Apache Groovy scripts can be executed on the Jenkins controller and agents through various mechanisms including:
Groovy plugin when using the "Execute system Groovy script" step
Scripts are powerful and useful tools but they must be managed carefully to ensure that they are not used to compromise your installation:
Limit the people to whom the Overall/Administer permission is granted. This allows people to use the Script Console. This authorization allows one to type in and execute an Apache Groovy script in a largely unrestricted environment so it should only be available to highly trusted, sophisticated users.
The Script Security plugin provides two facilities that allow users with lesser permissions (such as Job/Configure or Job/Build) to run scripts that may be associated with plugins or their applications:
Jenkins maintains a list of "approved" scripts that cannot do any damage. If a user attempts to run a script that is not approved, the script is blocked until an administrator reviews the script and approves it using the Manage Jenkins » In-process Script Approval screen. See the In-process Script Approval documentation for more information. In most cases, you should use the Approve assuming permissions check option rather than the simple Approve option.
Groovy scripts can be run in the Groovy Sandbox without approval. Each method call, object construction, and field access is checked against a list of allowed operations. If the script attempts to call any operations that are not allowed, it is killed and the unallowed operation is added to an approval queue. An administrator can approve that operation and then the script can be rerun.
Scripts written in languages other than Groovy can be run by an administrator or must be approved by an administrator; the sandbox is only for Groovy scripts.
Users can disable the Groovy sandbox. The entire script must be approved by the administrator unless it is in the list of administrator-managed list of approved scripts.
See Script Security plugin for more information.
Please submit your feedback about this page through this quick form.
Alternatively, if you don't wish to complete the quick form, you can simply indicate if you found this page helpful?
See existing feedback here.