Suppress irrelevant Jenkins security warnings


Security warnings for Jenkins and its plugins appear at the top of the "Manage Jenkins" page (/manage), but some of them aren't applicable to our installations. For example, these two warnings show consistently despite the fact that we've upgraded to not-vulnerable versions of the plugins in question and confirmed that any required mitigation has already been performed on build-jenkins and test-jenkins:

  • GitHub Pull Request Builder 1.42.0: GitHub access tokens stored in in build.xml

  • Environment Injector Plugin 2.1.5: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier

To avoid training ourselves to ignore security warnings on this page, we should hide these two warnings on these servers. This is normally possible via an admin form, but we currently can't post changes to that form due to some CSRF bug (and the changes wouldn't survive an Ansible rebuild of the server anyway). So we should add the capability to suppress individual warnings to the jenkins-configuration repository. Code points of interest:

The relevant Jenkins code to use in the configuration groovy seems to be UpdateSiteWarningsConfiguration (see Unfortunately, this doesn't seem to be implemented in the Configuration as Code plugin either, so we can't use that as a reference (

Steps to Reproduce


Current Behavior


Expected Behavior


Reason for Variance


Release Notes


User Impact Summary

Your pinned fields
Click on the next to a field label to start pinning.




Jeremy Bowman