Jenkins is the most widely deployed CI/CD automation server, and it appears in virtually every DevOps interview. Questions range from basic concepts (jobs, agents, pipelines) to advanced topics (shared libraries, security hardening, distributed builds). This guide covers the 50 most common Jenkins interview questions with concise, accurate answers.
Quick reference
| Topic | Key concepts |
|---|---|
| Architecture | Master/agent, executor, workspace, build queue |
| Pipeline | Declarative vs Scripted, stages, steps, post |
| Jenkinsfile | Version-controlled pipeline definition |
| Plugins | 1800+ plugins, Plugin Manager, update center |
| Agents | Labels, Docker agents, Kubernetes agents |
| SCM | Git polling, webhooks, multibranch pipelines |
| Security | Role-Based Access, credentials store, secrets |
| Integrations | Slack, Docker, Kubernetes, SonarQube, Nexus |
Core concepts
1. What is Jenkins and what problem does it solve?
Jenkins is an open-source automation server written in Java. It solves the continuous integration and continuous delivery problem: automatically building, testing, and deploying code whenever developers push changes.
Without Jenkins (or a similar tool), teams manually build and test code—leading to "integration hell" when many developers merge changes simultaneously. Jenkins automates this workflow, providing fast feedback on every commit.
Key capabilities:
- Trigger builds on code push, schedule, or manual request
- Run tests in parallel across multiple agents
- Publish test reports, code coverage, and artifacts
- Deploy to staging or production environments
- Notify teams via Slack, email, or dashboards
2. Explain the Jenkins master–agent architecture.
| Component | Role |
|---|---|
| Master (Controller) | Schedules builds, dispatches work to agents, manages configuration, hosts UI and API |
| Agent (Node) | Executes build steps; communicates back to master via JNLP or SSH |
| Executor | A single build slot on an agent; one executor = one concurrent build |
| Workspace | Directory on the agent where build files are checked out and work is done |
The master never runs build steps itself (best practice). Multiple agents let you run many builds in parallel and use different OS/toolchains.
3. What is a Jenkins Pipeline?
A Pipeline is a suite of plugins that lets you define your entire CI/CD workflow as code in a Jenkinsfile, committed to your repository. Benefits:
- Durability — survives Jenkins restarts (pipelines resume after restart)
- Pausability — can wait for human input (
inputstep) - Visualisation — Blue Ocean and Stage View show each stage
- Version control — pipeline definition lives alongside application code
There are two syntaxes: Declarative (structured, recommended) and Scripted (Groovy DSL, more flexible).
4. What is a Jenkinsfile?
A Jenkinsfile is a text file, committed to your SCM repository, that defines a Jenkins Pipeline. It describes every stage of the CI/CD process:
pipeline {
agent any
stages {
stage('Build') {
steps {
sh 'mvn clean package -DskipTests'
}
}
stage('Test') {
steps {
sh 'mvn test'
}
}
stage('Deploy') {
steps {
sh './deploy.sh'
}
}
}
}
Storing the Jenkinsfile in the repo means every branch can have its own pipeline, and pipeline changes go through code review.
5. Declarative vs Scripted Pipeline — what's the difference?
| Aspect | Declarative | Scripted |
|---|---|---|
| Syntax | Structured (pipeline {} block) |
Pure Groovy DSL |
| Validation | Validated before run; syntax errors caught early | Errors only at runtime |
| Flexibility | Limited to supported directives | Full Groovy — any logic |
| Readability | High | Lower for complex logic |
| Error handling | post block |
try/catch/finally |
| Recommended | Yes (for most pipelines) | When declarative can't express the logic |
You can embed Scripted blocks inside Declarative using script {}:
stage('Conditional') {
steps {
script {
if (env.BRANCH_NAME == 'main') {
sh './promote.sh'
}
}
}
}
6. What are Pipeline stages and steps?
- Stage — a logical phase of the pipeline (Build, Test, Deploy). Stages appear as separate columns in the Stage View and Blue Ocean visualisation.
- Step — a single task within a stage (run a shell command, copy a file, call an API).
