Intermediate 3 min · June 21, 2026

Jenkins Pipeline Basics: Write Production-Grade CI/CD That Won't Burn You at 3 AM

Q: What's the difference between Declarative and Scripted Jenkins Pipeline?

Declarative uses a structured block syntax (pipeline, stages, steps) that's easier to read and write. Scripted uses full Groovy code with node, stage, and steps blocks. Use Declarative for most projects; use Scripted when you need dynamic parallel branches or complex conditional logic that Declarative's `when` block can't handle.

Q: How do I pass variables between stages in a Declarative pipeline?

Use the `environment` block to define variables at pipeline level, or use `script { }` blocks to set variables that are scoped to the stage. For cross-stage persistence, use `env` (e.g., `env.MY_VAR = 'value'`) — but be careful: `env` variables are strings and serialized.

Q: How do I handle credentials in a Jenkins Pipeline?

Store credentials in Jenkins (Manage Jenkins > Manage Credentials). Use `withCredentials` step to bind them to variables inside a block. Never hardcode secrets in the Jenkinsfile. Example: `withCredentials([string(credentialsId: 'my-api-key', variable: 'API_KEY')]) { sh 'curl -H "Authorization: $API_KEY" ...' }`.

Q: Why does my pipeline fail with 'NotSerializableException'?

This happens in Scripted pipelines when a variable holds a non-serializable object (e.g., a custom class instance). Jenkins tries to serialize the pipeline state to survive restarts. Fix: annotate the method with `@NonCPS` if it doesn't need to survive restarts, or convert the object to a serializable type (e.g., use `String` instead of `GString`).

Jenkins Pipeline basics explained with real production patterns.

Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.

✓ Production

production tested

June 21, 2026

last updated

1,577

articles · all by Naren

● Production Incident 🔎 Debug Guide

⚡Quick Answer

A Jenkins Pipeline is a set of steps defined in a Jenkinsfile that automates building, testing, and deploying your code. Use Declarative syntax for most projects; switch to Scripted only when you need complex logic that Declarative can't express.

✦ Definition~90s read

What is Jenkins Pipeline Basics?

A Jenkins Pipeline is a suite of plugins that lets you define your entire CI/CD process as code in a Jenkinsfile. It supports two syntaxes: Declarative (structured, easier) and Scripted (flexible, Groovy-based). Pipelines survive Jenkins restarts and can be version-controlled.

★

Think of a Jenkins Pipeline as a recipe card for your software.

Plain-English First

Think of a Jenkins Pipeline as a recipe card for your software. The recipe lists steps: 'mix ingredients' (checkout code), 'bake at 350°F' (run tests), 'let cool' (deploy). You write the recipe once, check it into version control, and Jenkins follows it every time. If the recipe breaks, you fix the card, not the oven.

Most Jenkins pipelines I see in production are a house of cards. One plugin update, one Groovy method that silently returns null, and your entire deployment chain collapses at 2 AM. I've debugged enough of these to know: the problem isn't Jenkins — it's how people write pipelines.

The core issue? Developers treat pipelines as disposable glue code. They copy-paste from Stack Overflow, use Scripted syntax when Declarative would do, and never test the pipeline itself. Then they wonder why a production deploy fails because a variable wasn't initialized.

By the end of this article, you'll be able to write a Declarative pipeline that handles parallel stages, credentials, and error recovery — and you'll know exactly when to reach for Scripted instead. No fluff, just patterns that survive production.

Why Declarative Pipelines Are Your Default — and When They're Not

Declarative syntax forces structure. You define stages, steps, and post-actions in a clean block hierarchy. It's easier to read, validate, and debug. Scripted pipelines give you full Groovy power — but that power comes with serialization issues, harder debugging, and a tendency to turn into spaghetti. I've seen teams spend weeks debugging a Scripted pipeline that could have been 20 lines of Declarative. Start Declarative. Only reach for Scripted when you need conditional stage execution based on complex logic, dynamic parallel branches, or custom step definitions that can't be expressed in Declarative's script block.

