diff --git a/core/src/main/resources/jenkins/security/s2m/filepath-filter.conf b/core/src/main/resources/jenkins/security/s2m/filepath-filter.conf
index faa7cffa1623..7e4f5308c99a 100644
--- a/core/src/main/resources/jenkins/security/s2m/filepath-filter.conf
+++ b/core/src/main/resources/jenkins/security/s2m/filepath-filter.conf
@@ -23,6 +23,9 @@ allow read,stat /userContent($|/.*)
 # In the next rule we grant general access under build directories, so first we protect
 # the actual build record that Jenkins core reads, which nothing should be touching.
 deny all /build.xml
+# Similarly for Pipeline build (WorkflowRun) metadata:
+deny all /program.dat
+deny all /workflow($|/.*)
 # Various plugins read/write files under build directories, so allow them all.
 # - git 1.x writes changelog.xml from the slave (2.x writes from the master so need not be listed)
diff --git a/test/src/test/java/jenkins/security/s2m/AdminFilePathFilterTest.java b/test/src/test/java/jenkins/security/s2m/AdminFilePathFilterTest.java
new file mode 100644
index 000000000000..4df4df76ca18
--- /dev/null
+++ b/test/src/test/java/jenkins/security/s2m/AdminFilePathFilterTest.java
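Review bot: In filepath-filter.conf the added `deny all /program.dat` and `deny all /workflow($|/.*)` only take effect because they precede the general build-directory allow that the context comment announces, and the new comment line does not record that ordering dependency or why these two names matter. I would expand it to something like `# Pipeline (WorkflowRun) state kept in the build directory; like build.xml, agents must never touch it, so keep these denies above the general allow below.` Since everything else under a build directory remains allowed, any other file the master later reads back from there is agent-writable until it is listed, which is worth stating next to the list. The allow rule itself starts after the last context line of this hunk, so its pattern is not visible here.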
@@ -0,0 +1,60 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2016 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.security.s2m;
+
+import java.io.File;
+import javax.inject.Inject;
+import static org.junit.Assert.*;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+
+public class AdminFilePathFilterTest {
+
+ @Rule
+ public JenkinsRule r = new JenkinsRule();
+
+ @Inject
+ AdminWhitelistRule rule;
+
+ @Before
+ public void setUp() {
+ r.jenkins.getInjector().injectMembers(this);
+ rule.setMasterKillSwitch(false);
+ }
+
+ // TODO in master when using a version taking a String[]: @Issue({"JENKINS-27055", "SECURITY-358"})
+ @Test
+ public void matchBuildDir() throws Exception {
+ File buildDir = r.buildAndAssertSuccess(r.createFreeStyleProject()).getRootDir();
+ assertTrue(rule.checkFileAccess("write", new File(buildDir, "whatever")));
+ assertFalse(rule.checkFileAccess("write", new File(buildDir, "build.xml")));
+ // WorkflowRun:
+ assertFalse(rule.checkFileAccess("write", new File(buildDir, "program.dat")));
+ assertFalse(rule.checkFileAccess("write", new File(buildDir, "workflow/23.xml")));
+ }
+
+}
diff --git a/test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java b/test/src/test/java/jenkins/security/s2m/DefaultFilePathFilterTest.java
similarity index 89%
rename from test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
rename to test/src/test/java/jenkins/security/s2m/DefaultFilePathFilterTest.java
index 6a91ec7db5fd..8dd83964cdeb 100644
--- a/test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
+++ b/test/src/test/java/jenkins/security/s2m/DefaultFilePathFilterTest.java
@@ -22,7 +22,7 @@
 * THE SOFTWARE.
 */
-package jenkins.security;
+package jenkins.security.s2m;
 import hudson.FilePath;
 import hudson.model.Slave;
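Review bot: In AdminFilePathFilterTest.matchBuildDir every assertion uses the `write` operation, although the rules under test are `deny all`, and nothing checks the bare `workflow` directory that the `$` branch of `/workflow($|/.*)` exists for. Adding `assertFalse(rule.checkFileAccess("read", new File(buildDir, "program.dat")));` and `assertFalse(rule.checkFileAccess("write", new File(buildDir, "workflow")));` would pin both, assuming no earlier rule in the file grants read on these paths. Without them, a later edit that narrows the deny to writes or drops the directory-itself case would still pass. The build directory comes from a freestyle project with synthetic file names, so a one-line comment such as `// File names mirror WorkflowRun's layout; no Pipeline build is actually run.` would make that explicit.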
@@ -31,8 +31,6 @@ import java.io.PrintWriter;
 import java.io.StringWriter;
-import jenkins.security.s2m.AdminWhitelistRule;
-import jenkins.security.s2m.DefaultFilePathFilter;
 import org.jenkinsci.remoting.RoleChecker;
 import org.junit.Before;
 import org.junit.Test;
@@ -41,7 +39,6 @@ import org.jvnet.hudson.test.JenkinsRule;
 import javax.inject.Inject;
-import org.jvnet.hudson.test.Issue;
 public class DefaultFilePathFilterTest {
@@ -112,11 +109,4 @@ public void checkRoles(RoleChecker checker) throws SecurityException {
 }
 }
- @Issue("JENKINS-27055")
- @Test public void matchBuildDir() throws Exception {
- File f = new File(r.buildAndAssertSuccess(r.createFreeStyleProject()).getRootDir(), "whatever");
- rule.setMasterKillSwitch(false);
- assertTrue(rule.checkFileAccess("write", f));
- }
-
 }