-15-generic
Java: 17.0.10 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.3.1-1.0
authentication-tokens:1.53.v1c90fd9191a_b_
authorize-project:1.7.1
bootstrap5-api:5.3.2-3
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1144.v1425d1c3d5a_7
build-timeout:1.32
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloud-stats:336.v788e4055508b_
cloudbees-folder:6.901.vb_4c7a_da_75da_3
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
configuration-as-code:1775.v810dc950b_514
credentials:1319.v7eb_51b_3a_c97b_
credentials-binding:657.v2b_19db_7d6e6d
data-tables-api:1.13.8-2
display-url-api:2.200.vb_9327d658781
docker-commons:439.va_3cb_0a_6a_fb_29
docker-java-api:3.3.4-86.v39b_a_5ede342c
docker-plugin:1.5
docker-workflow:572.v950f58993843
durable-task:547.vd1ea_007d100c
echarts-api:5.4.3-2
email-ext:2.104
font-awesome-api:6.5.1-2
git:5.2.1
git-client:4.6.0
git-server:114.v068a_c7cc2574
github:1.37.3.1
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1772.va_69eda_d018d4
github-checks:554.vb_ee03a_000f65
gradle:2.9
gson-api:2.10.1-15.v0d99f670e0a_7
instance-identity:185.v303dc7c645f9
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.16.1-373.ve709c6871598
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.18-1
job-dsl:1.87
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-1
jsch:0.2.16-86.v42e010d9484b_
json-api:20240205-27.va_007549e895c
json-path-api:2.9.0-33.v2527142f2e1d
junit:1256.v002534a_5f33e
ldap:711.vb_d1a_491714dc
lockable-resources:1232.v512d6c434eb_d
mailer:463.vedf8358e006b_
matrix-auth:3.2.1
matrix-project:822.824.v14451b_c0fd42
mina-sshd-api-common:2.12.0-90.v9f7fb_9fa_3d3b_
mina-sshd-api-core:2.12.0-90.v9f7fb_9fa_3d3b_
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pam-auth:1.10
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:42.v0739460cda_c4
pipeline-groovy-lib:704.vc58b_8890a_384
pipeline-input-step:489.v4b_70b_ff92d67
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2175.v76a_fff0a_2618
pipeline-model-definition:2.2175.v76a_fff0a_2618
pipeline-model-extensions:2.2175.v76a_fff0a_2618
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2175.v76a_fff0a_2618
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.8.0
prism-api:1.29.0-13
resource-disposer:0.23
scm-api:683.vb_16722fb_b_80b_
script-security:1313.v7a_6067dc7087
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.948.vb_8050d697fec
sshd:3.322.v159e91f6a_550
structs:337.v1b_04ea_4df7c8
timestamper:1.26
token-macro:400.v35420b_922dcb_
trilead-api:2.133.vfb_8a_7b_9c5dd1
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1291.v51fd2a_625da_7
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3853.vb_a_490d892963
workflow-durable-task-step:1322.v63864b_7a_e384
workflow-job:1400.v7fd111b_ec82f
workflow-multibranch:773.vc4fe1378f1d5
workflow-scm-step:415.v434365564324
workflow-step-api:657.v03b_e8115821b_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45
config.yaml
credentials:
  system:
    domainCredentials:
      - credentials:
          # GitHub App credential consumed by the organization folder in
          # job.groovy (credentialsId("${GH_ID_DESC}")); description and id
          # deliberately share one value so the two files stay in step.
          - gitHubApp:
              appID: "${GH_APP_ID}"
              description: "${GH_ID_DESC}"
              id: "${GH_ID_DESC}"
              # Supplied through the container environment (docker-compose.yml
              # passes GH_APP_KEY through). JCasC resolves the ${...}
              # placeholder on the parsed string, so quoting is behaviour-
              # neutral and keeps YAML from re-typing digit/boolean-looking
              # values.
              privateKey: "${GH_APP_KEY}"
jenkins:
  authorizationStrategy:
    globalMatrix:
      permissions:
        # Every authenticated account is a full administrator. With the
        # local realm below (signup disabled, a single configured user)
        # that is only the admin account; revisit before adding users or
        # switching realms.
        - "GROUP:Overall/Administer:authenticated"
        # Anonymous visitors get read-only access to jobs and the dashboard.
        - "USER:Job/Read:anonymous"
        - "USER:Overall/Read:anonymous"
  numExecutors: 1
  securityRealm:
    local:
      allowsSignup: false
      enableCaptcha: false
      users:
        - id: "${JENKINS_ADMIN_ID}"
          password: "${JENKINS_ADMIN_PASSWORD}"
security:
  queueItemAuthenticator:
    authenticators:
