As helpful as Jenkins, it is another attack vector within your ecosystem. In most cases, it will contain your service accounts, PAT tokens, usernames and passwords; essentially all the keys to your kingdom. It is a critical part of your infrastructure. You could store these credentials in Hashicorp's Vault, but it would be introducing a complexity within your estate if you don't already use it; though it would allow for better audit and credential management.

When these build servers get hacked... and they probably will as security is hard, things go bad. See news articles, eg:

It is essential to keep systems patched and updated, don't expose them to the internet if you don't have to.

How to read secrets?

There will always be a time when you somehow manage to lose a credential or a key. A few reasons I've heard is that a person has now left the company and he had it on his local machine, or it's somewhere within all the emails but seems to have gone walkabout. Sometimes it's not feasible to try recovering these credentials, sometimes it's just easier to reverse them within Jenkins.

This is how you do it:

Browse to Jenkins credentials, this could be within a folder or sub-directory.

Click to modify a credential you are looking to recover.

Right click on the 'Password' field and copy the hash as show in the image.

Head over to the Jenkins Script Console and paste the code below, adding your recovered hash.

... and there is your super secret password.

It's as simple as that.

Please take security seriously and rotate your credentials regularly. It's really easy if you can automate all the things and you really should automate all the things!