- Post — actions that run after stages complete, regardless of success/failure.
pipeline {
agent any
stages {
stage('Build') {
steps {
sh 'make'
archiveArtifacts artifacts: 'build/**/*.jar'
}
}
}
post {
always { echo 'Pipeline finished' }
success { slackSend message: '✅ Build passed' }
failure { mail to: 'team@example.com', subject: 'Build Failed' }
}
}
7. How do you trigger a Jenkins build?
| Trigger type | How to configure |
|---|---|
| SCM polling | pollSCM('H/5 * * * *') — Jenkins polls Git every 5 min |
| Webhook | GitHub/GitLab sends HTTP POST to Jenkins on push |
| Scheduled | cron('0 2 * * *') — build at 2 AM daily |
| Upstream build | upstream(upstreamProjects: 'other-job', threshold: SUCCESS) |
| Manual | Click "Build Now" in UI or call REST API |
| Parameterised | User provides values before build starts |
Webhooks are preferred over polling — they're instant and don't waste Jenkins resources.
8. What is a Jenkins agent label and how is it used?
Labels are tags assigned to agents that allow pipelines to request an agent with specific capabilities:
pipeline {
agent { label 'linux && docker' }
// ...
}
If you have agents tagged linux, windows, docker, gpu, etc., you can target the right environment per stage:
stage('Build Linux') {
agent { label 'linux' }
steps { sh 'make' }
}
stage('Build Windows') {
agent { label 'windows' }
steps { bat 'msbuild solution.sln' }
}
Pipeline advanced
9. How do you run pipeline stages in parallel?
stage('Test') {
parallel {
stage('Unit Tests') {
steps { sh 'pytest tests/unit' }
}
stage('Integration Tests') {
steps { sh 'pytest tests/integration' }
}
stage('Lint') {
steps { sh 'flake8 src/' }
}
}
}
Parallel stages run simultaneously on available executors, reducing total build time significantly. Use failFast: true to abort parallel branches when one fails.
10. How do you handle environment variables in Jenkins Pipelines?
| Source | How to use |
|---|---|
| Built-in | env.BUILD_NUMBER, env.BRANCH_NAME, env.WORKSPACE |
| Pipeline env block | environment { APP_ENV = 'prod' } |
| withEnv step | withEnv(['FOO=bar']) { sh 'echo $FOO' } |
| Credentials | withCredentials([string(credentialsId: 'token', variable: 'TOKEN')]) |
| Parameters | ${params.VERSION} from parameterised builds |
Built-in Jenkins variables table:
| Variable | Value |
|---|---|
BUILD_NUMBER |
Current build number |
BUILD_URL |
Full URL of this build |
JOB_NAME |
Name of the project |
WORKSPACE |
Absolute path to workspace |
GIT_COMMIT |
Current Git commit SHA |
BRANCH_NAME |
Branch being built (multibranch) |
CHANGE_ID |
Pull request number (if PR build) |
11. What is the post block in a Declarative Pipeline?
The post block defines steps that run after the pipeline (or a stage) completes:
post {
always { cleanWs() } // Always clean workspace
success { archiveArtifacts 'dist/**' }
failure { emailext to: 'dev@company.com', subject: "FAILED: ${env.JOB_NAME}" }
unstable { echo 'Tests failed but build compiled' }
aborted { echo 'Build was cancelled' }
changed { echo 'Build status changed from last run' }
fixed { echo 'Build recovered from failure' }
regression { echo 'Build went from passing to failing' }
}
always is crucial for cleanup — it runs even if the pipeline crashes.
12. How do you pass parameters to a Jenkins Pipeline?
pipeline {
parameters {
string(name: 'VERSION', defaultValue: '1.0.0', description: 'Release version')
booleanParam(name: 'DEPLOY_PROD', defaultValue: false, description: 'Deploy to production?')
choice(name: 'ENVIRONMENT', choices: ['dev', 'staging', 'prod'], description: 'Target environment')
password(name: 'DB_PASS', defaultValue: '', description: 'Database password')
}
stages {
stage('Deploy') {
when { expression { return params.DEPLOY_PROD } }
steps {
sh "deploy.sh --version ${params.VERSION} --env ${params.ENVIRONMENT}"
}
}
}
}
13. What is the when directive?
when conditionally runs a stage based on criteria:
stage('Deploy to Production') {
when {
branch 'main'
not { changeRequest() }
environment name: 'CI_ENV', value: 'jenkins'
// Combine with allOf/anyOf/not:
allOf {
branch 'main'
expression { return currentBuild.previousBuild?.result == 'SUCCESS' }
}
}
steps { sh './deploy-prod.sh' }
}
Common when conditions: branch, tag, changeRequest(), expression, environment, buildingTag, not, allOf, anyOf.
