Back to the course
Test yourself

Jenkins foundations, done right

Final exam · 44 questions · answers explained as you pick
Jenkins basics
11 questions
01Continuous integration mainly gives a team…
Incorrect — that is version control; CI builds and tests it.
Correct — a broken change is caught in minutes, on a shared server.
Incorrect — that is continuous deployment, a later stage.
Incorrect — unrelated to what CI is.
02Continuous delivery differs from continuous integration in that it…
Correct — CI stops at a tested build; CD can release it.
Incorrect — CD still relies on the tested build from CI.
Incorrect — CD is a practice, not a tool replacement.
Incorrect — schedule is unrelated to the CI/CD distinction.
03In a healthy Jenkins, the controller should…
Incorrect — that is exactly what to avoid.
Incorrect — it stores all config in JENKINS_HOME.
Correct — builds run on agents; the controller is the brain.
Incorrect — never expose it unprotected.
04Why must builds never run on the controller?
Incorrect — speed is not the reason; security is.
Correct — keep builds on disposable agents to contain a poisoned build.
Incorrect — plugins do not enforce this — you must.
Incorrect — agents are exactly where builds should run.
05The single most important day-one hardening step is to…
Correct — a fresh Jenkins often defaults to running builds on the controller.
Incorrect — more plugins is more attack surface.
Incorrect — the opposite of hardening.
Incorrect — never expose it unprotected.
06Everything Jenkins knows (jobs, history, credentials) lives in…
Incorrect — Jenkins uses the filesystem, not an external DB by default.
Correct — persist it on a volume or lose the whole instance.
Incorrect — agents hold only transient workspaces.
Incorrect — plugins add features; they do not store your jobs.
07On first boot, the initial admin password is…
Incorrect — there is a generated password gating setup.
Incorrect — it is a random generated value, not a default.
Correct — so nobody can claim your fresh instance first.
Incorrect — it appears in the container/service log.
08A Multibranch Pipeline job…
Correct — new branch, new pipeline, no clicking.
Incorrect — it handles many branches automatically.
Incorrect — the config is the repo’s Jenkinsfile.
Incorrect — it is a pipeline job type.
09Freestyle jobs are discouraged for real projects because they…
Incorrect — they can; the issue is where config lives.
Correct — pipeline-as-code keeps the definition in the repo.
Incorrect — Jenkins is open-source; no license issue.
Incorrect — run speed is not the distinction.
10Agents that connect inbound (JNLP/WebSocket) are useful when…
Incorrect — the controller must be reachable regardless.
Incorrect — the opposite — agents keep builds off it.
Correct — the agent initiates the connection instead.
Incorrect — unrelated to plugins.
11Ephemeral agents (a fresh container/VM per build) improve security by…
Correct — nothing carries over between builds.
Incorrect — they run off the controller, as agents.
Incorrect — unrelated to testing.
Incorrect — the point is a fresh, unshared workspace.
11 questions · explanations appear as you answer
Pipelines as code
11 questions
01Why prefer declarative over scripted pipelines?
Incorrect — scripted still works; declarative is just the better default.
Correct — less sprawl and a smaller security surface.
Incorrect — speed is not the difference.
Incorrect — both can; the difference is structure.
02The three backbone blocks of a declarative pipeline are…
Incorrect — those are stage names, not the syntax backbone.
Incorrect — useful, but not the required core.
Correct — where it runs, its phases, and the commands in each.
Incorrect — not the declarative structure.
03agent { docker { image 'node:22-alpine' } } gives you…
Correct — no "install Node on the agent" drift.
Incorrect — unrelated to the controller.
Incorrect — that is the credentials store.
Incorrect — it is a build environment, not a deploy.
04The post block exists to…
Incorrect — that is the agent block.
Correct — so reporting survives a failing build.
Incorrect — secrets come from the credentials store.
Incorrect — that is the triggers block.
05Independent stages (lint, unit, scan) should be…
Incorrect — they are valuable checks.
Incorrect — they should run on every change.
Correct — keeps feedback fast.
Incorrect — that hides which check failed.
06A sh step fails the build when its command…
Correct — exit 0 = success, anything else = failure. That is the whole contract.
Incorrect — stderr output alone does not fail a step.
Incorrect — that is a timeout, a separate mechanism.
Incorrect — length is irrelevant.
07Secrets must NOT go in the environment{} block because it…
Incorrect — it is plain text, not encrypted.
Correct — use the credentials store via withCredentials/credentials().
Incorrect — not the reason; exposure in the repo is.
Incorrect — it holds strings fine — that is the problem for secrets.
08The when directive lets a stage…
Incorrect — that is retry/options, not when.
Incorrect — that is the parallel block.
Correct — e.g. deploy only on main.
Incorrect — that is the agent block.
09A webhook trigger is better than SCM polling because it…
Correct — faster and less load than polling.
Incorrect — you should secure the webhook with a shared secret.
Incorrect — unrelated to triggering.
Incorrect — it still queues normally.
10In Jenkins cron, the H (hash) in cron('H 2 * * *') means…
Incorrect — H picks a minute, not "every hour".
Correct — avoids a 2:00 stampede across jobs.
Incorrect — H is not a priority flag.
Incorrect — it schedules; it does not halt.
11Parameters turn a pipeline into…
Incorrect — parameters are unrelated to job type.
Incorrect — not about speed.
Correct — one Jenkinsfile handles staging and production.
Incorrect — secrets come from the credentials store.