      # Builds run with the authorization of the user who triggered them.
      # NOTE(review): builds with no user cause (timer, SCM scan)
      # presumably fall back to anonymous — confirm against the
      # authorize-project documentation for the installed version.
      - global:
          strategy: triggeringUsersAuthorizationStrategy
jobs:
  # Seed script; see job.groovy.
  - file: /startup/job.groovy
unclassified:
  location:
    url: "${URL}"
  timestamper:
    allPipelines: false
    elapsedTimeFormat: "'<b>'HH:mm:ss.S'</b> '"
    systemTimeFormat: "'<b>'HH:mm:ss'</b> '"
job.groovy
// Seed script loaded by JCasC (config.yaml: jobs -> file). Creates one
// GitHub organization folder scanning the repositories of ${OWNER}.
// The ${...} names are presumably filled from the same environment
// variables docker-compose.yml passes into the container — confirm.
organizationFolder("${ORG}") {
    organizations {
        github {
            // GitHub App credential from config.yaml (its id equals its
            // description).
            credentialsId "${GH_ID_DESC}"
            repoOwner "${OWNER}"
            traits {
                // Strategy ids follow the github-branch-source plugin's
                // numbering; verify against the installed version.
                gitHubBranchDiscovery {
                    strategyId 3   // all branches
                }
                gitHubPullRequestDiscovery {
                    strategyId 1   // PR merged with the current target branch head
                }
                gitHubForkDiscovery {
                    strategyId 1   // fork PR merged with the current target branch head
                    trust {
                        // "From users with Admin or Write permission".
                        // This decides only which revision's Jenkinsfile
                        // runs: for a fork PR from anyone else the target
                        // branch's Jenkinsfile is used, while every other
                        // file — the Dockerfile included — is still checked
                        // out from the PR head. A trusted Jenkinsfile can
                        // guard such files with readTrusted 'Dockerfile'
                        // (workflow-multibranch), which fails the build when
                        // an untrusted PR changes them.
                        gitHubTrustPermissions()
                    }
                }
            }
        }
    }
    triggers {
        periodicFolderTrigger {
            interval '1d'   // rescan the organization once a day
        }
    }
    orphanedItemStrategy {
        discardOldItems {
            numToKeep 1   // keep one orphaned item before deleting
        }
    }
}
docker-compose.yml
# Compose v2 ignores `version` (it only warns that the field is obsolete).
version: "3"
services:
  jenkins:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        # Bare name: the value is read from the host environment at build time.
        - DOCKER_GROUP_ID
    container_name: jenkins-controller
    environment:
      - TZ=America/Denver
      # NOTE(review): in list form the double quotes are part of the YAML
      # scalar and may be handed to the container verbatim; check the
      # rendered value with `docker compose config`.
      - JENKINS_OPTS="--logfile=/var/log/jenkins/jenkins.log"
      # Bare names pass the host's values straight through; these are the
      # ${...} placeholders that config.yaml and job.groovy consume.
      - JENKINS_ADMIN_ID
      - JENKINS_ADMIN_PASSWORD
      - GH_APP_KEY
      - GH_APP_ID
      - GH_ID_DESC
      - ORG
      - OWNER
      - URL
      - EUT
      - TESTER
    ports:
      # Published on every host interface. Quoted so YAML cannot read the
      # colon-separated values as sexagesimal numbers.
      - "8080:8080"
      - "50000:50000"
    volumes:
      - jenkins-data:/var/jenkins_home
      - jenkins-log:/var/log/jenkins
      # USB pass-through, presumably for the hardware behind EUT/TESTER.
      - /dev/bus/usb:/dev/bus/usb
      # The host Docker socket makes the controller — and anything it runs
      # through docker-workflow, e.g. a `docker build` of a Dockerfile taken
      # from a pull request — root-equivalent on the host. Only content you
      # trust should reach a build here; see the trust strategy in job.groovy.
      - /var/run/docker.sock:/var/run/docker.sock
volumes:
  jenkins-data: {}
  jenkins-log: {}
I’ve got some jobs in public repositories so I’m using the “From users with Admin or Write permission” Trust Strategy in my organization configuration.
The problem is that the Dockerfile doesn’t seem to be considered a “trusted file” by Jenkins. Non-admin users are able to open pull requests that include changes to the Dockerfile, and the Jenkins job accepts those changes and runs the job, which is dangerous if a user puts some malicious stuff in the Dockerfile.
Is there any way to include Dockerfiles (or any other files) in the Trust Strategy that’s applied to Jenkinsfiles?