Executing the Jenkinsfile from the repository could expose credentials to the end user (for example, by creating a custom pipeline that uses credentials in the test stage and echoes those creds base64-encoded to the build console).
Probably the only way to control the scripted pipeline with repo configuration is to read a config file (JSON, YAML, or ConfigSlurper for some dynamics) from the repo, without access to the pipeline steps.
It could look like this, a job with the following pipeline script:
```groovy
@Library('mpl') _
MPLStrict {
  git = [url, creds, ...] // repo configs
  pipeline = 'pipeline_name' // pipeline to execute, if not set - get it from the repo config
}
```
In this step it will load the config file, parse it, and execute the required pipeline.
As a result, we need a common interface for that in MPL that allows fortifying the pipeline.
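One way the config-only approach could be enforced, as an added example in plain Groovy (not MPL's code): the repo file is parsed as JSON data, only allowlisted keys and pipeline names are accepted, and a pipeline set in the job overrides the repo value. `StrictConfig`, the key names and the pipeline names are hypothetical; JSON is used here because ConfigSlurper evaluates the file as a Groovy script.

```groovy
import groovy.json.JsonSlurper

class StrictConfig {
    // Pipelines reviewed by the library owner (names constructed for this example).
    static final Set<String> ALLOWED_PIPELINES = ['build', 'build_test'] as Set
    // Keys a repo may set, each with the only type it may have.
    static final Map<String, Class> ALLOWED_KEYS = [pipeline: String, skip_tests: Boolean]

    // Parse repo-supplied JSON as data and return a validated, immutable map.
    // jobPipeline is the value fixed in the job definition; it wins over the repo.
    static Map load(String jsonText, String jobPipeline = null) {
        def parsed = new JsonSlurper().parseText(jsonText)
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException('config root must be an object')
        }
        Map clean = [:]
        parsed.each { key, value ->
            Class expected = ALLOWED_KEYS[key]
            if (expected == null) {
                throw new IllegalArgumentException("unknown config key: ${key}")
            }
            if (!expected.isInstance(value)) {
                throw new IllegalArgumentException("wrong type for key: ${key}")
            }
            clean[key] = value
        }
        if (jobPipeline != null) { clean.pipeline = jobPipeline }
        if (!(clean.pipeline in ALLOWED_PIPELINES)) {
            throw new IllegalArgumentException("pipeline not allowed: ${clean.pipeline}")
        }
        return clean.asImmutable()
    }
}

// Constructed sample inputs: two accepted configs, then two that must be rejected.
assert StrictConfig.load('{"pipeline": "build_test", "skip_tests": true}').pipeline == 'build_test'
assert StrictConfig.load('{"pipeline": "build"}', 'build_test').pipeline == 'build_test'
['{"pipeline": "deploy_prod"}', '{"pipeline": "build", "extra_stage": "custom"}'].each { bad ->
    try {
        StrictConfig.load(bad)
        assert false : 'expected rejection'
    } catch (IllegalArgumentException e) {
        println "rejected: ${e.message}"
    }
}
```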