Plugin hygiene & attack surface
Where the CVEs really live.
Plugins are what make Jenkins do anything — Git integration, Docker, credentials, the pipeline DSL itself are all plugins. They are also, by a wide margin, where Jenkins’ security risk lives: the overwhelming majority of Jenkins CVEs are in plugins, not the core. Every plugin is third-party code running with Jenkins’ full privileges, so the plugin list is your real attack surface, and keeping it small and current is the single highest-value Jenkins security control.
Keep it small and current
Two habits cover most of the risk. First, minimize: install only plugins you actually use, and periodically prune ones you do not — every plugin removed is attack surface removed. Second, update on a schedule: Jenkins’ update centre flags plugins with known vulnerabilities, and a monthly patch pass closes the CVEs that scanners (and attackers) look for. Treat a plugin with a security warning like an unpatched server.
# Manage Jenkins → Plugins shows available security updates.# via the CLI you can audit what is installed and its version:$ jenkins-plugin-cli --list # what is installed# Manage Jenkins → "Manage Plugins" → Updates tab flags known-vulnerable plugins