Jenkinsfile.declarativeDEVOPS

// io.thecodeforge — DevOps tutorial

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                echo 'Building...'
                sh 'make build'
            }
        }
        stage('Test') {
            steps {
                echo 'Testing...'
                sh 'make test'
            }
        }
        stage('Deploy') {
            when {
                branch 'main'
            }
            steps {
                echo 'Deploying...'
                sh 'make deploy'
            }
        }
    }
    post {
        always {
            echo 'Pipeline finished.'
        }
        failure {
            echo 'Pipeline failed.'
        }
    }
}

Output

Building...

Testing...

Deploying...

Pipeline finished.

Production Trap: Scripted Pipeline Serialization

If you use Scripted pipelines, every variable you create must be serializable. The classic bug: a def list = [] that gets populated inside a node block — later, when Jenkins tries to checkpoint the pipeline, you get NotSerializableException. Fix: use @NonCPS on methods that hold non-serializable state, or better, use Declarative.

Environment Variables and Credentials — Don't Hardcode, Don't Leak

Hardcoding secrets in your Jenkinsfile is a firing offense. Use Jenkins credentials store and the withCredentials step. For environment-specific values (API URLs, feature flags), use environment blocks with credentials() or load from a vault. Never echo a credential — even in a debug step. I've seen a team accidentally print a production AWS secret key to build logs because they used sh 'env' in a debug stage. The logs were public.

Jenkinsfile.credentialsDEVOPS

// io.thecodeforge — DevOps tutorial

pipeline {
    agent any
    environment {
        // Load from Jenkins credential store — never hardcode
        DOCKER_REGISTRY = credentials('docker-registry-url')
        DOCKER_CREDS = credentials('docker-hub-creds')
    }
    stages {
        stage('Login') {
            steps {
                withCredentials([usernamePassword(
                    credentialsId: 'docker-hub-creds',
                    usernameVariable: 'DOCKER_USER',
                    passwordVariable: 'DOCKER_PASS'
                )]) {
                    sh 'echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin'
                }
            }
        }
        stage('Build and Push') {
            steps {
                sh 'docker build -t $DOCKER_REGISTRY/myapp:latest .'
                sh 'docker push $DOCKER_REGISTRY/myapp:latest'
            }
        }
    }
}

Output

...

Build and Push completed.

Never Do This: Echoing Secrets

Never use echo or sh 'env' in a pipeline that has credentials. Even if you mask the secret, the log might be stored and searchable. Use withCredentials and only reference the variable inside the block.

Parallel Stages — Speed Up Builds Without Breaking the Bank

Parallel stages let you run independent tasks concurrently — like running unit tests and linting at the same time. But don't go overboard. Each parallel branch consumes an executor. If your Jenkins has 4 executors and you run 10 parallel branches, 6 will queue. Use failFast true to abort all branches if one fails — otherwise you wait for all to finish even if one already failed. I've seen a build take 30 minutes because a failed parallel branch didn't abort the others.

Jenkinsfile.parallelDEVOPS

// io.thecodeforge — DevOps tutorial

pipeline {
    agent any
    stages {
        stage('Parallel Tests') {
            parallel {
                stage('Unit Tests') {
                    steps {
                        sh 'make unit-test'
                    }
                }
                stage('Integration Tests') {
                    steps {
                        sh 'make integration-test'
                    }
                }
                stage('Lint') {
                    steps {
                        sh 'make lint'
                    }
                }
            }
            failFast true  // abort all if any branch fails
        }
        stage('Package') {
            steps {
                sh 'make package'
            }
        }
    }
}

Output

[Unit Tests] ...

[Integration Tests] ...

[Lint] ...

All tests passed.

Package completed.

Senior Shortcut: Dynamic Parallel Branches

If you need to run the same stage against multiple targets (e.g., test on different OS), use Scripted's parallel with a loop. But keep it simple: Declarative's parallel block is enough for 90% of cases.

Post Actions — Always Clean Up, Always Notify

The post block runs after all stages, regardless of success or failure. Use it to clean up resources (kill containers, delete temp files) and send notifications (Slack, email). Never put cleanup in a finally block inside a stage — if the stage crashes, finally might not run. The post block is guaranteed to execute. I've seen a pipeline leave behind 50GB of Docker images because the cleanup was in a stage that got aborted.

