Advancing Security: Jenkins Content Security Policy (CSP) Project Progress
Security is a core focus at Jenkins, and through the Content Security Policy (CSP) grant from the Alpha-Omega Foundation, we’re reinforcing our commitment to the stability and safety of our community. After weeks of progress, collaboration, and technical challenges, it’s time to share where we are and what’s next.
Why CSP Matters
With Jenkins as a crucial tool for thousands worldwide, securing its ecosystem is essential. CSP, a browser-enforced security mechanism delivered as an HTTP response header, helps shield applications from injection attacks like cross-site scripting (XSS). This project, supported by Alpha-Omega, represents a three-month push to integrate and enhance CSP across Jenkins, thanks to the dedication of developers Shlomo Dahan and Yaroslav Afenkin, and the oversight of Basil Crow and myself.
Milestones and Achievements
Acceptance Testing Success
One of our most significant milestones has been the dramatic improvement in our Acceptance Test Harness (ATH) results. Starting from a challenging position, we’ve achieved remarkable progress:
- Initial CSP compatibility testing showed numerous issues.
- Current status: only 5 remaining failures in restrictive mode.
- Represents a major step toward full CSP implementation.
Plugin Modernization Campaign
Our team has systematically worked through the Jenkins plugin ecosystem, modernizing and securing critical components. Key highlights include:
High-Impact Releases
We’ve successfully updated and released over 20 widely used plugins with improved CSP compatibility, including:
- Core plugins like Maven, Subversion, and JUnit.
- Critical workflow components such as the Branch API and Workflow Support plugins.
- Popular visualization tools like the ECharts API plugin.
Community Impact
This initiative isn’t just about code changes — it’s about building a more secure foundation for the entire Jenkins community. Our work has:
- Enhanced security for thousands of Jenkins installations worldwide.
- Provided a clear path forward for plugin maintainers.
- Created examples for future CSP implementations.
Looking Forward
As we move into the second phase of this project, we’re focusing on:
- Completing the remaining critical plugin updates.
- Finalizing CSP scanner tooling for automated vulnerability detection.
- Creating comprehensive documentation for maintainers and users.
- Preparing for a potential expanded project in 2025.
Get Involved
We welcome community participation in this important security initiative. You can help by:
- Testing your plugins with CSP enabled.
- Reporting any CSP-related issues you encounter.
- Contributing to plugin modernization efforts.
For more information about the CSP implementation project or to get involved, visit our CSP documentation page.
Special thanks to Basil Crow for technical leadership, Shlomo Dahan and Yaroslav Afenkin for their hard work, Daniel Beck for his CSP-flaw-finding tool, and the Alpha-Omega Foundation for making this work possible through their generous grant.