Hiding passwords in Jenkins Pipeline log output without using WithCredentials


Actually I don't know why this didn't work in the first place, but here is the solution to the problem.

Define an array with secrets that you want to hide like this:

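// @Field makes these script-level variables visible inside getSecrets();
// a plain top-level `def` is local to the script body and not in scope in methods.
@groovy.transform.Field def splunkPassword = 'verySecretPa55w0rd'
@groovy.transform.Field def basicAuthPassword = 'my8asicAuthPa55w0rd'

def getSecrets() {
    [
            [password: splunkPassword, var: 'SECRET'],
            [password: basicAuthPassword, var: 'SECRET']
    ]
}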

Disclaimer: I don't know whether the SECRET value has an important role; I copied and pasted it from some snippet and it works as expected :)

Afterwards, you can wrap any calls in your scripted pipeline like this:

node {
    wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: getSecrets()]) {
        // stage with a block takes its name in parentheses
        stage('First Stage') { ... }
        stage('Second Stage') { ... }
    }
}

All passwords provided in the getSecrets() array will then be masked like this in your build output:

SPLUNK_PASSWORD: ********
BASIC_AUTH_ADMIN_PASSWORD: ********


Update 26 May 2020

The workaround below stopped working for me recently. My guess is that something changed in a recent Jenkins update. I was trying to avoid installing another plugin, but I eventually gave up and installed the Mask Passwords plugin.

I used the following syntax for use with parameters:

parameters {
    string(name: 'USERNAME', defaultValue: '', description: 'Username')
    password(name: 'PASSWORD', defaultValue: '', description: 'Password')
}

Then in the build stage:

steps {
    script {
        wrap([$class: 'MaskPasswordsBuildWrapper',
              varPasswordPairs: [
                  [password: "${USERNAME}", var: 'USR'],
                  [password: "${PASSWORD}", var: 'PSW']
              ]
        ]) {
            sh '''
                echo "Username: ${USERNAME}"
                echo "Password: ${PASSWORD}"
            '''
        }
    }
}

The original workaround is below, in case anyone else tries to go down the same path.


I've discovered a workaround that is a bit of a hack, but seems to work well. The trick is to use withCredentials, but override the variable with a parameter.

Here's an example which uses the environment directive's credentials() helper method to populate an environment variable, then overrides the two additional environment variables that are automatically defined (and masked in the logs).

First, create a dummy Username with password Credentials. The Username and Password values don't matter; we just need a Credential to use as a placeholder. Enter an ID such as dummy-credentials.

Then define an environment variable using the dummy credentials, and override the automatically defined variables with the parameters (MYUSERNAME and MYPASSWORD in this example):

environment {
    MY_CREDS = credentials('dummy-credentials')
    MY_CREDS_USR = "${params.MYUSERNAME}"
    MY_CREDS_PSW = "${params.MYPASSWORD}"
}

Use the MY_CREDS_USR and MY_CREDS_PSW environment variables wherever you need to reference the secrets. Their contents will be masked in the console log.

sh '''
    echo "Username: ${MY_CREDS_USR}"
    echo "Password: ${MY_CREDS_PSW}"
'''
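
An added example (not part of either answer above, and not the Mask Passwords plugin's own code): a Python sketch that models console masking as exact string replacement, which is an assumption about how the masking in these answers behaves, and then audits the masked log for encoded copies of the same secrets. The function names and the sample log lines are constructed for illustration.

```python
import base64
import re
import urllib.parse

MASK = "********"

def mask_log(text, secrets):
    """Simplified model of literal-match masking (assumption, not plugin code)."""
    # Longest first, so a secret that contains another one is replaced whole.
    ordered = sorted((s for s in secrets if s), key=len, reverse=True)
    if not ordered:
        return text
    pattern = re.compile("|".join(re.escape(s) for s in ordered))
    return pattern.sub(MASK, text)

def encoded_forms(secret):
    """Common transformations under which a secret no longer matches literally."""
    raw = secret.encode()
    return {
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "url": urllib.parse.quote(secret, safe=""),
    }

def audit_log(text, secrets):
    """Return (label, form) pairs for every secret still recoverable from the log."""
    findings = []
    for label, secret in secrets.items():
        if secret in text:
            findings.append((label, "plain"))
        for name, form in encoded_forms(secret).items():
            if form != secret and form in text:
                findings.append((label, name))
    return findings

# Constructed sample: the two passwords from the first answer and a made-up log.
SECRETS = {"splunk": "verySecretPa55w0rd", "basic": "my8asicAuthPa55w0rd"}
SAMPLE_LOG = "\n".join([
    "SPLUNK_PASSWORD: verySecretPa55w0rd",
    "BASIC_AUTH_ADMIN_PASSWORD: my8asicAuthPa55w0rd",
    "token=" + base64.b64encode(b"verySecretPa55w0rd").decode(),
    "debug dump: " + b"my8asicAuthPa55w0rd".hex(),
])
MASKED = mask_log(SAMPLE_LOG, SECRETS.values())

if __name__ == "__main__":
    print(MASKED)
    print(audit_log(MASKED, SECRETS))
```

Run against a saved console log as a post-build check, a non-empty result from `audit_log` means a step printed a transformed copy of a secret that literal masking cannot catch.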