JENKINS_HOME is Jenkins’ main data directory. It holds persistent state such as configuration files, job definitions, build history, plugin data, and other controller-side files that Jenkins needs to run. In practice, it is the filesystem root of the Jenkins instance, and its contents define much of the server’s behavior.
In cyber security, JENKINS_HOME matters because it is a high-value trust boundary. If an attacker can read or modify files there, they may steal credentials, alter pipelines, or plant malicious configuration that affects builds and deployments. Many Jenkins attacks focus on this directory because it contains both operational data and sensitive automation state. Defenses include strict OS permissions, limiting shell access, isolating the controller, encrypting secrets at rest, and monitoring for unexpected changes to config and plugin files.