14. How do you use the input step?
input pauses the pipeline and waits for human approval:
stage('Approve Production Deploy') {
steps {
timeout(time: 1, unit: 'HOURS') {
input message: 'Deploy to production?',
ok: 'Deploy',
submitter: 'devops-leads',
parameters: [
choice(name: 'TARGET', choices: ['us-east-1', 'eu-west-1'])
]
}
}
}
timeout prevents the pipeline from blocking indefinitely. submitter restricts who can approve.
15. What are Shared Libraries in Jenkins?
Shared Libraries allow you to centralise reusable pipeline code across multiple Jenkinsfiles:
shared-library/
vars/
deployApp.groovy # Global variable/function
buildDocker.groovy
src/
com/example/
Utils.groovy # Class-based helpers
resources/
config/default.yaml # Static resources
vars/deployApp.groovy:
def call(Map config) {
sh "kubectl set image deployment/${config.name} app=${config.image}"
}
In Jenkinsfile:
@Library('my-shared-lib') _
pipeline {
stages {
stage('Deploy') {
steps { deployApp name: 'api', image: "registry/api:${env.BUILD_NUMBER}" }
}
}
}
Configured in Jenkins → Manage Jenkins → System → Global Pipeline Libraries.
Agents and executors
16. How do you run pipeline stages in a Docker container?
pipeline {
agent {
docker {
image 'node:20-alpine'
args '-v /tmp:/tmp'
reuseNode true
}
}
stages {
stage('Build') {
steps { sh 'npm ci && npm run build' }
}
}
}
Or per-stage:
stage('Test') {
agent { docker { image 'python:3.12' } }
steps { sh 'pytest' }
}
The Docker agent eliminates tool installation on agents — the container brings its own environment.
17. How do you run Jenkins agents on Kubernetes?
Using the Kubernetes plugin, Jenkins spins up a Pod per build and tears it down when done:
pipeline {
agent {
kubernetes {
yaml '''
apiVersion: v1
kind: Pod
spec:
containers:
- name: maven
image: maven:3.9-eclipse-temurin-17
command: [cat]
tty: true
- name: docker
image: docker:dind
securityContext:
privileged: true
'''
}
}
stages {
stage('Build') {
steps {
container('maven') { sh 'mvn package' }
}
}
stage('Docker Build') {
steps {
container('docker') { sh 'docker build -t myapp .' }
}
}
}
}
Benefits: elastic scaling, ephemeral agents, no "it works on my agent" problems.
18. What is a Jenkins executor?
An executor is a single build slot on an agent. If an agent has 3 executors configured, it can run 3 builds simultaneously. Executors can be configured in:
- Jenkins UI: Manage Jenkins → Nodes → Configure Node → # of executors
- Declarative agents: agents report their executor count on connection
Best practice: set the master controller to 0 executors so it never runs build steps.
19. How do you handle credentials securely in Jenkins?
Never hardcode secrets in Jenkinsfiles. Use the Credentials plugin:
withCredentials([
usernamePassword(credentialsId: 'docker-hub',
usernameVariable: 'DOCKER_USER',
passwordVariable: 'DOCKER_PASS'),
string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN'),
file(credentialsId: 'kubeconfig', variable: 'KUBECONFIG'),
sshUserPrivateKey(credentialsId: 'ssh-key', keyFileVariable: 'SSH_KEY')
]) {
sh 'docker login -u $DOCKER_USER -p $DOCKER_PASS'
sh 'sonar-scanner -Dsonar.login=$SONAR_TOKEN'
}
Jenkins masks credential values in console output automatically. Credentials are stored encrypted in $JENKINS_HOME/credentials.xml.
