As a distributed application, Bamboo's security is important. This page contains links to security-related information in the Bamboo documentation.
For information on how to report a security vulnerability in Bamboo and our policy on security advisories and patches, read Bamboo security advisories. A full list of security advisories that we have previously issued is also available on that page.
For information on Bamboo's internal security model, i.e. user management and permissions, please see Users and permissions.
Remote agent security considerations
Note the following security implications when enabling remote agents for Bamboo:
- Encryption needs to be enabled on JMS and HTTP connections. The following data is encrypted:
- login credentials for version control repositories (JMS)
- build logs (JMS)
- build artifacts (HTTP)
- Agent authorization should be enabled, see Agent authentication for more information. If it's not enabled, unauthorized parties will be allowed to install new remote agents, compromising the version control repository credentials.
- Agent secure token should be enabled. If it's not enabled, malicious users can send multiple approval requests for rogue agents which could lead to one of them being mistakenly accepted by a Bamboo administrator. See Security token verification.
As with all services, we strongly recommend that you do not open up agent JMS communication port on a public or untrusted network unless you want to use it. Creating remote agents is Disabling and enabling remote agents support by default.
The following pages contain information on how to configure Bamboo features that can permit/forbid access to the Bamboo application.
- Agent authentication
- Bamboo cookies
- Best practices for Bamboo security
- Securing your remote agents
- Serialization protection methods
- Configuring XSRF protection
- Managing trusted keys
- System-wide encryption
- Repository-stored Bamboo Specs security
- Encrypting database password
- Encrypting passwords in server.xml
- Securing Bamboo against potential SSRF attacks
Other security resources