Issue No 1:
Octopus Deploy Plugin stores credentials in plain text
SECURITY-957 / CVE-2019-1003071
Octopus Deploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Issue No 2:
Does the plugin work with Jenkins Pipeline? All our Groovy pipelines are stored in code; we are not working with basic UI tasks.
The credential issue can be resolved by making use of the Mask Passwords Jenkins plugin. EDIT: This only hides the password within the UI and build logs; we’ve made a change to the plugin itself that resolves the storing of plain text passwords in the global config file.
Currently, the plugin does not work with Pipeline; however, you can use it with the CLI, e.g.