
Script approval and sandbox in Jenkins - Commands & Configuration

Introduction
Jenkins can run Groovy scripts that call methods capable of harming your system, so it does not trust every script by default. Script approval and the sandbox control which scripts can run automatically and which need manual approval.
When you add a new Groovy script to a Jenkins pipeline and it uses commands Jenkins does not trust by default
When you want to prevent unsafe scripts from running automatically in your Jenkins jobs
When you want to allow safe scripts to run without manual approval by using the sandbox mode
When you need to approve specific scripts or script signatures manually to allow them to run
When you want to keep your Jenkins environment secure while still allowing custom automation
Commands
This command runs a Groovy script on Jenkins using the Jenkins CLI. If the script uses unapproved methods, Jenkins will block it and require approval.
Terminal
java -jar jenkins-cli.jar -s http://localhost:8080 groovy = < script.groovy
Expected Output
ERROR: Scripts not permitted to use method java.lang.Runtime exec java.lang.String Please approve this signature in the script approval page.
This command manually approves a specific script signature via the Jenkins script approval REST API, allowing scripts that use this method to run.
Terminal
curl -X POST http://localhost:8080/scriptApproval/approve -d 'signature=method java.lang.Runtime exec java.lang.String' --user admin:admin123
Expected Output
Approved signature: method java.lang.Runtime exec java.lang.String
-X POST - Send data to approve the script signature
--user admin:admin123 - Authenticate as admin to approve scripts
Run the same Groovy script again after approval. Now it should run without errors because the script signature is approved.
Terminal
java -jar jenkins-cli.jar -s http://localhost:8080 groovy = < script.groovy
Expected Output
Script executed successfully.
Key Concept

If you remember nothing else from this pattern, remember: Jenkins blocks unsafe scripts until you approve their signatures or run them in sandbox mode.

Common Mistakes
Mistake: Trying to run a Groovy script with unapproved methods without approving them first.
Why it is a problem: Jenkins blocks the script for security, causing errors and stopping the job.
Fix: Manually approve the script signatures in Jenkins script approval, or run the script in sandbox mode if it is safe.

Mistake: Approving all scripts blindly without checking their safety.
Why it is a problem: This can allow unsafe scripts to run and harm your Jenkins environment.
Fix: Review each script signature carefully before approving to keep Jenkins secure.
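
As an added example (not part of the original tutorial or of Jenkins itself), this Python script supports the review step above by listing already-approved signatures that deserve a second look. It assumes approvals are stored under approvedSignatures in $JENKINS_HOME/scriptApproval.xml; the sample XML and the RISKY_CLASSES watch list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like $JENKINS_HOME/scriptApproval.xml (assumed layout).
SAMPLE_XML = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval>
  <approvedSignatures>
    <string>method java.lang.Runtime exec java.lang.String</string>
    <string>method java.lang.String toUpperCase</string>
    <string>new java.io.File java.lang.String</string>
    <string>staticMethod jenkins.model.Jenkins getInstance</string>
  </approvedSignatures>
</scriptApproval>
"""

# Reviewer's watch list: an assumption of this example, extend it for your environment.
RISKY_CLASSES = {
    "java.lang.Runtime": "OS command execution",
    "java.lang.ProcessBuilder": "OS command execution",
    "java.io.File": "direct file system access",
    "jenkins.model.Jenkins": "access to the whole Jenkins instance",
}


def parse_signature(sig):
    """Split 'kind class [member] [arg types...]' into (kind, class, member, args)."""
    parts = sig.split()
    if len(parts) < 2:
        raise ValueError(f"malformed signature: {sig!r}")
    if parts[0] == "new":  # constructors carry no member name
        return parts[0], parts[1], None, parts[2:]
    return parts[0], parts[1], parts[2] if len(parts) > 2 else None, parts[3:]


def audit(xml_text):
    """Return [(signature, reason)] for approved signatures on the watch list."""
    # Jenkins writes an XML 1.1 declaration, which Python's parser can reject; drop it.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    findings = []
    for node in root.findall("./approvedSignatures/string"):
        sig = (node.text or "").strip()
        cls = parse_signature(sig)[1]
        if cls in RISKY_CLASSES:
            findings.append((sig, RISKY_CLASSES[cls]))
    return findings


if __name__ == "__main__":
    for sig, reason in audit(SAMPLE_XML):
        print(f"REVIEW  {sig}  ->  {reason}")
```

Run it against a copy of the real file by passing its contents to audit(); any signature it prints was approved at some point and should be re-justified or revoked.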
Summary
Run Groovy scripts in Jenkins and watch for script approval errors.
Approve script signatures manually to allow safe scripts to run.
Use sandbox mode to run scripts safely without manual approval.