For secrets from external stores, use plugins for HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
Jobs and builds
20. What types of Jenkins jobs exist?
| Job type | Description |
|---|---|
| Freestyle | GUI-configured job, limited reproducibility |
| Pipeline | Jenkinsfile-based, single branch |
| Multibranch Pipeline | Auto-discovers branches/PRs, creates sub-jobs per branch |
| Organisation Folder | Scans entire GitHub org/Bitbucket project for repos with Jenkinsfiles |
| Multi-configuration (Matrix) | Runs same job with different parameter combinations |
| Folder | Organisational container for other jobs |
Prefer Multibranch Pipeline for most projects — it automatically builds feature branches and PRs.
21. What is a Multibranch Pipeline and how does it work?
A Multibranch Pipeline job scans a repository and automatically creates a sub-pipeline for each branch or pull request that contains a Jenkinsfile. When a branch is deleted, its Jenkins job is automatically removed.
Typical setup:
mainbranch → runs full pipeline including deployfeature/*branches → run build and test only- Pull requests → run build, test, and static analysis; report status back to GitHub
// Jenkinsfile on feature branch
pipeline {
agent any
stages {
stage('Build') { steps { sh 'mvn package' } }
stage('Test') { steps { sh 'mvn test' } }
// No deploy stage on feature branches
}
}
22. How do you archive artifacts in Jenkins?
post {
success {
archiveArtifacts artifacts: 'target/*.jar, dist/**', fingerprint: true
publishHTML target: [
reportDir: 'build/reports/tests',
reportFiles: 'index.html',
reportName: 'Test Report'
]
junit 'target/surefire-reports/**/*.xml'
}
}
archiveArtifacts stores files on the Jenkins controller after the build. junit publishes test results to the build page. Artifacts are retained according to the job's build retention policy.
23. What is a Jenkins build number and build status?
- Build number — auto-incrementing integer (
BUILD_NUMBER). Never resets unless explicitly changed. - Build status values:
| Status | Meaning |
|---|---|
| SUCCESS | All steps passed |
| UNSTABLE | Build succeeded but tests failed (common with JUnit) |
| FAILURE | Build step failed (non-zero exit code) |
| ABORTED | Manually cancelled or timed out |
| NOT_BUILT | Stage skipped (e.g., when condition false) |
24. How do you configure build retention in Jenkins?
In job configuration or via Jenkinsfile:
options {
buildDiscarder(logRotator(
numToKeepStr: '10', // Keep last 10 builds
daysToKeepStr: '30', // Keep builds from last 30 days
artifactNumToKeepStr: '5' // Keep artifacts for last 5 builds
))
}
Without retention policies, Jenkins disk usage grows unbounded.
Plugins and integrations
25. What are the most important Jenkins plugins?
| Category | Plugin | Purpose |
|---|---|---|
| Pipeline | Pipeline, Blue Ocean | Pipeline execution and visualisation |
| SCM | Git, GitHub, Bitbucket | Source code management integration |
| Credentials | Credentials Binding | Secret management |
| Agents | Kubernetes, Docker | Dynamic agent provisioning |
| Build tools | Maven Integration, Gradle | Build tool wrappers |
| Testing | JUnit, Cobertura, Allure | Test reporting and coverage |
| Code quality | SonarQube Scanner | Static analysis |
| Artifact | Nexus Artifact Uploader | Push to Nexus/Artifactory |
| Notifications | Slack, Email Extension | Build notifications |
| Config | Configuration as Code (JCasC) | Jenkins config in YAML |
26. What is the Jenkins Configuration as Code (JCasC) plugin?
JCasC lets you define Jenkins configuration in a jenkins.yaml file — master configuration, credentials, plugins, agents, and more:
jenkins:
systemMessage: "Production Jenkins — managed by JCasC"
numExecutors: 0
securityRealm:
local:
allowsSignup: false
authorizationStrategy:
roleBased:
roles:
global:
- name: "admin"
permissions: ["Overall/Administer"]
assignments: ["alice", "bob"]
credentials:
system:
domainCredentials:
- credentials:
- usernamePassword:
id: "docker-hub"
username: "myuser"
password: "${DOCKER_PASS}" # From environment variable
Benefits: Jenkins configuration is version-controlled, reproducible, and infrastructure-as-code.