Jenkinsfile.postDEVOPS

// io.thecodeforge — DevOps tutorial

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t myapp:latest .'
            }
        }
        stage('Test') {
            steps {
                sh 'docker run myapp:latest make test'
            }
        }
    }
    post {
        always {
            sh 'docker rmi myapp:latest || true'  // clean up image
            cleanWs()  // delete workspace
        }
        success {
            slackSend(color: 'good', message: "Pipeline succeeded: ${env.JOB_NAME} ${env.BUILD_NUMBER}")
        }
        failure {
            slackSend(color: 'danger', message: "Pipeline failed: ${env.JOB_NAME} ${env.BUILD_NUMBER}")
        }
    }
}

Output

Build completed.

Test passed.

[Slack notification sent]

Interview Gold: Post vs Finally

Question: 'What's the difference between post and a try-finally block in a stage?' Answer: post runs even if the stage is aborted by a user or timeout. finally inside a script block may not run if the JVM crashes or the executor is killed. Always use post for critical cleanup.

Shared Libraries — Don't Repeat Yourself, Don't Repeat Your Pipeline

If you have multiple pipelines doing similar things (e.g., building Docker images, deploying to Kubernetes), extract the logic into a shared library. A shared library is a separate Git repo with Groovy classes and vars — global functions you can call from any Jenkinsfile. This keeps your Jenkinsfiles thin and your logic testable. I've seen teams with 50 Jenkinsfiles that all had the same 100 lines of deployment code. One bug fix required editing all 50 files. Use shared libraries.

vars/buildDockerImage.groovyDEVOPS

// io.thecodeforge — DevOps tutorial
// vars/buildDockerImage.groovy — callable from any Jenkinsfile as buildDockerImage('myapp')

def call(String imageName) {
    sh "docker build -t ${imageName}:latest ."
    sh "docker tag ${imageName}:latest ${imageName}:${env.BUILD_NUMBER}"
    sh "docker push ${imageName}:latest"
}

// Jenkinsfile using the library
@Library('my-shared-library')_

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                buildDockerImage('myapp')
            }
        }
    }
}

Output

Building Docker image...

Pushing...

Done.

Senior Shortcut: Test Your Shared Library

Write unit tests for your shared library using JenkinsPipelineUnit (a Groovy testing framework). It simulates pipeline execution without a real Jenkins. This catches serialization issues and logic errors before they hit production.

Error Handling — Don't Let a Flaky Test Block a Deploy

Use catchError to mark a stage as unstable instead of failing the whole pipeline. For example, if a flaky integration test fails, you might want to continue and let the team review later. But use this sparingly — if you catch every error, you'll mask real failures. I've seen a team that caught all errors and then wondered why broken code reached production. The rule: catch only known flaky steps, and always notify.

Jenkinsfile.errorHandlingDEVOPS

// io.thecodeforge — DevOps tutorial

pipeline {
    agent any
    stages {
        stage('Test') {
            steps {
                catchError(buildResult: 'UNSTABLE', stageResult: 'UNSTABLE') {
                    sh 'make flaky-test'
                }
            }
        }
        stage('Deploy') {
            when {
                expression { currentBuild.result != 'UNSTABLE' }
            }
            steps {
                sh 'make deploy'
            }
        }
    }
    post {
        unstable {
            slackSend(color: 'warning', message: "Pipeline unstable: ${env.JOB_NAME} ${env.BUILD_NUMBER}")
        }
    }
}

Output

Flaky test failed (but pipeline continues as UNSTABLE).

Deploy skipped because result is UNSTABLE.

[Slack warning sent]

Production Trap: Catching Too Much

If you wrap your entire pipeline in a try-catch and ignore failures, you'll deploy broken code. Only catch specific steps that are known to be flaky. Use catchError with buildResult: 'UNSTABLE' so the pipeline still shows a warning.

