Problem Statement
How does Jenkins manage sensitive credentials securely?
Explanation
The Jenkins Credentials plugin provides centralized, secure storage for secrets, including passwords, API tokens, SSH keys, certificates, and secret files. Credentials are stored encrypted on the Jenkins controller (master), and values bound into a build are masked in logs and console output. Each credential has a unique ID that jobs and pipelines use to reference it without revealing the actual secret.
Credential types include Username with password (for basic auth), Secret text (API tokens, passwords), Secret file (configuration files with secrets), SSH Username with private key (for Git/SSH access), Certificate, and Docker server credentials. Each credential has a scope, either System (available to Jenkins itself, not to jobs) or Global (available to jobs), and can be restricted to specific folders or jobs.
Usage in pipelines: the withCredentials block provides temporary access to credentials as environment variables. Example:
    withCredentials([usernamePassword(credentialsId: 'github-creds', usernameVariable: 'USER', passwordVariable: 'PASS')]) {
        sh 'git push https://$USER:$PASS@github.com/repo.git'
    }
Use credential IDs; never hardcode secrets in a Jenkinsfile. Integration with external secret management systems (HashiCorp Vault, AWS Secrets Manager) is available through plugins. Understanding secure credential management helps prevent secret exposure.
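The following declarative Jenkinsfile is an added example, not part of the original explanation. It binds three of the credential types listed above and shows the quoting detail that decides whether a bound secret stays in the environment or is expanded by Groovy before the shell runs. The credential IDs 'deploy-api-token' and 'deploy-ssh-key', the variable names, and the deploy.example.invalid host are hypothetical placeholders.

```groovy
// Added example. Credential IDs, variable names and hosts are placeholders.
pipeline {
    agent any
    stages {
        stage('Push') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'github-creds',
                                                  usernameVariable: 'GIT_USER',
                                                  passwordVariable: 'GIT_PASS')]) {
                    // Weak form (left commented out): a double-quoted Groovy string
                    // interpolates the secret before the shell starts, so the value
                    // becomes part of the command line. Jenkins logs a warning for this.
                    // sh "git push https://${GIT_USER}:${GIT_PASS}@github.com/repo.git"

                    // Corrected form: single quotes keep the string literal in Groovy,
                    // and the shell reads the values from its environment.
                    sh 'git push "https://${GIT_USER}:${GIT_PASS}@github.com/repo.git"'
                }
            }
        }
        stage('Deploy') {
            steps {
                withCredentials([
                    // Secret text credential bound to one environment variable.
                    string(credentialsId: 'deploy-api-token', variable: 'API_TOKEN'),
                    // SSH key credential: the key is written to a temporary file
                    // whose path is bound to SSH_KEY and removed after the block.
                    sshUserPrivateKey(credentialsId: 'deploy-ssh-key',
                                      keyFileVariable: 'SSH_KEY',
                                      usernameVariable: 'SSH_USER')
                ]) {
                    sh '''
                        set +x   # do not echo commands that reference secrets
                        curl --fail --silent \
                             -H "Authorization: Bearer ${API_TOKEN}" \
                             https://deploy.example.invalid/api/release
                        ssh -i "$SSH_KEY" -o IdentitiesOnly=yes \
                            "${SSH_USER}@deploy.example.invalid" 'systemctl restart app'
                    '''
                }
            }
        }
    }
}
```

Console masking replaces exact matches of the bound values, so a secret that a step transforms (for example, base64-encodes) before printing will not be masked.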