27. How do you integrate Jenkins with GitHub?
- Webhook: In GitHub repo → Settings → Webhooks → Add webhook → Jenkins URL
/github-webhook/ - GitHub app or token: Store PAT in Jenkins Credentials
- Multibranch Pipeline or Organisation Folder pointing to GitHub repo
- Status checks:
githubNotify context: 'ci/jenkins', status: 'SUCCESS'reports back to PR
pipeline {
triggers { githubPush() }
stages {
stage('Build') {
steps { sh 'make' }
}
}
post {
always {
script {
def status = currentBuild.result == 'SUCCESS' ? 'SUCCESS' : 'FAILURE'
githubNotify context: 'Jenkins CI', status: status
}
}
}
}
28. How does Jenkins integrate with Docker?
Three common patterns:
- Build Docker images inside pipeline:
sh 'docker build -t myapp:${BUILD_NUMBER} .'
sh 'docker push myapp:${BUILD_NUMBER}'
- Run steps inside a container (Docker agent):
agent { docker { image 'node:20' } }
- Docker-in-Docker (DinD) for building images when Jenkins itself runs in Docker — requires privileged container or socket mount:
docker run -v /var/run/docker.sock:/var/run/docker.sock jenkins/jenkins
29. How do you integrate Jenkins with SonarQube?
environment {
SONAR_HOST = 'http://sonarqube:9000'
}
stage('Code Quality') {
steps {
withSonarQubeEnv('SonarQube-Server') {
sh 'mvn sonar:sonar'
}
timeout(time: 2, unit: 'MINUTES') {
waitForQualityGate abortPipeline: true
}
}
}
waitForQualityGate pauses the pipeline until SonarQube has analysed the code and reports pass/fail based on Quality Gate rules.
Security
30. How do you secure Jenkins?
Authentication and authorisation:
- Enable security (Jenkins → Manage Jenkins → Security)
- Use LDAP or Active Directory for SSO instead of local accounts
- Install Role Strategy Plugin for fine-grained RBAC
- Disable anonymous access
- Require HTTPS (reverse proxy with Nginx/Apache or SSL termination)
Credentials:
- Store all secrets in Jenkins Credentials (never in Jenkinsfiles)
- Use Vault or cloud secret managers for production secrets
- Rotate credentials regularly
Build isolation:
- Run builds as a non-root user
- Use ephemeral Docker/Kubernetes agents
- Sandbox script execution (Groovy Sandbox)
Network:
- Put Jenkins behind a reverse proxy
- Restrict agent-to-master security (enable agent → master security)
- Use firewall rules to restrict who can reach the Jenkins UI
31. What is the Jenkins Groovy Sandbox?
The Groovy Sandbox restricts what Scripted pipelines can do — dangerous operations like file access, network calls, and reflection require in-process script approval by an administrator.
Declarative pipelines are sandboxed by default. The script {} block inside Declarative is also sandboxed.
To use a non-sandboxed library method, an admin must approve it via Manage Jenkins → In-Process Script Approval.
32. What is the "agent → master security" subsystem?
Agents run code submitted by builds, and a compromised agent could send malicious commands to the master. The Agent → Master Security subsystem restricts what commands agents can execute on the master:
- Prevents agents from reading arbitrary master files
- Prevents agents from writing to sensitive directories
- Enabled by default in Jenkins 2.x
Configure in: Manage Jenkins → Security → Agent → Master Security.
Plugins and best practices
33. What is the Blue Ocean plugin?
Blue Ocean is a modern Jenkins UI that visualises Pipeline runs as a series of connected stages, making it easier to understand build flow, identify failures, and navigate logs. Features:
- Visual pipeline editor for creating Declarative Pipelines
- Colour-coded stage view (green/red/yellow)
- Drill-down into individual step logs
- Pull request and branch overview
- Activity feed per pipeline
Note: As of 2024, Blue Ocean is in maintenance mode — the Jenkins team is integrating its UI improvements into the classic Jenkins UI.
34. How do you restart Jenkins without downtime?
- Safe restart: Waits for current builds to finish:
http://jenkins-url/safeRestart - Immediate restart:
http://jenkins-url/restart - Reload from disk:
http://jenkins-url/reload— reloads config without restarting - CLI:
java -jar jenkins-cli.jar -s http://jenkins-url safe-restart
In Groovy/pipeline: Jenkins.instance.safeRestart()
35. How do you back up Jenkins?
What to back up ($JENKINS_HOME):
config.xml— master configurationjobs/*/config.xml— job configurationscredentials.xml— encrypted credentialsplugins/— installed pluginssecrets/master.key— encryption key (critical!)
