Lack of Secure Authentication
| Property | Value |
|---|---|
| ID | unsecured_authentication |
| Severity | high |
| Family | CI/CD tools |
| Tags | cicd-sec-02, cicd-security, infrastructure, reachable, security, supply-chain |
Description
This detector reports the use of simple or guessable passwords for admin accounts and the use of built-in authentication methods, which are considered insecure.
The default Jenkins Security Realm setting lets you choose from several options; if one of the following options is selected, a misconfiguration issue is reported.
Insecure configurations for Security Realms:
- None
- Jenkins' own user database
Security
Inadequate Identity and Access Management risks stem from the difficulties in managing the vast amount of identities spread across the different systems in the engineering ecosystem, from source control to deployment. The existence of poorly managed identities - both human and programmatic accounts - increases the potential and the extent of damage of their compromise.
By default Jenkins authenticates through Spring Security without any dedicated plugin or provider, and it accepts credentials over several channels (web UI, REST API, Jenkins CLI, CLI over SSH). These built-in methods do not implement password-management best practices and policies such as password strength requirements, password-reuse checks, or MFA.
Best practice for authentication is to not use built-in authentication methods and instead use centralized third-party SSO.
Mitigation / Fix
Ensure the Jenkins instance uses a third-party authentication mechanism that enforces password policies, which help deny malicious access to the system.
The Security Realms to avoid are None and the weak "Jenkins' own user database". Instead choose "Delegate to servlet container" (if the container running your master node has a strong authentication service enabled), "LDAP" (if your organization has a standard LDAP directory such as Active Directory as its identity provider), or the GitHub OAuth plugin to delegate user authentication to GitHub.
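As an added illustration of the check described above (not the detector's own code), the script below reads a Jenkins config.xml and flags the two realms this rule reports while recognising the recommended alternatives. The `hudson.security.*` and `org.jenkinsci.plugins.*` class names are the ones I expect Jenkins to write for each UI choice and are stated here as assumptions; the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Security realm classes as written into config.xml (assumed class names,
# mapped to the labels used in the Jenkins "Configure Global Security" UI).
INSECURE_REALMS = {
    "hudson.security.SecurityRealm$None": "None (no authentication)",
    "hudson.security.HudsonPrivateSecurityRealm": "Jenkins' own user database",
}
DELEGATED_REALMS = {
    "hudson.security.LegacySecurityRealm": "Delegate to servlet container",
    "hudson.security.LDAPSecurityRealm": "LDAP",
    "org.jenkinsci.plugins.GithubSecurityRealm": "GitHub OAuth plugin",
}

def check_security_realm(config_xml: str) -> dict:
    """Classify the <securityRealm> of a Jenkins config.xml document."""
    root = ET.fromstring(config_xml)
    realm = root.find("securityRealm")
    if realm is None:
        # No realm element at all: nothing challenges the user, treat as "None".
        return {"realm": None, "insecure": True, "reason": "no securityRealm configured"}
    cls = realm.get("class", "")
    if cls in INSECURE_REALMS:
        return {"realm": cls, "insecure": True, "reason": INSECURE_REALMS[cls]}
    if cls in DELEGATED_REALMS:
        return {"realm": cls, "insecure": False, "reason": DELEGATED_REALMS[cls]}
    # Anything else (another SSO plugin, for example) needs a manual look.
    return {"realm": cls, "insecure": False, "reason": "unrecognised realm, review manually"}

# Constructed sample configurations, not captured from a real instance.
LOCAL_DB_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

LDAP_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.LDAPSecurityRealm"/>
</hudson>"""

if __name__ == "__main__":
    for name, cfg in (("local-db", LOCAL_DB_CONFIG), ("ldap", LDAP_CONFIG)):
        print(name, check_security_realm(cfg))
```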
For more robust authentication you can also add two-factor authentication provided by third-party plugins.