Jenkins manages secrets through its Credentials plugin and external integrations, while vulnerability scanning is handled by dedicated plugins that integrate SAST, SCA, DAST, and container scanning tools directly into pipelines.
Jenkins provides comprehensive capabilities for both secrets management and vulnerability scanning through its extensive plugin ecosystem. Secrets are managed via the built-in Credentials plugin and can be extended with enterprise-grade integrations, while security scanning is implemented through specialized plugins that bring tools like SonarQube, OWASP Dependency-Check, Checkmarx, and container scanners into your CI/CD pipelines. This plugin-based approach allows teams to build security directly into their automation workflows.
Jenkins' native credential management is built on the Credentials plugin, which stores sensitive data in encrypted form on the Jenkins controller. The system supports multiple credential types including secret text, username/password pairs, secret files, SSH keys, and certificates. These credentials are made available to jobs through environment variables or direct binding, with automatic masking in console logs to prevent exposure. However, it's important to understand that Jenkins' encryption is not foolproof: any user with Script Console access or filesystem access to the master key can decrypt stored credentials, making it unsuitable for highly sensitive production environments without additional safeguards.
For production environments requiring robust security, several plugins integrate with enterprise secrets management platforms. The Keeper Secrets Manager plugin allows retrieval of secrets from Keeper vault using Keeper Notation syntax, placing values into environment variables or files. The Infisical plugin provides dynamic secrets with automatic rotation, complete audit logs, and fine-grained access control. The CyberArk Conjur Secrets plugin supports both JWT and API key authentication, enabling central secrets management with automatic rotation and segregation of duties. The Fortanix DSM plugin similarly integrates with Fortanix Data Security Manager for secure key management.
Vulnerability scanning in Jenkins is typically layered across the software development lifecycle: Software Composition Analysis (SCA) for dependency scanning in the commit/build phase, Static Application Security Testing (SAST) for code analysis, Dynamic Application Security Testing (DAST) in test environments, and container/IaC scanning during packaging and deployment. Each layer is implemented through specialized plugins that integrate scanning tools and report results back to Jenkins.
Checkmarx Plugin: Performs automatic source code analysis without requiring compilation, identifying security vulnerabilities, compliance issues, and business logic problems. Results are displayed with trends in the Jenkins interface.
OWASP Dependency-Check Plugin: Scans project dependencies for known vulnerabilities (CVEs), generating detailed reports integrated into the Jenkins build page.
SonarQube Scanner: Provides SAST capabilities with quality gates that can block builds when critical issues are found.
NeuVector Vulnerability Scanner: Scans container images and registries for vulnerabilities, supporting both standalone and controller/scanner modes with parallel scanning for large-scale operations.
Vigilnz Security Plugin: Comprehensive plugin supporting SCA, SAST, SBOM, DAST, container scanning, IaC scanning, and secret scanning within a single integration.
Effective vulnerability management requires automated gates that prevent vulnerable code from reaching production. In SonarQube, you can define quality gates that fail builds when critical or blocker issues are detected. The Dependency-Check plugin can be configured to fail builds based on CVSS score thresholds. The NeuVector plugin allows setting fail thresholds for high and medium severity vulnerabilities. These gates can be combined with post-build notifications to alert teams via Slack, email, or other channels when security issues are found.
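The gating described above, as an added example rather than code from the original page: a declarative Jenkinsfile that fails on Dependency-Check findings (severity buckets are derived from CVSS scores), blocks on the SonarQube quality gate, keeps the report as an artifact, and notifies on failure. It assumes a SonarQube server named 'sonarqube', a Dependency-Check installation named 'dependency-check', a Maven project, and the Slack Notification plugin with a '#security-alerts' channel.

```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests package' }
        }
        stage('SCA: Dependency-Check') {
            steps {
                // Scan the workspace and emit every report format (XML is what the publisher parses).
                dependencyCheck additionalArguments: '--scan . --format ALL',
                                odcInstallation: 'dependency-check'
                // Risk gate: critical (CVSS >= 9.0) or high (CVSS 7.0-8.9) findings fail the build,
                // five or more medium findings mark it unstable (thresholds assumed inclusive).
                dependencyCheckPublisher pattern: 'dependency-check-report.xml',
                                         failedTotalCritical: 1,
                                         failedTotalHigh: 1,
                                         unstableTotalMedium: 5
            }
        }
        stage('SAST: SonarQube') {
            steps {
                // Injects server URL and token for the analysis; the token is masked in the log.
                withSonarQubeEnv('sonarqube') {
                    sh 'mvn -B sonar:sonar'
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Wait for SonarQube's webhook to report the gate result; any status other
                // than OK aborts the pipeline. The timeout avoids hanging if the webhook is lost.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
    post {
        always {
            // Preserve scan output for audit trails regardless of the outcome.
            archiveArtifacts artifacts: 'dependency-check-report.*', allowEmptyArchive: true
        }
        failure {
            slackSend channel: '#security-alerts',
                      message: "Security gate failed: ${env.JOB_NAME} #${env.BUILD_NUMBER} (${env.BUILD_URL})"
        }
    }
}
```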
For organizations using containers, image scanning is critical. The NeuVector plugin supports two modes: standalone mode runs the scanner within a Docker container, while controller/scanner mode uses an external controller for centralized management. It supports multiple registry providers including Docker Hub, AWS ECR, and others. The plugin can perform large-scale parallel scanning (up to 2000 concurrent scans with NeuVector 5.4.3+) and provides detailed vulnerability reports integrated into the Jenkins build page.
To maximize security, avoid hardcoding credentials in Jenkinsfiles; always use credentials binding. Implement role-based access control to restrict who can view or modify credentials. Regularly audit and rotate credentials, removing those no longer needed. For scanning, layer multiple tools (SAST + SCA + DAST + container) to catch different vulnerability types. Store all scan reports as build artifacts for audit trails and compliance. Finally, consider using Infrastructure as Code with Jenkins Configuration as Code to version-control your security settings.
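The credentials binding described in the paragraph on native credential management and recommended in the best practices above, as an added example that is not part of the original page. It assumes two credentials already stored in Jenkins, a secret text with ID 'api-token' and a username/password pair with ID 'registry-creds', and a registry host registry.example.com.

```groovy
pipeline {
    agent any
    environment {
        // Binds a "secret text" credential to an env var for the whole pipeline;
        // Jenkins masks its value (****) wherever it appears in the console log.
        API_TOKEN = credentials('api-token')
    }
    stages {
        stage('Push image') {
            steps {
                // ANTI-PATTERN, shown for contrast: a literal secret in the Jenkinsfile lands in SCM
                // history and is echoed unmasked, because Jenkins has no idea it is a secret.
                // sh 'docker login -u ci-bot -p hunter2 registry.example.com'

                // Correct: bind the username/password credential only for the scope of this block.
                withCredentials([usernamePassword(credentialsId: 'registry-creds',
                                                  usernameVariable: 'REG_USER',
                                                  passwordVariable: 'REG_PASS')]) {
                    // Single-quoted Groovy string: $REG_PASS is expanded by the shell at run time,
                    // not by Groovy, so the secret never becomes part of the script text Jenkins
                    // writes to disk. --password-stdin keeps it off the docker command line as well.
                    sh '''
                        echo "$REG_PASS" | docker login -u "$REG_USER" --password-stdin registry.example.com
                        docker push registry.example.com/app:${BUILD_NUMBER}
                    '''
                }
                // Outside the block REG_USER/REG_PASS are no longer defined.
            }
        }
        stage('Call API') {
            steps {
                // API_TOKEN from the environment block; again single quotes so the shell, not Groovy,
                // reads the variable. Masking applies to the set -x echo of this command too.
                sh 'curl -fsS -H "Authorization: Bearer $API_TOKEN" https://api.example.com/scan'
            }
        }
    }
}
```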