Skip to content
Latchkey

Jenkins Secret Not Masked in Logs - Fix Credentials Binding Masking

Jenkins masks the exact value of a bound credential in the console, but only when the literal value appears. Interpolating it into a Groovy string, transforming it, or echoing a derived form can leak the secret because the masker no longer sees the original bytes.

What this error means

A credential bound via withCredentials shows up in plaintext in the build log (or in a warning about a secret in a Groovy string). The masking that normally replaces it with **** did not apply because the value was reshaped before it printed.

Jenkins console
+ echo Deploying with token ghp_REALSECRETVALUE   # leaked!
Warning: A secret was passed to "sh" using Groovy String interpolation,
which is insecure. Use single quotes and shell variables instead.

Common causes

Secret interpolated in a Groovy double-quoted string

Using "$PASS" (Groovy interpolation) bakes the value into the command string before the shell runs, so it can appear in the log and bypass reliable masking.

Echoing or transforming the secret

Printing the secret, or base64/encoding it before use, produces a value the masker does not recognize, so the derived form is shown in the clear.

How to fix it

Reference the secret as a shell variable, not Groovy interpolation

Use single quotes so the shell - not Groovy - expands the variable, keeping the literal value out of the command string.

Jenkinsfile
withCredentials([string(credentialsId: 'gh-token', variable: 'TOKEN')]) {
  sh 'curl -H "Authorization: Bearer $TOKEN" https://api.example.com'  // single quotes
}

Never print or reshape the secret

  1. Do not echo credentials or pass them through set -x blocks.
  2. Avoid encoding/transforming the secret before use; masking only matches the original value.
  3. Heed the "secret passed using Groovy String interpolation" warning - switch to single-quoted shell expansion.

How to prevent it

  • Always expand secrets as shell variables with single-quoted sh scripts.
  • Never echo, log, or transform a bound credential.
  • Rotate any credential that appears unmasked in a build log.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →