GoCD security relies on server-agent trust relationships, TLS encryption, role-based access control, plugin security, and secure secret management in pipelines. Because GoCD is a continuous delivery platform built for complex workflows, protecting the deployment pipeline is critical.
<!-- Example GoCD server TLS configuration -->
<!-- /etc/go/cruise-config.xml -->
<!-- NOTE(review): an <ssl> element under <security> could not be confirmed in the
     cruise-config.xml schema; check the installed version's documentation for where the
     8154 HTTPS listener's key and certificate are configured before relying on this snippet. -->
<server>
<security>
<ssl>
<certificate>
<!-- Private key for the HTTPS listener: keep it owner-only (0600) and owned by the
     account the server runs as; anyone who can read it can impersonate the server. -->
<key>/etc/go/ssl/server.key</key>
<!-- Certificate presented on the HTTPS endpoint; agents and users must trust its chain. -->
<cert>/etc/go/ssl/server.crt</cert>
</certificate>
</ssl>
</security>
</server>
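# Secure agent registration with verification token
# NOTE(review): the registration-token file and AGENT_REGISTRATION_TOKEN variable could
# not be confirmed against GoCD's documentation; the documented mechanism is the server's
# agentAutoRegisterKey (cruise-config.xml) matched by agent.auto.register.key on the
# agent. Verify which applies to the installed version.
# On GoCD server: the token is a credential; do not paste it into tickets or chat.
cat -- /var/lib/go-server/registration-token
# On agent (during registration)
export GO_SERVER_URL='https://gocd-server.example.com:8154/go'
# Read the token from the terminal instead of a literal on the command line: an unquoted
# <token-from-server> placeholder is parsed as a redirection, and a literal value would
# land in shell history. -s suppresses echo, -r keeps backslashes intact.
read -rs -p 'Registration token: ' AGENT_REGISTRATION_TOKEN && export AGENT_REGISTRATION_TOKEN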
# Auto-approve agents (use with caution: an auto-approved agent receives jobs and their secrets without manual review)
# /etc/go/agent-auto-approval.json
{
"agents": ["agent-uuid-1", "agent-uuid-2"]
}
# /etc/default/go-agent configuration
# Values are quoted so the file stays valid if a value ever contains spaces or shell metacharacters.
GO_SERVER_URL="https://gocd-server.example.com:8154/go"   # HTTPS endpoint (8154), not the 8153 HTTP port
AGENT_JVM_MAX_MEM="512m"                                   # JVM heap ceiling for the agent
AGENT_JVM_MIN_MEM="128m"                                   # JVM initial heap for the agent
<!-- LDAP authentication configuration -->
<!-- NOTE(review): the authConfigs="ldap" attribute on <security> could not be confirmed
     in the GoCD schema; <authConfigs> as a child element is the documented form. Verify. -->
<security authConfigs="ldap">
<authConfigs>
<!-- pluginId must match the installed plugin's id exactly; the bundled LDAP plugin
     registers as cd.go.authentication.ldap in recent releases. Confirm with the
     plugin_info API. -->
<authConfig id="ldap" pluginId="ldap-authentication">
<configuration>
<property>
<key>Url</key>
<!-- ldap:// on 389 sends the bind password and every user's credentials in cleartext.
     Use ldaps:// (636) or StartTLS and have the server verify the LDAP certificate. -->
<value>ldap://ldap.example.com:389</value>
</property>
<property>
<key>ManagerDN</key>
<!-- Bind account. cn=admin looks like the directory administrator; bind with a
     read-only service account that can only search the user subtree. Its password
     belongs in an encrypted property (GoCD stores such values as <encryptedValue>;
     confirm for your version), never as a plain <value> in config history. -->
<value>cn=admin,dc=example,dc=com</value>
</property>
</configuration>
</authConfig>
</authConfigs>
</security>
<!-- Role configuration example -->
<!-- NOTE(review): the <operation type="..."> form could not be confirmed; GoCD role
     policies are documented as <policy><allow action="..." type="...">pattern</allow>.
     Check the schema for the running version before copying this. -->
<roles>
<role name="admins">
<policy>
<allow>
<!-- ".*" grants admin rights on every resource: keep this role's membership small
     and review it regularly. -->
<operation type="admin">.*</operation>
</allow>
</policy>
</role>
<role name="developers">
<policy>
<allow>
<!-- View on everything, operate only on pipeline-group-1. View still exposes
     pipeline history, artifacts and console output of every group. -->
<operation type="view">.*</operation>
<operation type="operate">pipeline-group-1</operation>
</allow>
</policy>
</role>
<role name="deployers">
<policy>
<allow>
<operation type="view">.*</operation>
<!-- Operate on production-pipelines is granted here, but the production-pipelines
     group authorization on this page lists only admins under <operate>. The two
     disagree; reconcile them so the set of people who can trigger production is
     unambiguous. -->
<operation type="operate">production-pipelines</operation>
</allow>
</policy>
</role>
</roles>
<!-- Pipeline group permissions -->
<!-- NOTE(review): cruise-config.xml declares pipeline groups as <pipelines group="...">;
     a <pipeline group="..."> element could not be confirmed. Verify. -->
<pipeline group="production-pipelines">
<authorization>
<view>
<!-- Read access to this group's pipelines (status, history, artifacts). -->
<role>admins</role>
<role>deployers</role>
</view>
<operate>
<!-- Only admins may operate here, while the "deployers" role policy on this page
     grants operate on production-pipelines. One of the two is wrong; reconcile. -->
<role>admins</role>
</operate>
</authorization>
</pipeline>
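# List installed plugins
# Pass only the username: curl then prompts for the password, which keeps it out of
# argv (visible in `ps`) and shell history. localhost:8153 is plain HTTP; over a
# network use the HTTPS port (8154).
# NOTE(review): GoCD's REST API also expects a versioned header such as
# 'Accept: application/vnd.go.cd.v7+json'; the version is endpoint-specific, so check
# the API reference for the running release.
curl --fail -sS -u admin http://localhost:8153/go/api/admin/plugin_info
# Check for plugin updates
# NOTE(review): /go/api/admin/plugins could not be confirmed as a GoCD endpoint, and
# GoCD does not update plugins through its API; compare the versions reported by
# plugin_info against each plugin's release page instead.
curl --fail -sS -u admin http://localhost:8153/go/api/admin/plugins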
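# GoCD pipeline with secure variables (config-repo)
# NOTE(review): indentation restored; the original was flattened to column 0, which the
# YAML config plugin cannot parse. Verify the reconstructed nesting against the plugin docs.
pipelines:
  deploy-production:
    environment_variables:
      # Use GoCD secrets or external secret manager.
      # Values are quoted: an unquoted {{...}} is parsed by YAML as a flow mapping, not a
      # string. GoCD's documented lookup form is {{SECRET:[<secret_config_id>][<key>]}}
      # with both parts in brackets; confirm the secret config id before use.
      DB_PASSWORD: "{{SECRET:db_password}}"
      API_KEY: "{{SECRET:api_key}}"
    stages:
      - deploy:
          jobs:
            deploy:
              tasks:
                - exec:
                    # Runs on the agent with DB_PASSWORD and API_KEY in its environment;
                    # anyone who can change deploy.sh in the material can read them, so
                    # protect that branch with review and restrict who can push.
                    command: ./deploy.sh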
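# Secure config-repo configuration
# NOTE(review): a top-level config_repos key and a private_key material property could
# not be confirmed for the YAML config plugin; config repositories are normally registered
# in cruise-config.xml or through the config repo API, and git SSH credentials come from
# the server service account's SSH setup. Verify before use. Indentation restored from the
# flattened original.
config_repos:
  - repo: https://github.com/example/gocd-pipelines.git
    plugin: yaml.config.plugin
    configuration:
      url: https://github.com/example/gocd-pipelines.git
      branch: main
      # Use deploy keys with minimum permissions (read-only). An SSH deploy key is not
      # used for an https:// clone URL: pair it with an SSH (git@...) URL, or use a
      # read-only token for https. Keep the key file owner-only (0600) for the server's
      # service account; it is a path here, never the key material itself.
      private_key: /etc/go/deploy-key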
<!-- Environment configuration -->
<!-- NOTE(review): confirm that the installed version still accepts <agents> inside
     <environment>; recent releases manage agent membership through the agents API/UI. -->
<environments>
<environment name="DEV">
<pipelines>
<pipeline name="dev-pipeline" />
</pipelines>
<agents>
<!-- Only agents listed here run this environment's pipelines. -->
<agent uuid="dev-agent-1" />
</agents>
</environment>
<environment name="PROD">
<pipelines>
<pipeline name="prod-pipeline" />
</pipelines>
<agents>
<!-- Dedicated production agent: keep it separate from DEV so a compromised dev job
     cannot reach production credentials or hosts. -->
<agent uuid="prod-agent-1" />
</agents>
</environment>
</environments>
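# GoCD server logs
sudo tail -f -- /var/log/go-server/go-server.log
# GoCD agent logs
sudo tail -f -- /var/log/go-agent/go-agent.log
# Authentication configs (via API)
# NOTE(review): this endpoint lists auth configs, not audit events; the original comment
# called it "Audit logs". Username only: curl prompts for the password so it does not
# land in argv or shell history.
curl --fail -sS -u admin http://localhost:8153/go/api/admin/security/auth_configs
# Check server status
sudo systemctl status go-server
# Check agent status
sudo systemctl status go-agent
# Review active connections (8153 HTTP, 8154 HTTPS per the configuration above)
sudo ss -tulpn | grep -E ':8153|:8154'
# Check for failed logins: -E alternation instead of the GNU-only "\|" escape, -n for POSIX tail
grep -iE 'failed|denied|unauthorized' -- /var/log/go-server/*.log | tail -n 20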
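# Backup GoCD configuration
# NOTE(review): a filesystem tar of a running server can capture an inconsistent database
# snapshot; prefer GoCD's built-in backup (Admin > Backup, or the backups API) where
# available and use this for the config tree. Confirm for the installed version.
# The archive is a secret in itself: /var/lib/go-server/config holds the cipher key that
# decrypts stored secure variables, so create it owner-only from the start.
umask 077
sudo tar -czf "gocd-backup-$(date +%Y%m%d).tar.gz" -- \
  /var/lib/go-server \
  /etc/go
# Store backups securely
# Encrypt and transfer to secure backup location; never leave the plaintext archive
# in a world-readable directory or in the web root.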
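# Check GoCD version
# NOTE(review): the go-server binary path and --version flag could not be confirmed;
# the server's About page or GET /go/api/version also reports the version.
go-server --version 2>/dev/null || /usr/share/go-server/bin/go-server --version 2>/dev/null
# Check server status
sudo systemctl status go-server
# Check agent status
sudo systemctl status go-agent
# Verify listening ports (8153 HTTP, 8154 HTTPS)
sudo ss -tulpn | grep -E ':8153|:8154'
# Review TLS configuration: print the negotiated protocol, cipher and verification result.
# The first 10 lines of s_client output only show the certificate chain, so head -10
# never reached these fields.
openssl s_client -connect localhost:8154 -tls1_2 </dev/null 2>/dev/null \
  | grep -E 'Protocol|Cipher|Verify return code'
# Confirm legacy protocols are refused: a successful handshake here is a finding.
openssl s_client -connect localhost:8154 -tls1_1 </dev/null >/dev/null 2>&1 \
  && printf '%s\n' 'WARN: server accepted TLS 1.1' >&2
# Check security configuration (case-insensitive so mixed-case keys are not missed)
grep -RiE 'security|auth|ssl|tls' -- /etc/go /var/lib/go-server/config 2>/dev/null | head -n 30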
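# List installed plugins
# Username only: curl prompts for the password, keeping it out of argv and shell history.
# --fail makes curl exit non-zero on an HTTP error instead of feeding an error page to jq,
# and -S still reports that failure on stderr (the original's 2>/dev/null hid it).
# NOTE(review): GoCD's API expects a versioned 'Accept: application/vnd.go.cd.vN+json'
# header and wraps list responses in "_embedded"; the jq path below follows the original
# page and was not verified against the actual response shape.
curl --fail -sS -u admin http://localhost:8153/go/api/admin/plugin_info | jq '.[] | {id, pluginId, enabled}'
# Review recent audit events
# NOTE(review): /go/api/admin/security/audit could not be confirmed as a GoCD endpoint;
# the server log grep for failed/denied/unauthorized above is the page's other source of
# authentication events. Verify before relying on this.
curl --fail -sS -u admin http://localhost:8153/go/api/admin/security/audit | jq '.[] | {action, username, timestamp}' | head -n 20
# Check agent connections: an unexpected hostname or uuid here is a registration to investigate.
curl --fail -sS -u admin http://localhost:8153/go/api/agents | jq '._embedded.agents[] | {uuid, hostname, build_state}'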