Backup strategies:
- ThinBackup plugin — scheduled automated backup
- File system snapshot (EBS snapshot if on AWS)
- Git-committed
jenkins.yamlwith JCasC (infrastructure-as-code approach)
Never back up without secrets/master.key — credentials are unrecoverable without it.
36. How do you upgrade Jenkins?
- Back up
$JENKINS_HOME - Check Jenkins LTS release notes for breaking changes
- Update
jenkins.waror Docker image tag - Restart Jenkins
- Go to Manage Jenkins — update any flagged plugins
- Run a test build to verify
Using Docker: simply change the image tag and redeploy. Jenkins data persists on the volume.
# docker-compose.yml
services:
jenkins:
image: jenkins/jenkins:2.462.3-lts # Update tag here
volumes:
- jenkins_home:/var/jenkins_home
CI/CD patterns
37. How do you implement a Blue-Green deployment with Jenkins?
stage('Blue-Green Deploy') {
steps {
script {
def activeColor = sh(script: "get-active-slot.sh", returnStdout: true).trim()
def newColor = activeColor == 'blue' ? 'green' : 'blue'
sh "deploy.sh --slot ${newColor} --image myapp:${env.BUILD_NUMBER}"
sh "health-check.sh --slot ${newColor}"
// Switch load balancer
sh "switch-lb.sh --to ${newColor}"
}
}
}
38. How do you implement a Canary deployment?
stage('Canary Deploy (10%)') {
steps {
sh 'kubectl set image deployment/api-canary app=api:${BUILD_NUMBER}'
sh 'kubectl scale deployment/api-canary --replicas=1' // 10% of 10 pods
sleep 300 // Wait 5 min
sh './check-error-rate.sh --threshold 1'
}
}
stage('Full Rollout') {
when { expression { return currentBuild.result == null } }
steps {
sh 'kubectl set image deployment/api app=api:${BUILD_NUMBER}'
}
}
39. How do you roll back a failed deployment with Jenkins?
stage('Deploy') {
steps {
script {
try {
sh "helm upgrade --install myapp ./chart --set image.tag=${env.BUILD_NUMBER}"
sh "./smoke-test.sh"
} catch (e) {
echo "Deploy failed, rolling back..."
sh "helm rollback myapp 0" // 0 = previous release
throw e
}
}
}
}
Or use post { failure { sh 'helm rollback myapp 0' } }.
40. What is a Jenkins Shared Library best practice?
| Practice | Why |
|---|---|
| Treat shared lib as a product — tests, versioning | Prevents breaking consumers |
Use @Library('name@version') to pin version |
Avoid unintentional breaking changes |
Keep vars/ functions simple |
Call into src/ classes for complex logic |
Unit test with JenkinsPipelineUnit |
Test pipeline logic without running Jenkins |
Document each var with vars/*.txt |
Jenkins auto-generates documentation |
Monitoring and troubleshooting
41. How do you monitor Jenkins?
| Tool/Method | What it monitors |
|---|---|
| Jenkins metrics plugin | Exposes Prometheus endpoint at /prometheus |
| Grafana dashboard | Queue length, executor utilisation, build duration, failure rate |
| CloudWatch/Datadog | System metrics (CPU, memory, disk) |
| Jenkins Monitoring plugin | JVM heap, garbage collection, threads |
| Audit Trail plugin | Who did what in Jenkins (for security) |
Key Prometheus metrics:
jenkins_job_duration_seconds— build durationjenkins_executor_count_value— total executorsjenkins_executor_in_use_value— busy executorsjenkins_queue_size_value— queued builds
