Jenkins Integration
Shield integrates with Jenkins to protect your build logs from secret exposure.
Prerequisites
Ensure Node.js 18+ is available on your Jenkins agents:
tools {
nodejs 'NodeJS-20'
}
Basic Declarative Pipeline
pipeline {
agent any
tools {
nodejs 'NodeJS-20'
}
stages {
stage('Setup') {
steps {
sh 'npm install -g @dotsetlabs/shield'
}
}
stage('Test') {
steps {
sh 'dotset run --mode redact -- npm test'
}
}
}
}
Using Jenkins Credentials
Shield auto-detects environment variables from Jenkins credentials:
pipeline {
agent any
environment {
DATABASE_URL = credentials('database-url')
API_KEY = credentials('api-key')
DOTSET_API_TOKEN = credentials('dotset-api-token')
}
stages {
stage('Setup') {
steps {
sh 'npm install -g @dotsetlabs/shield'
}
}
stage('Test') {
steps {
sh 'dotset run --mode redact -- npm test'
}
}
}
}
Store your secrets in Jenkins Credentials and reference them with credentials(). Shield will detect them from the environment.
Using withCredentials Block
For more control, use the withCredentials block:
pipeline {
agent any
stages {
stage('Setup') {
steps {
sh 'npm install -g @dotsetlabs/shield'
}
}
stage('Deploy') {
steps {
withCredentials([
string(credentialsId: 'aws-access-key', variable: 'AWS_ACCESS_KEY_ID'),
string(credentialsId: 'aws-secret-key', variable: 'AWS_SECRET_ACCESS_KEY'),
string(credentialsId: 'dotset-api-token', variable: 'DOTSET_API_TOKEN')
]) {
sh 'dotset run --mode redact -- ./deploy.sh'
}
}
}
}
}
Using with .env Files
Create a .env file from credentials:
stage('Test') {
steps {
withCredentials([
string(credentialsId: 'database-url', variable: 'DATABASE_URL'),
string(credentialsId: 'api-key', variable: 'API_KEY')
]) {
sh '''
echo "DATABASE_URL=$DATABASE_URL" > .env
echo "API_KEY=$API_KEY" >> .env
dotset run --mode redact -- npm test
'''
}
}
}
Docker Agent
If using Docker agents:
pipeline {
agent {
docker {
image 'node:20'
}
}
environment {
DOTSET_API_TOKEN = credentials('dotset-api-token')
}
stages {
stage('Setup') {
steps {
sh 'npm install -g @dotsetlabs/shield'
}
}
stage('Test') {
steps {
sh 'dotset run --mode redact -- npm test'
}
}
}
}
Scripted Pipeline
For scripted pipelines:
node {
stage('Checkout') {
checkout scm
}
stage('Setup') {
sh 'npm install -g @dotsetlabs/shield'
}
stage('Test') {
withCredentials([
string(credentialsId: 'database-url', variable: 'DATABASE_URL'),
string(credentialsId: 'dotset-api-token', variable: 'DOTSET_API_TOKEN')
]) {
sh 'dotset run --mode redact -- npm test'
}
}
}
Cloud Analytics
Link your project to track protection events:
environment {
DOTSET_API_TOKEN = credentials('dotset-api-token')
}
Create a credential of type “Secret text” in Jenkins for your Dotset API token.
Complete Example
pipeline {
agent any
tools {
nodejs 'NodeJS-20'
}
environment {
DOTSET_API_TOKEN = credentials('dotset-api-token')
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Install Dependencies') {
steps {
sh 'npm install -g @dotsetlabs/shield'
sh 'npm ci'
}
}
stage('Test') {
environment {
DATABASE_URL = credentials('database-url')
}
steps {
sh 'dotset run --mode redact -- npm test'
}
}
stage('Deploy') {
when {
branch 'main'
}
steps {
withCredentials([
string(credentialsId: 'aws-access-key', variable: 'AWS_ACCESS_KEY_ID'),
string(credentialsId: 'aws-secret-key', variable: 'AWS_SECRET_ACCESS_KEY')
]) {
sh 'dotset run --mode redact -- ./scripts/deploy.sh'
}
}
}
}
post {
always {
cleanWs()
}
}
}
