Jenkins
Jenkins projectCI/CD6 credentials
Initial Admin Password
jenkins / initial-admin-password
New Jenkins controllers generate an administrator unlock password during first startup. The setup wizard requires this password before plugin installation and first-user creation can continue.
Looks like
exampleXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
/var/lib/jenkins/secrets/initialAdminPassworddefault Linux package location documented by Jenkins
/var/jenkins_home/secrets/initialAdminPasswordofficial jenkins/jenkins Docker image home directory
Jenkins startup console log, between separator lines
Unlock Jenkins setup wizard administrator password field
Notes
This is not a reusable default login. It is a per-controller bootstrap secret used only to unlock the initial setup wizard, but leaked images, console logs, and copied JENKINS_HOME directories can preserve it long enough to matter during new deployments.
Local User / Administrator Password
jenkins / local-user-admin-password
Jenkins' own user database is the default security realm on modern Jenkins installations. Users, including the first administrator created during setup, authenticate with username/password credentials stored in per-user configuration under JENKINS_HOME.
Looks like
pattern<passwordHash>[^<]+</passwordHash>[^\s:@]+:[^\s:]+Location
$JENKINS_HOME/users/*/config.xmlper-user configuration for Jenkins' own user database
/loginJenkins web login for local users and administrators
/job/*/build, /script, /computer/*HTTP Basic authentication in older scripted-client flows
legacy scripts and integrations that embed real Jenkins passwords
Notes
There is no universal shipped Jenkins administrator login. The initial-admin-password is a generated setup unlock secret, then the first administrator account is created by the setup flow or by an operator. Modern scripted clients should use API tokens instead of real passwords, but real password Basic auth is still supported for password-based security realms.
System Credentials Store
jenkins / system-credentials-store
Jenkins stores global credentials such as secret text, usernames and passwords, secret files, and SSH private keys in the system credentials provider. The credentials file is encrypted with Jenkins controller secrets that also live under JENKINS_HOME.
Looks like
pattern<(secret|password|privateKey)>\\{?[A-Za-z0-9+/=]+\\}?</(secret|password|privateKey)>Location
$JENKINS_HOME/credentials.xmlsystem credentials provider configuration file
$JENKINS_HOME/secrets/master.keyunencrypted master key used to protect Jenkins encryption keys
$JENKINS_HOME/secrets/hudson.util.Secretcommon Jenkins secret key id used for generic secrets
controller backups, copied JENKINS_HOME directories, images
Notes
credentials.xml by itself usually contains encrypted values. The security boundary is the controller filesystem: if an attacker obtains credentials.xml together with secrets/master.key and the relevant files under $JENKINS_HOME/secrets, Jenkins' own APIs can decrypt stored credentials offline or inside a copied controller home.
User API Token
jenkins / user-api-token
Jenkins users can create API tokens and use them with HTTP Basic authentication for scripted clients. The token is supplied in place of the user's password for operations that require authorization.
Looks like
pattern[A-Za-z0-9]{20,}Location
scripts, Jenkins client configuration, curl/wget commands
JENKINS_USER, JENKINS_TOKEN, JENKINS_API_TOKENCI/CD tool configs and local credential helpers that call Jenkins
Notes
Jenkins documentation explicitly recommends API tokens over real user passwords for scripted clients. A leaked token has the permissions of the user that created it, so administrator-owned automation tokens are equivalent to administrative Jenkins access.
Inbound Agent Secret
jenkins / inbound-agent-secret
Jenkins inbound agents authenticate to the controller with a generated secret shown in the agent launch command. The secret is passed to agent.jar with the -secret argument together with the controller URL and agent name.
Looks like
pattern-secret\s+[A-Fa-f0-9]{32,}|-secret\s+[^\s]+Location
/computer/<agent-name>/agent page showing the inbound launch command to authorized users
service wrappers, scheduled tasks, systemd units, and launch scripts on agents
infrastructure-as-code or bootstrap scripts that start Jenkins agents
process listings and command logs that capture the agent.jar invocation
Notes
A leaked inbound-agent secret lets an attacker connect a process as that Jenkins agent if the controller accepts inbound connections for the node. The blast radius is the jobs and workspaces scheduled onto that agent, including secrets exposed to builds running there.
SSH Private Key Credential
jenkins / ssh-private-key-credential
Jenkins credential stores commonly hold SSH private keys for Git, deployment, agent launch, and infrastructure automation. The private key can be stored directly in Jenkins credentials or loaded from a file on the controller or agent.
Looks like
pattern-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----Location
$JENKINS_HOME/credentials.xmlencrypted private key material in the Jenkins credentials store
~/.ssh/id_*controller or agent filesystem keys referenced by jobs
Jenkins credential bindings and pipeline credentials
Jenkinsfiles and shared libraries that bind SSH credentials
Notes
Scope is defined outside Jenkins by the systems that trust the key: Git hosting, SSH targets, deployment bastions, or agent launchers. The Jenkins credential record may look like an ordinary encrypted XML value, but the decrypted private key often grants access beyond the Jenkins controller itself.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.