Fix Jenkins Pipeline 'Scripts Not Permitted to Use' / 'Script Not Yet Approved'
The Error: Script Not Yet Approved
Your Jenkins pipeline fails immediately with:
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException:
Scripts not permitted to use method groovy.json.JsonSlurper parseText java.lang.String
Or in the build log:
Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods
The pipeline refuses to run because a Groovy method call has not been approved by an administrator.
Root Cause
Jenkins runs pipeline scripts in a Groovy sandbox that restricts which classes and methods can be called. This is a security feature managed by the Script Security plugin. When a pipeline tries to call an unapproved method, Jenkins blocks execution and adds the signature to a pending approval queue.
This happens when:
- A pipeline uses Groovy methods not on the default whitelist
- A shared library calls restricted APIs
- Someone updated a pipeline to use a new Groovy class
- The Script Security plugin was updated and reset some approvals
Step-by-Step Fix
1. Approve the pending script signature
Go to Manage Jenkins > In-process Script Approval. You will see entries like:
Pending signature: method groovy.json.JsonSlurper parseText java.lang.String
Click Approve next to each pending signature. Re-run the pipeline.
Note: You may need to approve multiple signatures iteratively — each run may reveal the next unapproved call.
2. Approve signatures via the Jenkins Script Console
For bulk approvals or automation, use the Jenkins Script Console (Manage Jenkins > Script Console):
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval
def approval = ScriptApproval.get()
approval.pendingSignatures.each { sig ->
approval.approveSignature(sig.signature)
println "Approved: ${sig.signature}"
}
3. Use pipeline-safe alternatives instead
Instead of approving raw Groovy, use Jenkins pipeline steps that are already whitelisted:
// INSTEAD OF: new groovy.json.JsonSlurper().parseText(json)
// USE:
def data = readJSON text: json
// INSTEAD OF: new URL("https://api.example.com").text
// USE:
def response = httpRequest url: 'https://api.example.com'
// INSTEAD OF: "ls -la".execute()
// USE:
sh(script: 'ls -la', returnStdout: true)
// INSTEAD OF: new File('/etc/config.yaml').text
// USE:
def content = readFile file: '/etc/config.yaml'
These pipeline steps (readJSON, httpRequest, sh, readFile) run safely within the sandbox.
4. Move complex logic to a shared library
Shared libraries can run outside the sandbox when configured as trusted:
// vars/parseConfig.groovy in your shared library
def call(String jsonText) {
def slurper = new groovy.json.JsonSlurper()
return slurper.parseText(jsonText)
}
Configure the library in Manage Jenkins > Configure System > Global Pipeline Libraries. Check Load implicitly and the library runs with full trust.
Then in your pipeline:
@Library('my-shared-lib') _
def config = parseConfig(readFile('config.json'))
5. Disable the sandbox (not recommended)
For Scripted Pipeline in a Jenkinsfile, you can uncheck Use Groovy Sandbox in the job configuration. This runs the entire pipeline with full permissions.
This is strongly discouraged because:
- Any user who can edit the Jenkinsfile gets full Jenkins access
- It bypasses all script security protections
- It is a common attack vector in Jenkins security audits
6. Pre-approve signatures in configuration-as-code
If you use Jenkins Configuration as Code (JCasC):
# jenkins.yaml
security:
scriptApproval:
approvedSignatures:
- "method groovy.json.JsonSlurper parseText java.lang.String"
- "method java.util.Base64$Encoder encodeToString byte[]"
This ensures approvals survive Jenkins restarts and are version-controlled.
Prevention Tips
- Prefer pipeline steps over raw Groovy —
readJSON,readYaml,readFile,writeFile,sh, andhttpRequestcover most needs without sandbox issues. - Use shared libraries for complex logic — they run trusted and keep Jenkinsfiles simple.
- Review approvals regularly —
/manage/in-process-script-approvalaccumulates signatures over time; audit them. - Test pipelines in a staging Jenkins before promoting to production to catch approval issues early.
- Pin your Script Security plugin version — upgrades can change the default whitelist and break existing pipelines.
Was this article helpful?
DevSecOps Lead
Security-first mindset in everything I ship. From zero-trust architectures to supply chain security, I make sure your pipeline doesn't become your weakest link.
Related Articles
Fix Jenkins Agent Disconnecting Randomly
Diagnose and fix Jenkins agents that go offline mid-build — resolve network timeouts, JVM heap issues, and SSH connection drops.
Jenkins Declarative Pipelines: The Complete Jenkinsfile Guide
Master Jenkins declarative pipelines — stages, steps, post actions, environment variables, credentials, parallel execution, and when conditions.
Jenkins Shared Libraries: Reusable Pipeline Code at Scale
Build and maintain Jenkins shared libraries — directory structure, global vars, custom steps, class-based libraries, testing, and versioning strategies.
Jenkins Declarative Pipelines: From Zero to Production CI/CD
How to write Jenkins declarative pipelines from scratch — stages, agents, environment variables, credentials, parallel execution, post conditions, and shared libraries. Practical Jenkinsfile patterns for real projects.
Jenkins Kubernetes Agents: Dynamic Build Pods for Scalable CI/CD
Configure Jenkins to dynamically spin up Kubernetes pods as build agents. Covers the Kubernetes plugin, pod templates, JNLP agents, multi-container pods, resource limits, and RBAC — so you never manage static build nodes again.
Docker Agents in Jenkins: Reproducible Builds Every Time
Run Jenkins pipeline stages inside Docker containers for clean, reproducible builds — agent configuration, custom images, Docker-in-Docker, and Kaniko alternatives.
More in Jenkins
View all →Jenkins Installation & Configuration: From Zero to First Pipeline
Install Jenkins on Ubuntu and Docker, configure security settings, manage plugins, and create your first freestyle and pipeline jobs step by step.