Lack of Secure Authorization

ID

unsecured_authorization

Severity

critical

Family

CI/CD tools

Tags

cicd-sec-02, cicd-security, least-privilege, reachable, security, supply-chain

Description

This detector reports an unsecured authorization configuration on a Jenkins instance.

It requires the Jenkins Configuration-as-Code plugin to be installed in order to run.

Security

You can configure authentication and authorizations in Jenkins using the Security Realm and Authorization configurations. The Security Realm configuration defines how users are authenticated while the Authorization configuration defines which users or groups can access which aspects of Jenkins and to what extent.

It is important to secure your Jenkins instance by setting up authentication and authorization mechanisms to prevent unauthorized access and ensure that only authorized users can access Jenkins and perform actions based on their permissions.

There are several security vulnerabilities that can arise from weak authorization configurations in Jenkins.

Mitigation / Fix

Review the Authorization configuration and change it to a non-weak setting. A Jenkins administrator does this in the Security section under the Configure Global Security option.

The following Authorization options are considered unsecured and should not be used in a production environment:

  • Anyone can do anything

  • Legacy mode

  • Logged-in users can do anything

At least one of the following options, provided by the Matrix Authorization Strategy Plugin, should be configured:

  • Matrix-based security

  • Project-based Matrix Authorization Strategy

or extend the Authorization configuration with a plugin such as the Role-based Authorization Strategy Plugin, which allows you to define roles with specific permissions and assign them to users or groups.
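As an added illustration (not part of the detector's documentation or the Jenkins project), the following Configuration-as-Code jenkins.yaml fragments show one of the unsecured settings this detector flags, followed by a hardened equivalent using Matrix-based security. The admin account name, the ${ADMIN_PASSWORD} variable and the matrix-auth 3.x `entries` syntax are assumptions.

```yaml
# WEAK: flagged by this detector. Every logged-in user gets full control.
# The other two unsecured forms look like:
#   authorizationStrategy: unsecured   # "Anyone can do anything"
#   authorizationStrategy: legacy      # "Legacy mode"
jenkins:
  securityRealm:
    local:
      allowsSignup: false
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: false
---
# HARDENED: Matrix-based security (Matrix Authorization Strategy Plugin).
# Only the admin account may administer; other authenticated users are
# read-only, and anonymous users receive no permissions at all.
jenkins:
  securityRealm:
    local:
      allowsSignup: false
      users:
        - id: admin                     # assumed account name
          password: ${ADMIN_PASSWORD}   # injected from a secret, not hard-coded
  authorizationStrategy:
    globalMatrix:                       # use projectMatrix for the
      entries:                          # project-based variant
        - user:
            name: admin
            permissions:
              - Overall/Administer
        - group:
            name: authenticated
            permissions:
              - Overall/Read
              - Job/Read
```

Applying the second document (for example via the CASC_JENKINS_CONFIG path) replaces the "Logged-in users can do anything" strategy, so the detector no longer reports the instance.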