11 questions · explanations appear as you answer
Building real pipelines
11 questions
01The "fail fast" ordering principle means…
Correct — a compile error should not wait behind a 10-minute e2e suite.
Incorrect — that removes the signal entirely.
Incorrect — parallel helps, but ordering + early stop is the point.
Incorrect — the opposite of fail-fast safety.
02To get a proper test-results view instead of scrolling logs, you…
Incorrect — raw echo is just more log text.
Correct — Jenkins renders counts, trends, and failures.
Incorrect — that is not a test report.
Incorrect — that removes testing.
03Archiving artifacts is mainly for…
Incorrect — images belong in a registry, not Jenkins archives.
Incorrect — never archive secrets — archives are downloadable.
Correct — download exactly what a build produced later.
Incorrect — that is a deploy stage, not archiving.
04Container images produced by a build should go to…
Incorrect — that fills JENKINS_HOME; images belong elsewhere.
Correct — archive only small reports/manifests in Jenkins.
Incorrect — the workspace is transient.
Incorrect — images are not env values.
05Where do pipeline secrets live?
Correct — never in the Jenkinsfile or repo.
Incorrect — that is plain text in the repo.
Incorrect — that commits the secret to version control.
Incorrect — the log is exactly where they must not appear.
06withCredentials protects a secret by…
Incorrect — it scopes exposure; it does not encrypt the workspace.
Correct — the secret exists for those steps and nowhere else.
Incorrect — the opposite of what it does.
Incorrect — never print a secret.
07Log masking is best-effort, so you must never…
Incorrect — you should use it — that is the safe path.
Incorrect — referencing by id is correct.
Correct — base64-ing or partially printing it leaks it.
Incorrect — that is exactly where they belong.
08A shared library exists to…
Correct — a fix or new security step is written once, adopted everywhere.
Incorrect — that is a registry/artifact repo.
Incorrect — secrets still come from the store.
Incorrect — unrelated to the controller.
09Importing a shared library without a version tag is risky because…
Incorrect — it loads — off the default branch.
Correct — pin a tag (@v3) so adoption is deliberate.
Incorrect — speed is not the issue.
Incorrect — the risk is silent behavior change, not exposure.
10The security value of a shared library is that…
Incorrect — hiding is not the benefit; centralized review is.
Incorrect — speed is not the security point.
Correct — instead of chasing forty hand-rolled Jenkinsfiles.
Incorrect — it does not encrypt anything.
11A test step ending in "|| true" is dangerous because it…
Correct — a green light that never means anything is worse than no CI.
Incorrect — it does not; it masks the exit code.
Incorrect — unrelated.
Incorrect — it affects the exit code, not the build stage.
11 questions · explanations appear as you answer
Operating Jenkins
11 questions
01The majority of Jenkins security vulnerabilities live in…
Incorrect — the JRE is not where most Jenkins CVEs are.
Correct — third-party plugin code, running with full privileges, is the real surface.
Incorrect — core has far fewer issues than the plugin ecosystem.
Incorrect — agents are a concern, but plugins are the CVE hotspot.
02The highest-value plugin habit is to…
Correct — a lean, current plugin set beats most other hardening.
Incorrect — that maximizes attack surface.
Incorrect — stale plugins are how RCEs get exploited.
Incorrect — that hides the security warnings you need.
03Many serious Jenkins plugin CVEs are especially dangerous because they are…
Incorrect — many are remotely reachable.
Incorrect — many need no auth at all.
Correct — an unauthenticated attacker can run code — patch promptly.
Incorrect — they are not cosmetic; they are RCE-class.
04Configuration as Code (JCasC) describes Jenkins config as…
Incorrect — that is exactly what it replaces.
Correct — reproducible and reviewable via pull requests.
Incorrect — JCasC is a YAML file, not a DB.
Incorrect — JCasC is config, applied by a plugin.
05A security benefit of JCasC is that…
Correct — you see who changed security settings and when.
Incorrect — secrets must stay out of the YAML.
Incorrect — it configures them; it does not remove risk on its own.
Incorrect — JCasC is configuration, not execution.
06Secrets in a JCasC YAML should be…
Incorrect — the YAML is in Git — never inline secrets.
Incorrect — encoding is not protection; still exposed.
Correct — the value comes from env/secret store, not the file.
Incorrect — private does not make plaintext secrets safe.
07Restoring Jenkins after a disaster requires protecting…
Incorrect — plugins reinstall; your jobs and secrets do not.
Correct — state + configuration together rebuild the instance.
Incorrect — ephemeral agents hold no durable state.
Incorrect — irrelevant to recovery.
08A backup you have never restored is…
Correct — discovering a broken backup during an outage is the worst time.
Incorrect — an untested backup can silently be unusable.
Incorrect — agents are not the thing you back up.
Incorrect — Jenkins does not verify your backups.
09A JENKINS_HOME backup file must be treated as sensitive because it…
Incorrect — size is not the security concern.
Incorrect — plugins are public; that is not the issue.
Correct — encrypt it, store off-host, rotate on leak.
Incorrect — irrelevant.
10Ephemeral (per-build) agents are more secure than static agents because…
Incorrect — they do not — they are disposable agents.
Correct — a fresh container/pod per build, destroyed after.
Incorrect — they still use scoped credentials.
Incorrect — they run the full build/test.
11Standing up a fresh Jenkins quickly and consistently is enabled by…
Correct — apply the file, restore the state, and you are back.
Incorrect — exactly the snowflake JCasC eliminates.
Incorrect — JCasC captures plugin config too.
Incorrect — irrelevant to recovery.
11 questions · explanations appear as you answer