42. How do you debug a failing Jenkins Pipeline?
- Check console output — click the build → Console Output
- Check workspace files — add
sh 'ls -la'or use workspace browser - Print environment:
sh 'env | sort' - Enable verbose output:
sh(script: '...', returnStdout: true)to capture output - Check agent connection: Manage Jenkins → Nodes → agent logs
- Replay — modify and re-run a pipeline without committing via "Replay" option
- Enable timestamps via
timestamps {}wrapper:
options {
timestamps()
timeout(time: 30, unit: 'MINUTES')
}
43. What causes a Jenkins Pipeline to hang?
| Cause | Fix |
|---|---|
Waiting for input with no timeout |
Wrap input in timeout() |
| Long-running test suite | Set timeout at pipeline or stage level |
| Deadlocked agent | Check agent logs; kill and respawn |
| Git clone stalled | Set GIT_TIMEOUT or use checkout step timeout |
| External service unresponsive | Add timeout to HTTP call or polling loop |
options {
timeout(time: 1, unit: 'HOURS')
}
44. How do you clean up Jenkins workspace?
post {
always {
cleanWs() // Requires ws-cleanup plugin
}
}
Or selectively:
cleanWs(patterns: [[pattern: 'target/**', type: 'INCLUDE']])
Without cleanup, workspaces accumulate on agents and fill disk. Schedule periodic cleanup via Jenkins → Manage Jenkins → System → Workspace cleanup or periodic builds with only cleanup tasks.
Jenkins vs alternatives
45. Jenkins vs GitHub Actions — when to use which?
| Factor | Jenkins | GitHub Actions |
|---|---|---|
| Hosting | Self-hosted (full control) | Cloud-hosted (GitHub manages) |
| Cost | Infrastructure cost only | Free for public repos; paid minutes for private |
| Setup | Significant initial setup | Zero setup — just add .github/workflows/ |
| Plugin ecosystem | 1800+ plugins | 20,000+ marketplace actions |
| Flexibility | Maximum — any language, any tool | High — but limited to what actions provide |
| Scalability | Manual (add agents) | Auto-scales (GitHub-hosted runners) |
| Best for | Complex enterprise pipelines, on-prem | New projects, open source, GitHub-native workflows |
46. Jenkins vs GitLab CI — when to use which?
| Factor | Jenkins | GitLab CI |
|---|---|---|
| Architecture | Separate CI server | Built into GitLab |
| Config | Jenkinsfile (Groovy DSL) | .gitlab-ci.yml (YAML) |
| Agents | Jenkins agents (permanent or dynamic) | GitLab Runners (Docker, Kubernetes, shell) |
| Pipeline visualisation | Blue Ocean / Stage View | GitLab pipeline graph |
| Integration | Plugins for everything | Native GitLab (MR, Registry, Deployments) |
| Best for | Existing Jenkins users, complex needs | Teams already on GitLab |
Practical/scenario questions
47. How would you design a Jenkins pipeline for a microservices application?
For a system with 5 microservices, each in its own repo:
- Per-repo Multibranch Pipeline with its own Jenkinsfile
- Shared Library with common stages: build, test, docker-build, helm-deploy
- Parallel test execution within each pipeline
- Conditional deploy: deploy to staging on
develop, to prod onmainwith manual approval - Organisation Folder scanning the entire GitHub org for Jenkinsfiles
// Jenkinsfile using shared library
@Library('company-pipeline-lib') _
microservicePipeline(
name: 'user-service',
dockerRepo: 'registry.company.com',
helmChart: 'charts/user-service',
prodApprovers: 'devops-leads'
)
48. A build is working locally but failing in Jenkins — how do you diagnose?
- Compare environments:
sh 'java -version && mvn -v && node -v'— tool version mismatch? - Check PATH: Jenkins may have different PATH than developer shell
- Check working directory:
sh 'pwd'— is code checked out where expected? - Check permissions: agent user may lack access to file/network
- Check network: agent may be behind proxy or firewall blocking downloads
- Clean workspace: stale cached files from previous builds can cause issues
- Check secret injection: credentials not bound will appear as empty variables
- Enable verbose:
mvn -Xornpm install --verbose
49. How do you implement secrets rotation in Jenkins?
- Update the secret in your external store (Vault/AWS Secrets Manager)
- Update the Jenkins credential via REST API or Credentials plugin:
curl -X POST "http://jenkins/credentials/store/system/domain/_/credential/my-token/updateSubmit" \ -u admin:$JENKINS_TOKEN \ --data-urlencode 'json={"stapler-class":"...", "secret":"new-secret"}' - Or automate via JCasC — update
jenkins.yaml→ apply → Jenkins reloads credentials - Trigger a new build to pick up the new secret
Jenkins never exposes secrets in logs or REST API responses.
