Jenkins Script Console
Jenkins features a nice Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins master runtime or in the runtime on agents.
It is very important to understand all of the following points because it affects the integrity of your Jenkins installation. The Jenkins Script Console:
- Access is controlled by the
RunScriptspermission. Older versions of the Matrix Authorization Strategy Plugin allow non-Admin users to be granted this permission. Matrix Authorization Strategy Plugin version 1.5 and later fixed this issue. If any authorization strategy allows this permission to be granted to users other than Admins, then extreme care should be taken not to allow non-admins.
- Is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do including:
- Create sub-processes and execute arbitrary commands on the Jenkins master and agents.
- It can even read files in which the Jenkins master has access to on the host (like
- Decrypt credentials configured within Jenkins.
- Offers no administrative controls stop a User (or Admin) once they are able to execute the Script Console from affecting all parts of the Jenkins infrastructure. Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administer rights within Jenkins.
- Can configure any Jenkins setting. It can disable security, reconfigure security, even open a backdoor on the host operating system completely outside of the Jenkins process. Due to the mission critical importance many organizations place on Jenkins in their infrastructure this point is especially important because it would allow an attacker to move laterally within infrastructure with little effort.
- Is so powerful because it was originally intended as a debugging interface for Jenkins developers but has since grown into an interface used by Jenkins Admins to configure Jenkins and debug Jenkins runtime issues.
Because of the power offered by the Jenkins Script Console, Jenkins and its agents should never be run as the
root user (on Linux) or system administrator on any other flavor of OS. Videos linked in this wiki page demonstrate and discuss security warnings.
Be sure to secure your Jenkins instance using known good community practices.
Table of Contents
The Jenkins Script Console can run either on the master or any configured agents.
Running Script Console on the master
This feature can be accessed from "Manage Jenkins" > "Script Console". Or visit the sub-URL
/script on your Jenkins instance.
Running Script Console on agents
Visit "Manage Jenkins" > "Manage Nodes". Select any node to view the status page. In the menu on the left, a menu item is available to open a "Script Console" on that specific agent.
Run scripts from master Script Console on agents
It's also possible to run scripts from the master Script Console on individual agents. The following script is an example running a script on agents from the master Script Console.
A Jenkins Admin can execute groovy scripts remotely by sending an HTTP POST request to
/script/ url or
Also, Jenkins CLI offers the possibility to execute groovy scripts remotely using
groovy command or execute groovy interactivelly via
groovysh. However, once again curl can be used to execute groovy scripts by making use of bash Command Substitution. In the following example
somescript.groovy is a groovy script in the current working directory.
If security is configured in Jenkins, then curl can be provided options to authenticate using the
curl --user option.
Remote access with CSRF protection enabled
There's an extra step which must be performed to configure Jenkins via the Script Console when CSRF Protection is enabled. The extra step is to get a CSRF token. The token provides an extra security measure in Jenkins to ensure the script console is not being configured from an unauthorized source. It basically comes down to a two step process.
- Authenticate and get a CSRF token for submitting script console scripts.
- Authenticate and use the CSRF token when submitting script console scripts.
Here's an example. Get a CSRF token.
More examples of getting a CSRF token can be found in the Remote access API wiki page.
Then use the
mytoken environment variable to submit the token along with your authentication to the script console.
Additionally, you can
curl the root of the Jenkins API to determine if CSRF protection is enabled.
The above command will return
false. If CSRF protection is enabled then it will return
Shortcut key on script console to submit
You can submit a script without mouse. Jenkins has a shortcut key which enables to submit with keyboard.
- Windows / Linux : Ctrl + Enter
- Mac : Command + Enter
Video Tutorials and additional learning materials
Here are some recorded videos on the Jenkins Script Console:
- Jenkins World 2017: Mastering the Jenkins Script Console - 44 minutes - sample usage and security discussion
- LA Jenkins Area Meetup 2016 - Hacking on Jenkins Internals - Jenkins Script Console - 39 minutes - sample usage
To expand your ability to write script console scripts the following references are recommended:
- Learn Groovy - Learning Groovy is useful for more than writing scripts for the Script Console. Groovy is also relevant for other features of Jenkins like Pipelines and shared pipeline libraries, the Groovy Plugin, the Job DSL plugin, and many other plugins which utilize Groovy (see section "Plugins enabling Groovy usage" in this wiki page).
Example Groovy scripts
Out of date scripts
Due to the nature of Groovy scripts accessing Jenkins source code directly, Script Console scripts are easily out of date from the Jenkins source code. It is possible to run a script and get exceptions because public methods and interfaces in Jenkins core or Jenkins plugins have changed. Keep this in mind when trying out examples. Jenkins is easily started from a local development machine via the following command:
Use CTRL+C to stop Jenkins. It is not recommended to try Script Console examples in a production Jenkins instance.
The following repositories offer solid examples of Groovy scripts for Jenkins.
- CloudBees jenkins-scripts repository.
- Jenkins CI jenkins-scripts repository under the
scriptler/directory (scripts for the Scriptler Plugin).
- Sam Gleske's jenkins-script-console-scripts repository.
- Sam Gleske's jenkins-bootstrap-shared repository under the
Write Groovy scripts for Jenkins with Code completion - The gist of this is to create a Maven project within your IDE and to depend on org.jenkins-ci.main:jenkins-core (and any other plugins that you expect present). You can then write a Groovy script with code completion of Jenkins API objects and methods.
Plugins enabling Groovy usage
Config File Provider Plugin — Adds the ability to provide configuration files (i.e., settings.xml for maven, XML, groovy, custom files, etc.) loaded through the Jenkins UI which will be copied to the job's workspace.
Global Post Script Plugin — Execute a global configured groovy script after each build of each job managed by the Jenkins.
This is typical for cases when you need to do something based on a shared set of parameters, such as triggering downstream jobs managed by the same Jenkins or remote ones based on the parameters been passed to the parameterized jobs.
Notice: jython script support removed since 1.1.0
Groovy plugin — This plugin adds the ability to directly execute Groovy code.
Groovy Postbuild Plugin — This plugin executes a groovy script in the Jenkins JVM. Typically, the script checks some conditions and changes accordingly the build result, puts badges next to the build in the build history and/or displays information on the build summary page.
Matrix Groovy Execution Strategy Plugin — A plugin to decide the execution order and valid combinations of matrix projects.
Pipeline Classpath Step Plugin — Pipeline DSL step to add path to the groovy classpath
Scriptler Plugin — Scriptler allows you to store/edit groovy scripts and execute it on any of the slaves/nodes... no need to copy/paste groovy code anymore.
SnowGlobe Plugin — This plugin provides the ability to define Infrastructure as Code. Create, update and tear down clusters of related docker containers for builds, testing or continuous delivery.
Snowglobe plugin for Jenkins
This allows Jenkins jobs to control a SnowGlobe instance (see https://nirima.github.io/SnowGlobe/).
The operations are relatively simple:
snowglobe_clone createAction: true, sourceId: 'ci-template', targetId: 'new-globe-name'
snowglobe_set_variables globeId: 'my-globe', variables: 'key="value"'
data = snowglobe_get_variables globeId: 'my-globe'
snowglobe_apply createAction: true, globeId: 'my-globe'
data = snowglobe_state createAction: false, globeId: 'my-globe'
snowglobe_clone remove: true, globeId: 'my-globe'
Remove: set to true to also remove the SnowGlobe after destruction.
In all cases - createAction controls whether to add an action to the build, which will also remove the globe when the CI build is complete.