When Not to Use Jenkins Pipelines — Simpler Alternatives

Jenkins Pipelines are powerful, but they're overkill for simple projects. If your CI/CD needs are just 'run tests and deploy to a single server', consider GitHub Actions, GitLab CI, or even a shell script triggered by a webhook. Jenkins requires maintenance — plugin updates, JVM tuning, executor management. I've seen a startup spend more time maintaining Jenkins than writing code. Use Jenkins when you need complex workflows, multiple environments, or compliance requirements (audit logs, approval gates). Otherwise, keep it simple.

Interview Gold: When to Choose Jenkins Over GitHub Actions

Question: 'When would you use Jenkins over GitHub Actions?' Answer: Jenkins gives you full control over the execution environment, supports complex pipeline logic (parallel, conditional, shared libraries), and can run on-premises for compliance. GitHub Actions is simpler but limited to GitHub-hosted runners and less flexible for advanced workflows.

● Production incidentPOST-MORTEMseverity: high

The Pipeline That Deleted the Database

Symptom

A staging environment's database was dropped during a routine deployment. The pipeline ran successfully but the app had no data.

Assumption

Someone ran a destructive migration manually.

Root cause

The pipeline had a stage that ran sh 'dropdb myapp_staging' as a cleanup step. The when condition was misconfigured — it ran on every branch, not just feature branches. The when block used branch 'feature/*' but the actual branch was feature/foo — the glob pattern was wrong.

Fix

Changed the when condition to expression { return env.BRANCH_NAME.startsWith('feature/') } and added a manual approval step with input before any destructive action.

Key lesson

Never run destructive operations without explicit human approval and a double-checked when condition.
Test your when logic with a dry-run stage first.

Production debug guideSystematic recovery paths for the failure modes engineers actually hit.3 entries

Symptom · 01

Pipeline stuck at 'Waiting for next available executor'

→

Fix

1. Check Jenkins master's executor count under Manage Jenkins > Configure System. 2. Increase number of executors if resources allow. 3. Check if agents are online. 4. Restart any disconnected agents.

Symptom · 02

java.io.NotSerializableException on a variable

→

Fix

1. Identify the non-serializable variable (e.g., a custom class). 2. Annotate the method with @NonCPS if it doesn't need to survive restarts. 3. Or convert the variable to a serializable type (e.g., use String instead of GString).

Symptom · 03

Pipeline fails with 'script not permitted' or sandbox errors

→

Fix

1. Check if the pipeline uses methods not in the approved list. 2. Go to Manage Jenkins > In-process Script Approval. 3. Approve the specific method signatures. 4. For shared libraries, ensure they are loaded with @Library('lib')_ and the library is trusted.

Feature / Aspect	Declarative Pipeline	Scripted Pipeline
Syntax	Structured blocks (pipeline, stages, steps)	Groovy code with node, stage, steps
Ease of Learning	Easy — limited syntax	Harder — full Groovy
Serialization Issues	None — built-in	Common — must handle @NonCPS
Conditional Stages	when block (limited)	Full Groovy conditionals
Dynamic Parallelism	Static parallel block	Dynamic parallel with loops
Best For	Most projects	Complex workflows needing custom logic

Key takeaways

Start with Declarative syntax

it's safer and easier to debug. Only use Scripted when you need dynamic parallelism or complex conditionals.

Never hardcode secrets. Use Jenkins credential store and withCredentials

and never echo them.

Always clean up in post blocks, not in stage-level finally. post is guaranteed to run even on abort.

Use shared libraries to avoid duplicating pipeline logic across projects. Test them with JenkinsPipelineUnit.

INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

FAQ · 4 QUESTIONS

Frequently Asked Questions

What's the difference between Declarative and Scripted Jenkins Pipeline?

How do I pass variables between stages in a Declarative pipeline?

How do I handle credentials in a Jenkins Pipeline?

Why does my pipeline fail with 'NotSerializableException'?

Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.

✓ Verified

production tested

June 21, 2026

last updated

1,577

articles · all by Naren

🔥

That's Jenkins. Mark it forged?

3 min read · try the examples if you haven't