50. What are common Jenkins anti-patterns to avoid?
| Anti-pattern | Problem | Solution |
|---|---|---|
| Freestyle jobs with no code | Not reproducible; hard to audit | Use Pipeline + Jenkinsfile in SCM |
| Secrets in Jenkinsfile or env vars | Secrets leak in console, git history | Use Credentials Binding plugin |
| Building on master node | Master can be overloaded; security risk | Set master executors to 0 |
| No build timeouts | Hung builds consume executors forever | Add timeout() at pipeline level |
| Ignoring plugin updates | Security vulnerabilities accumulate | Update plugins monthly |
| Storing artefacts forever | Disk fills up | Configure build discarder |
| Monolithic Jenkinsfile (1000+ lines) | Hard to maintain | Extract to Shared Library |
| No parallel stages | Slow pipelines | Parallelise independent stages |
Common mistakes
| Mistake | Fix |
|---|---|
| Committing credentials to Jenkinsfile | Use Jenkins Credentials Binding |
Using sh on Windows agents |
Use bat or powershell on Windows |
| Not cleaning workspace between builds | Add cleanWs() in post { always } |
| Running on master executor | Set master to 0 executors |
| Polling SCM too frequently | Use webhooks instead of polling |
Ignoring post { failure } |
Always handle failures explicitly |
| Not pinning Shared Library version | Use @Library('lib@v1.2') |
| Large number of retained builds | Configure buildDiscarder |
Jenkins vs other CI/CD tools
| Tool | Hosting | Config format | Best for |
|---|---|---|---|
| Jenkins | Self-hosted | Jenkinsfile (Groovy) | Complex enterprise pipelines |
| GitHub Actions | Cloud | YAML | GitHub-native projects |
| GitLab CI | Cloud/self-hosted | YAML | GitLab-native projects |
| CircleCI | Cloud/self-hosted | YAML | Fast setup, orbs ecosystem |
| TeamCity | Self-hosted | GUI/Kotlin DSL | JetBrains ecosystem |
| Buildkite | Hybrid | YAML | Large-scale, elastic agents |
| ArgoCD | Self-hosted | GitOps | Kubernetes-native CD |
| Tekton | Kubernetes | YAML/CRDs | Cloud-native pipelines |
FAQ
Q: Jenkins LTS vs weekly release — which should I use in production?
LTS (Long-Term Support) releases receive security fixes and critical bug fixes for 52 weeks. Use LTS in production — weekly releases may have regressions. LTS cadence is approximately every 12 weeks.
Q: Can Jenkins run without agents — just the master?
Technically yes (enable executors on master), but it's a security and stability risk. The master handles scheduling, UI, and API traffic — adding build load stresses these functions and creates a risk that a bad build crashes the controller. Always use dedicated agents.
Q: How do you handle flaky tests in Jenkins?
Use the Flaky Test Handler plugin or post-processing to track flaky tests. Retry at the step level with retry(3) { sh 'pytest' }. Mark jobs UNSTABLE (not FAILURE) for flaky tests using catchError(buildResult: 'UNSTABLE', stageResult: 'UNSTABLE'). Track flakiness trends in dashboards.
Q: What is the difference between checkout scm and git step?checkout scm checks out the repository that triggered the build (using the job's SCM configuration) — it works correctly with Multibranch Pipelines, preserving branch/PR information. git url: '...' is a simpler step that just clones a URL. Use checkout scm in Multibranch Pipelines.
Q: How many executors should each agent have?
Typically set executors = number of CPU cores for CPU-bound builds. For I/O-bound builds (downloading dependencies, waiting on external services), you can set 2× CPU cores. Monitor executor utilisation — if agents are idle, reduce; if queue is long, add agents or executors.
Q: How do you test a Jenkinsfile without committing it?
- Replay feature — edit and re-run the last build's Jenkinsfile in the UI (no commit needed)
- Jenkins Pipeline Unit — unit test pipeline logic in JUnit (for Shared Libraries)
- Declarative Linter —
curl --data-urlencode "jenkinsfile=$(< Jenkinsfile)" http://jenkins/pipeline-model-converter/validate - Sandbox environment — a test Jenkins instance that mirrors production