Skip to content
Latchkey

Jenkins "Scripts not permitted to use method" - Script Security

The Groovy sandbox in Script Security blocked a method call your pipeline made. Sandboxed scripts may only use approved signatures; an admin must approve the call, or the code must run as a trusted shared library.

What this error means

A script {} block or shared-library call fails with RejectedAccessException: Scripts not permitted to use method/staticMethod/new <signature>. The pipeline ran up to that call, then was halted by the sandbox.

Jenkins console
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException:
Scripts not permitted to use staticMethod
org.codehaus.groovy.runtime.DefaultGroovyMethods toJson java.lang.Object

Common causes

Sandboxed pipeline calls an unapproved signature

Pipelines defined in the Jenkins UI run in the Groovy sandbox. Any method, constructor, or field not on the approved list is rejected with this exception - by design, to stop arbitrary code execution.

Reflective or low-level Groovy/Java calls

Calls like Class.forName, getMetaClass, raw JsonSlurper/toJson, or System access are commonly blocked because they can escape the sandbox.

How to fix it

Approve the signature (admin)

  1. Run the pipeline once so the rejected signature is captured.
  2. Go to Manage Jenkins → In-process Script Approval.
  3. Review and approve the exact pending signature - approve deliberately, not blanket.

Move logic into a trusted global shared library

Global shared libraries configured by an admin run outside the sandbox, so they can use methods sandboxed pipelines cannot. Put the helper there instead of approving many ad-hoc signatures.

Shared library
// vars/parseJson.groovy in a trusted global library
def call(String text) {
  return new groovy.json.JsonSlurperClassic().parseText(text)
}

Prefer sandbox-safe built-ins

Many needs have an approved pipeline step: use readJSON/writeJSON (Pipeline Utility Steps) instead of raw JsonSlurper, and sh(returnStdout: true) instead of reflective process calls.

How to prevent it

  • Keep reusable logic in trusted shared libraries rather than inline sandboxed scripts.
  • Use plugin-provided steps (readJSON, writeYaml) that are already sandbox-safe.
  • Review script-approval requests deliberately; do not approve unknown signatures blindly.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →