Jenkins Course
Plugins Overview
A fresh Jenkins install can barely do anything useful. Plugins are where the power lives — over 1,800 of them, covering everything from Git integration to Kubernetes deployments. This lesson is your map of the ecosystem.
This lesson covers
What plugins are → How Jenkins without plugins compares to Jenkins with plugins → The essential plugin categories → The 20 plugins every serious Jenkins setup uses → How to find and evaluate plugins
Plugins are extensions that add capabilities to Jenkins. They're written by the Jenkins community, by tool vendors, and by companies building internal integrations. Some are maintained by the Jenkins core team. Others are maintained by a single developer who may or may not respond to issues. Knowing which plugins to trust — and which to avoid — is as important as knowing which ones exist.
The Analogy
Jenkins without plugins is like a smartphone with no apps. The hardware is there, the OS is running, but you can't do much that's useful. Plugins are the apps. A plugin that connects Jenkins to Slack is like a Slack app on your phone. A plugin that integrates Docker is like a Docker management app. The base OS (Jenkins core) handles the fundamentals — plugins handle everything specific to your workflow.
Bare Jenkins vs Plugin-Powered Jenkins
Without plugins — Bare Jenkins
- No Git or SVN integration
- No Docker support
- No Slack or email notifications
- No Kubernetes agent support
- No pipeline syntax (Declarative)
- No credential store
- No test result publishing
- No Blue Ocean UI
With the right plugins
- Full Git, GitHub, GitLab, Bitbucket integration
- Build and run Docker containers
- Slack, Teams, and email notifications
- Scale builds across Kubernetes pods
- Declarative and Scripted pipeline syntax
- Encrypted credential management
- JUnit, TestNG, and coverage reports
- Modern pipeline visualisation UI
The Essential Plugin Categories
Jenkins plugins fall into distinct categories based on what they add. Understanding the categories helps you know where to look when you need a new capability.
Source Control Integration
These plugins connect Jenkins to your code repositories. Without them, Jenkins has no way to pull code, detect pushes, or post build status back to pull requests.
Git plugin
The foundation. Enables checkout scm, branch detection, and all Git operations inside pipelines. Almost certainly already installed.
GitHub plugin
Adds GitHub webhook support, PR status checks, and GitHub organisation scanning for Multibranch Pipelines.
GitLab plugin
Same as GitHub plugin but for GitLab — webhook integration, MR status updates, and project scanning.
Bitbucket Branch Source
Scans Bitbucket workspaces and repositories for Multibranch Pipeline discovery.
Pipeline and Build
These plugins provide the pipeline syntax and build infrastructure you've been using throughout Section II.
Pipeline (workflow-aggregator)
The meta-plugin that installs the entire Pipeline suite — Declarative syntax, Scripted syntax, shared libraries, and the Jenkinsfile engine.
Blue Ocean
A modern pipeline visualisation UI. Shows stages as a graphical flow, highlights failures visually, and makes pipeline editing approachable for non-experts.
Pipeline Stage View
Adds the stage view to classic Jenkins — shows each stage as a colour-coded column across build history.
Timestamper
Adds timestamps to every line of console output. Makes it easy to identify which step is slow without manual arithmetic.
Notifications and Reporting
The plugins that close the feedback loop — telling your team what passed, what failed, and where to look.
Slack Notification
Sends build notifications to Slack channels. The slackSend() step you've been using throughout Section II comes from this plugin.
Email Extension (emailext)
Rich HTML email notifications with attachments, dynamic recipients, and build log inclusion. Far more powerful than the built-in mail() step.
JUnit plugin
Parses JUnit XML test result files and publishes them to Jenkins. Tracks test trends across builds. The junit() step comes from this plugin.
HTML Publisher
Publishes HTML reports (coverage, performance, security) directly into the Jenkins build page as a clickable link.
Infrastructure and Cloud
These plugins extend how Jenkins provisions and manages build agents — from Docker containers to Kubernetes pods to cloud VMs.
Docker Pipeline
The docker.build(), docker.withRegistry(), and Docker agent support from Lesson 22 all come from this plugin.
Kubernetes plugin
Creates Jenkins agents as Kubernetes pods on demand and destroys them when builds finish. The pod template syntax from Lesson 23 comes from this plugin.
Amazon EC2 plugin
Spins up EC2 instances as Jenkins agents on demand and terminates them when idle. Cost-effective for variable build loads on AWS.
SSH Build Agents
Connects to static agents via SSH. The most common way to add a Linux or Mac build agent to Jenkins.
Security and Credentials
Security plugins harden Jenkins and extend how credentials are stored and used across the system.
Credentials Binding
The withCredentials() step from Lesson 18 comes from this plugin. Injects stored credentials as masked environment variables into pipeline steps.
Role-based Authorization Strategy
Adds named roles (admin, developer, viewer) to Jenkins' authorisation system. Covered in Lesson 29.
OWASP Markup Formatter
Prevents XSS attacks by sanitising user-supplied content in job descriptions and build parameters.
Audit Trail
Logs every configuration change, login, and administrative action to a file. Essential for compliance and incident investigation.
Evaluating a Plugin Before Installing It
Not all 1,800 plugins are equal. Before installing any plugin, spend two minutes checking these five signals:
Install count and age
50,000+ installs with years of history = battle-tested. 200 installs released last month = risk. Check at plugins.jenkins.io.
Last release date
No release in 2+ years is a yellow flag — it may not support current Jenkins versions or Java 21.
Open issues and security advisories
Check the GitHub repo for open issues and jenkins.io/security/advisories for known vulnerabilities.
Maintainer
Plugins maintained by the Jenkins core team or large companies (CloudBees, Red Hat, Google) tend to be well-maintained. Single-volunteer plugins may go unmaintained.
Dependency count
A plugin that depends on 15 other plugins brings 15 potential failure points. Prefer plugins with fewer dependencies where the feature set is equivalent.
Auditing All Installed Plugins From the Terminal
The scenario:
You've just taken over a Jenkins instance with 90 installed plugins. Before the next maintenance window, you need to identify which plugins are outdated, which are disabled but still installed, and generate a baseline report. You want this from the terminal — not a manual browser audit.
Tools used:
- jenkins-cli.jar — Jenkins' command-line tool. Download from your Jenkins at
/jnlpJars/jenkins-cli.jar. - list-plugins — CLI command that prints all installed plugins with version and update availability marker.
- groovy CLI command — runs a Groovy script against the live Jenkins instance, giving access to the full plugin API.
- Jenkins.instance.pluginManager — the Groovy object representing Jenkins' plugin manager, exposing all installed plugins, their versions, active status, and update availability.
# Quick list — the (*) marker means an update is available for that plugin
java -jar jenkins-cli.jar \
-s http://jenkins-master-01:8080 \
-auth admin:your-api-token \
list-plugins
# Full audit via Groovy script — shows version, active status, and update availability
java -jar jenkins-cli.jar \
-s http://jenkins-master-01:8080 \
-auth admin:your-api-token \
groovy = << 'EOF'
import jenkins.model.Jenkins
def pm = Jenkins.instance.pluginManager
println "=== INSTALLED PLUGINS AUDIT ==="
println String.format("%-40s %-15s %-10s %-10s", "Plugin", "Version", "Active", "Update?")
println "-" * 80
pm.plugins.sort { it.shortName }.each { plugin ->
def hasUpdate = pm.hasUpdate(plugin)
def status = plugin.isActive() ? "YES" : "DISABLED"
def update = hasUpdate ? "AVAILABLE" : "-"
println String.format("%-40s %-15s %-10s %-10s",
plugin.shortName, plugin.version, status, update)
}
// Summary
def total = pm.plugins.size()
def disabled = pm.plugins.count { !it.isActive() }
def outdated = pm.plugins.count { pm.hasUpdate(it) }
println "\n=== SUMMARY ==="
println "Total installed: ${total}"
println "Disabled: ${disabled}"
println "Updates available: ${outdated}"
EOFWhere to practice: Run list-plugins against your local Jenkins Docker instance first. Then paste the Groovy script body directly into the Script Console at http://localhost:8080/script — you'll see the full audit table immediately. Save a baseline: java -jar jenkins-cli.jar ... list-plugins > plugin-audit-$(date +%Y%m%d).txt. Full plugin API docs at plugins.jenkins.io.
=== INSTALLED PLUGINS AUDIT === Plugin Version Active Update? -------------------------------------------------------------------------------- blueocean 1.27.4 YES AVAILABLE cobertura 1.17 DISABLED AVAILABLE credentials 1319.v7eb... YES - credentials-binding 657.v2b... YES AVAILABLE docker-workflow 1.26 YES AVAILABLE git 4.12.0 YES AVAILABLE github 1.37.3 YES - kubernetes 3845.v7b... YES - matrix-auth 3.2.2 YES AVAILABLE pipeline-stage-view 2.33 YES - slack 2.48 YES AVAILABLE timestamper 1.26 YES - workflow-aggregator 596.v8c21... YES - ws-cleanup 0.45 YES - === SUMMARY === Total installed: 14 Disabled: 1 Updates available: 6
What just happened?
- The audit table covers everything in one view — plugin name, version, whether it's active, and whether an update exists. This is the baseline for any maintenance window or handover conversation.
cobertura: DISABLED— installed but not active. It's consuming disk space and potentially causing confusion. Either re-enable it if it's needed or uninstall it. Disabled plugins nobody uses should be removed.- 6 plugins have updates available — including
git,credentials-binding,slack, andmatrix-auth. Cross-reference these against the security advisories page to identify which are security-critical vs feature updates. pm.hasUpdate(plugin)— checks the plugin manager's update cache, which is refreshed daily or when you click "Check now" in the UI. If the results seem stale, trigger a refresh first.- Version strings like
3845.v7b...— these are incrementals-style versions. The number before the dot is a build counter, not a semantic version. Higher = newer. Some plugins use this instead of traditional semver.
The 20 Plugins Every Serious Jenkins Setup Uses
These appear in almost every production Jenkins installation. If your Jenkins is missing any of these, it probably should have them.
Teacher's Note
Install only what you actually use. A Jenkins with 30 well-chosen plugins is healthier than one with 150 plugins half of which nobody remembers installing.
Practice Questions
1. What is the plugin ID of the meta-plugin that installs the complete Jenkins Pipeline suite including Declarative syntax?
2. Which plugin provides the withCredentials() step that injects stored Jenkins credentials as masked environment variables?
3. In the Jenkins Groovy script console, which property of Jenkins.instance gives you access to all installed plugin information?
Quiz
1. Before installing a new Jenkins plugin, what five signals should you check to evaluate its quality?
2. The plugin audit shows cobertura: DISABLED. What does this mean and what should you do?
3. Which plugin provides the docker.build() and docker.withRegistry() steps used in Lesson 22?
Up Next · Lesson 27
Plugin Management
Installing, updating, pinning, and auditing plugins — the operational skills that keep a Jenkins with 80 plugins stable and secure.