DevOpsil
Jenkins
84%
Needs Review

Fix Jenkins Pipeline 'Scripts Not Permitted to Use' / 'Script Not Yet Approved'

Amara OkaforAmara Okafor4 min read

The Error: Script Not Yet Approved

Your Jenkins pipeline fails immediately with:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException:
Scripts not permitted to use method groovy.json.JsonSlurper parseText java.lang.String

Or in the build log:

Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods

The pipeline refuses to run because a Groovy method call has not been approved by an administrator.

Root Cause

Jenkins runs pipeline scripts in a Groovy sandbox that restricts which classes and methods can be called. This is a security feature managed by the Script Security plugin. When a pipeline tries to call an unapproved method, Jenkins blocks execution and adds the signature to a pending approval queue.

This happens when:

  1. A pipeline uses Groovy methods not on the default whitelist
  2. A shared library calls restricted APIs
  3. Someone updated a pipeline to use a new Groovy class
  4. The Script Security plugin was updated and reset some approvals

Step-by-Step Fix

1. Approve the pending script signature

Go to Manage Jenkins > In-process Script Approval. You will see entries like:

Pending signature: method groovy.json.JsonSlurper parseText java.lang.String

Click Approve next to each pending signature. Re-run the pipeline.

Note: You may need to approve multiple signatures iteratively — each run may reveal the next unapproved call.

2. Approve signatures via the Jenkins Script Console

For bulk approvals or automation, use the Jenkins Script Console (Manage Jenkins > Script Console):

import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval

def approval = ScriptApproval.get()
approval.pendingSignatures.each { sig ->
    approval.approveSignature(sig.signature)
    println "Approved: ${sig.signature}"
}

3. Use pipeline-safe alternatives instead

Instead of approving raw Groovy, use Jenkins pipeline steps that are already whitelisted:

// INSTEAD OF: new groovy.json.JsonSlurper().parseText(json)
// USE:
def data = readJSON text: json

// INSTEAD OF: new URL("https://api.example.com").text
// USE:
def response = httpRequest url: 'https://api.example.com'

// INSTEAD OF: "ls -la".execute()
// USE:
sh(script: 'ls -la', returnStdout: true)

// INSTEAD OF: new File('/etc/config.yaml').text
// USE:
def content = readFile file: '/etc/config.yaml'

These pipeline steps (readJSON, httpRequest, sh, readFile) run safely within the sandbox.

4. Move complex logic to a shared library

Shared libraries can run outside the sandbox when configured as trusted:

// vars/parseConfig.groovy in your shared library
def call(String jsonText) {
    def slurper = new groovy.json.JsonSlurper()
    return slurper.parseText(jsonText)
}

Configure the library in Manage Jenkins > Configure System > Global Pipeline Libraries. Check Load implicitly and the library runs with full trust.

Then in your pipeline:

@Library('my-shared-lib') _
def config = parseConfig(readFile('config.json'))

For Scripted Pipeline in a Jenkinsfile, you can uncheck Use Groovy Sandbox in the job configuration. This runs the entire pipeline with full permissions.

This is strongly discouraged because:

  • Any user who can edit the Jenkinsfile gets full Jenkins access
  • It bypasses all script security protections
  • It is a common attack vector in Jenkins security audits

6. Pre-approve signatures in configuration-as-code

If you use Jenkins Configuration as Code (JCasC):

# jenkins.yaml
security:
  scriptApproval:
    approvedSignatures:
      - "method groovy.json.JsonSlurper parseText java.lang.String"
      - "method java.util.Base64$Encoder encodeToString byte[]"

This ensures approvals survive Jenkins restarts and are version-controlled.

Prevention Tips

  • Prefer pipeline steps over raw GroovyreadJSON, readYaml, readFile, writeFile, sh, and httpRequest cover most needs without sandbox issues.
  • Use shared libraries for complex logic — they run trusted and keep Jenkinsfiles simple.
  • Review approvals regularly/manage/in-process-script-approval accumulates signatures over time; audit them.
  • Test pipelines in a staging Jenkins before promoting to production to catch approval issues early.
  • Pin your Script Security plugin version — upgrades can change the default whitelist and break existing pipelines.
Share:

Was this article helpful?

Amara Okafor
Amara Okafor

DevSecOps Lead

Security-first mindset in everything I ship. From zero-trust architectures to supply chain security, I make sure your pipeline doesn't become your weakest link.

Related Articles

More in Jenkins

View all →

Discussion