Security Center provides CI/CD-based container image scan to detect image risks early and efficiently. The feature runs during the project build stage on Jenkins and GitHub, so an image is checked before it leaves the pipeline. It can detect high-risk system vulnerabilities, application vulnerabilities, viruses, webshells, execution of malicious scripts, and configuration risks, and it helps you identify sensitive data in images. For each detected risk, the feature also provides a solution.
Limits
Only the Advanced, Enterprise, Ultimate, and Value-added Plan editions of Security Center support the feature. If the edition of your Security Center is Basic or Anti-virus, upgrade the edition. For information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For information about the features that each edition supports, see Functions and features.
Implementation
To use CI/CD-based container image scan, you only need to install the CI/CD plug-in on Jenkins or GitHub. Security Center then automatically scans the images that your Jenkins or GitHub projects build; you do not need to synchronize the images to Security Center for the scan. After a scan is complete, the result is displayed on the CI/CD tab of the Assets page in the Security Center console, where you can handle the detected image risks.
Scenarios
The following list describes the scenarios in which you can use CI/CD-based container image scan:
Jenkins Freestyle project
Jenkins Pipeline project
GitHub Actions
Prerequisites
The server on which the build and scan run (the Jenkins node or the GitHub Actions runner) meets at least the minimum configuration requirements below. A server below these requirements makes image scans slow.
Minimum configuration settings
Number of vCPUs: 1.
Memory: 2 GB.
Storage capacity: 60 GB.
Network: The server has outbound Internet access and can reach the Alibaba Cloud service endpoint tds.ap-southeast-1.aliyuncs.com.
Optimal configuration settings
Number of vCPUs: 4.
Memory: 8 GB.
Storage capacity: 100 GB.
Network: The server has outbound Internet access and can reach the Alibaba Cloud service endpoint tds.ap-southeast-1.aliyuncs.com. The upstream bandwidth is greater than 10 Mbit/s.
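The following pre-flight script is an added example for checking a build server against the minimum configuration above before the plug-in is installed; it is not part of the Security Center plug-in or of this documentation. The thresholds and the endpoint tds.ap-southeast-1.aliyuncs.com come from the requirements listed above; the function names (check_resources, host_resources, check_endpoint, preflight) are this example's own. The disk check uses free space on the workspace path, which is the stricter reading of the storage requirement, and the endpoint check only confirms that a TLS connection to port 443 can be opened, which is what an egress firewall or proxy would block.

```shell
#!/bin/sh
# Added pre-flight check for a Jenkins node or GitHub Actions runner that will
# run the Security Center CI/CD image scan. Thresholds are the "Minimum
# configuration settings" from the documentation; all names here are the
# example's own and not plug-in options.

TDS_ENDPOINT="tds.ap-southeast-1.aliyuncs.com"
MIN_CPUS=1
MIN_MEM_GB=2
MIN_DISK_GB=60

# check_resources CPUS MEM_GB DISK_GB
# Returns 0 when every value meets the minimum, 1 otherwise. It is a pure
# function of its arguments so it can be exercised without probing the host.
check_resources() {
    cpus=$1; mem_gb=$2; disk_gb=$3
    rc=0
    [ "$cpus" -ge "$MIN_CPUS" ] || { echo "FAIL: $cpus vCPU(s), need at least $MIN_CPUS"; rc=1; }
    [ "$mem_gb" -ge "$MIN_MEM_GB" ] || { echo "FAIL: ${mem_gb} GB RAM, need at least $MIN_MEM_GB GB"; rc=1; }
    [ "$disk_gb" -ge "$MIN_DISK_GB" ] || { echo "FAIL: ${disk_gb} GB free disk, need at least $MIN_DISK_GB GB"; rc=1; }
    return $rc
}

# host_resources [PATH]
# Prints "CPUS MEM_GB DISK_GB" for the current Linux host; DISK_GB is the free
# space on PATH (default: current directory, i.e. the build workspace).
host_resources() {
    cpus=$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN)
    mem_gb=$(awk '/^MemTotal:/ {printf "%d", $2/1024/1024}' /proc/meminfo)
    disk_gb=$(df -Pk "${1:-.}" | awk 'NR==2 {printf "%d", $4/1024/1024}')
    echo "$cpus $mem_gb $disk_gb"
}

# check_endpoint HOST [PORT]
# Returns 0 if a TLS connection to HOST:PORT (default 443) opens within 5 s.
# Any HTTP status is acceptable here; only reachability matters.
check_endpoint() {
    host=$1; port=${2:-443}
    if curl -sS --connect-timeout 5 -o /dev/null "https://$host:$port/" 2>/dev/null; then
        echo "OK: $host:$port is reachable"
        return 0
    fi
    echo "FAIL: cannot reach $host:$port (check egress rules, proxy settings, DNS)"
    return 1
}

# preflight [WORKSPACE_PATH]
# Runs both checks against the live host; non-zero exit fails the build step.
preflight() {
    set -- $(host_resources "$1")
    check_resources "$1" "$2" "$3" && check_endpoint "$TDS_ENDPOINT"
}
```

Run `preflight /var/lib/jenkins/workspace` (or the runner's workspace path) as the first step of the job; a non-zero exit stops the pipeline before the scan starts rather than letting an undersized or firewalled node time out mid-scan.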
Procedure
Obtain the access token of the CI/CD plug-in of Security Center. For more information, see Obtain a token.
If you want to use a RAM user instead of the Alibaba Cloud account to create image scan tasks in Security Center, create a RAM user and attach to it only the policy required for Security Center image scans, so that the credentials exposed to the CI system carry no more permissions than the scan needs. For more information, see Create a RAM user and grant permissions to the RAM user.
Obtain the AccessKey pair of the Alibaba Cloud account or RAM user that is used to create image scan tasks in Security Center. Store the AccessKey pair and the plug-in token in the credential store of your CI system (Jenkins credentials or GitHub Actions secrets) rather than in build scripts committed to the repository. For more information, see View the information about AccessKey pairs of a RAM user.
Integrate the CI/CD plug-in of Security Center into Jenkins or GitHub. For more information, see the integration topics for Jenkins Freestyle projects, Jenkins Pipeline projects, and GitHub Actions.
View the image scan results and handle the security risks of the image based on the solutions provided by Security Center. For more information, see View image scan results.