CI/CD overview

更新时间:
复制 MD 格式

The CI/CD feature of Security Center scans images for security risks during the build phase of your Jenkins or GitHub projects. It detects high-risk system and application vulnerabilities, viruses, webshells, malicious scripts, configuration risks, and sensitive data. Security Center also provides remediation suggestions, helping you resolve security issues earlier in the development lifecycle.

Supported editions

This feature is available only for the Advanced, Enterprise, and Ultimate editions, and for users who purchase the Value-added Plan. To use this feature, users of other editions must upgrade to one of these editions or purchase the Value-added Plan. For instructions on purchasing and upgrading Security Center, see Purchase Security Center and Upgrade and downgrade. For a detailed comparison of features across editions, see Features.

How it works

You do not need to synchronize your image assets with Security Center to use the CI/CD feature. Instead, you integrate the CI/CD plug-in with Jenkins or GitHub. After you configure the integration, an image scan automatically triggers whenever you build a project. The scan checks for security risks in the project's images, and the results appear on the CI/CD tab in the Security Center console. You can then resolve any detected security risks based on the scan results.

Use cases

You can use the Security Center CI/CD feature in the following scenarios:

  • Jenkins Freestyle

  • Jenkins Pipeline

  • GitHub Actions

System requirements

To avoid slow image scans, ensure your server meets the minimum configuration requirements.

  • Minimum configuration

    • CPU: 1 core

    • memory: 2 GB

    • storage: 60 GB

    • Network: an internet connection and access to the Alibaba Cloud service endpoint (sas.aliyuncs.com).

  • Recommended configuration

    • CPU: 4 cores

    • memory: 8 GB

    • storage: 100 GB

    • Network: an internet connection with an upstream bandwidth greater than 10 Mbps and access to the Alibaba Cloud service endpoint (sas.aliyuncs.com).

Procedure

  1. Obtain an access token for the Security Center CI/CD plug-in. For more information, see Obtain an access token.

  2. If you use a dedicated RAM user to run image scans, you must create the RAM user and attach the policy required for image scans. For more information, see Create and authorize a RAM user.

  3. Obtain the AccessKey of the Alibaba Cloud account or RAM user to run image scans. You can use an existing AccessKey or create a new one. For more information, see Create an AccessKey.

    Note

    The AccessKey secret is displayed only upon creation and cannot be retrieved. Store it securely to prevent security risks from a potential leak.

  4. Integrate the Security Center CI/CD plug-in with Jenkins or GitHub. For instructions, see the following topics:

  5. After a scan is complete, promptly review the results and use the provided remediation suggestions to resolve any security risks found in your images. For more information, see View image scan results.