Jenkins Secret Not Masked in Logs - Fix Credentials Binding Masking
Jenkins masks the exact value of a bound credential in the console, but only when the literal value appears. Interpolating it into a Groovy string, transforming it, or echoing a derived form can leak the secret because the masker no longer sees the original bytes.
What this error means
A credential bound via withCredentials shows up in plaintext in the build log (or in a warning about a secret in a Groovy string). The masking that normally replaces it with **** did not apply because the value was reshaped before it printed.
+ echo Deploying with token ghp_REALSECRETVALUE # leaked!
Warning: A secret was passed to "sh" using Groovy String interpolation,
which is insecure. Use single quotes and shell variables instead.Common causes
Secret interpolated in a Groovy double-quoted string
Using "$PASS" (Groovy interpolation) bakes the value into the command string before the shell runs, so it can appear in the log and bypass reliable masking.
Echoing or transforming the secret
Printing the secret, or base64/encoding it before use, produces a value the masker does not recognize, so the derived form is shown in the clear.
How to fix it
Reference the secret as a shell variable, not Groovy interpolation
Use single quotes so the shell - not Groovy - expands the variable, keeping the literal value out of the command string.
withCredentials([string(credentialsId: 'gh-token', variable: 'TOKEN')]) {
sh 'curl -H "Authorization: Bearer $TOKEN" https://api.example.com' // single quotes
}Never print or reshape the secret
- Do not
echocredentials or pass them throughset -xblocks. - Avoid encoding/transforming the secret before use; masking only matches the original value.
- Heed the "secret passed using Groovy String interpolation" warning - switch to single-quoted shell expansion.
How to prevent it
- Always expand secrets as shell variables with single-quoted
shscripts. - Never echo, log, or transform a bound credential.
- Rotate any credential that appears unmasked in a build log.