diff --git a/Dockerfile b/Dockerfile
index 58c5a65da378c7679056b3cc6e6f459b2fb83c0f..92e42646ce3c8012bcea129e7d8b8e528eb4fd6a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -63,13 +63,15 @@ USER ${user}
 COPY --from=jenkins /usr/local/bin/jenkins-support /usr/local/bin/jenkins-support
 COPY scripts/jenkins.sh /usr/local/bin/jenkins.sh
+COPY jenkins-plugin-manager.jar /opt
 COPY --from=jenkins /bin/tini /bin/tini
 COPY --from=jenkins /sbin/tini /sbin/tini
+COPY scripts/plugins.sh /usr/local/bin/plugins.sh
+COPY scripts/install-plugins.sh /usr/local/bin/install-plugins.sh
+COPY scripts/jenkins-plugin-cli.sh /bin/jenkins-plugin-cli
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD curl -I -f --max-time 5 http://localhost:8080/login?from=%2F || exit 1
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/jenkins.sh"]
 # from a derived Dockerfile, can use `RUN plugins.sh active.txt` to setup $REF/plugins from a support bundle
-COPY scripts/plugins.sh /usr/local/bin/plugins.sh
-COPY scripts/install-plugins.sh /usr/local/bin/install-plugins.sh
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 3892f7e7753c6a1d51890757e5afcee935645a23..2d4ce4d464914a9b8f9e590f4d73c350b00e039a 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -39,6 +39,11 @@ labels:
 resources:
 - url: "docker://docker.io/jenkins/jenkins@sha256:a9cf9e95587179d843e1e9817ac2c1246c44935d5b8222b3a742114ffd88fc9a"
 tag: "jenkins/jenkins:2.289.2-centos"
+- filename: jenkins-plugin-manager.jar
+ url: https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.10.0/jenkins-plugin-manager-2.10.0.jar
+ validation:
+ type: sha256
+ value: fd52046f8167355754471cf9d817986eb8b43f1832b7bac7c36eded65821f2c1
 # List of project maintainers
 # FIXME: Fill in the following details for the current container owner in the whitelist
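Review bot: In the Dockerfile hunk, `COPY scripts/jenkins-plugin-cli.sh /bin/jenkins-plugin-cli` installs a script that this same commit adds with `new file mode 100644`, and COPY keeps the source permission bits, so `/bin/jenkins-plugin-cli` will probably not be executable in the image unless something outside the hunk changes its mode. Either commit the script with the executable bit set or set the mode at copy time, for example `COPY --chmod=0755 scripts/jenkins-plugin-cli.sh /bin/jenkins-plugin-cli` if the builder in use supports that flag. The hunk header shows `USER ${user}` already in effect, and a COPY without `--chown` yields root-owned files, so a later `RUN chmod` as that user would presumably fail. Keeping the jar and scripts root-owned is worth preserving, because the running service account then cannot overwrite them.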
diff --git a/scripts/jenkins-plugin-cli.sh b/scripts/jenkins-plugin-cli.sh
new file mode 100644
index 0000000000000000000000000000000000000000..ed6759d09e588269791982240617afd20501bf09
--- /dev/null
+++ b/scripts/jenkins-plugin-cli.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /bin/bash -c "java $JAVA_OPTS -jar /opt/jenkins-plugin-manager.jar $*"
\ No newline at end of file
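Review bot: The added `exec /bin/bash -c "java $JAVA_OPTS -jar /opt/jenkins-plugin-manager.jar $*"` flattens every argument into one string and has a second shell parse it again. An argument containing spaces is therefore re-split, and shell metacharacters in an argument (for instance a plugin list or option value taken from a build argument or file the image author does not control) are interpreted as shell syntax instead of reaching the tool as data. Passing the arguments through unchanged avoids both problems: `exec java $JAVA_OPTS -jar /opt/jenkins-plugin-manager.jar "$@"`. `$JAVA_OPTS` stays unquoted there so it still splits into separate options, but quotes embedded in it would no longer be re-parsed, so check that nothing relies on that. The file also ends without a trailing newline.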