Security Center allows you to install the CI/CD plug-in on GitHub. After you install the CI/CD plug-in, Security Center scans images in GitHub when you build the images. This topic describes how to install the CI/CD plug-in on GitHub.

Procedure

  1. Log on to GitHub.
  2. Click the profile picture in the upper-right corner and select Your repositories from the drop-down list that appears.
  3. On the Repositories tab, click the repository for which you want to install the CI/CD plug-in.
  4. Click the Actions tab.
  5. In the All workflows section, find the workflow file for which you want to install the CI/CD plug-in and click the More icon in the Actor column.
  6. In the drop-down list, select View workflow file.
  7. In the Workflow file for this run section, configure the parameters based on the following example:
    name: Docker build and scan security issue by sas-image-scanner
    
    on:
      push:
        branches: [ main ]
      pull_request:
        branches: [ main ]
    
    env:
      REPO_TAG: your_docker_image_repo:your_docker_image_tag
    
    jobs:
    
      build:
    
        runs-on: ubuntu-latest
    
        steps:
        - uses: actions/checkout@v2
        - name: Build the Docker image
          run: docker build . --file Dockerfile --tag ${{ env.REPO_TAG }}
        - name: Scan image by sas-image-scanner
          run: >
              docker run --rm -v /var/run/docker.sock:/var/run/docker.sock --network=host
              sas-image-scanner-registry.cn-hangzhou.cr.aliyuncs.com/sas_public/sas-image-scanner:latest
              --accessKeyId=${{ secrets.ACCESSKEYID }} --accessKeySecret=${{ secrets.ACCESSKEYSECRET }}
              --token=${{ secrets.SAS_TOKEN }} --imageId=${{ env.REPO_TAG }}
    The following table describes the parameters.

    Parameter: accessKeyId
    Required: Yes
    Description: The AccessKey ID of your Alibaba Cloud account or of a RAM user within that account.
    Notice: We recommend that you enter the AccessKey ID of a RAM user. The AccessKey pair of an Alibaba Cloud account consists of the AccessKey ID and the AccessKey secret, and it grants full permissions on all resources within the account. Keep the AccessKey pair confidential and do not disclose it to external channels, so that it cannot be misused. Follow the Alibaba Cloud best practice of using the AccessKey pair of a RAM user to call API operations.

    Parameter: accessKeySecret
    Required: Yes
    Description: The AccessKey secret of your Alibaba Cloud account or of a RAM user within that account.
    Notice: The notice for accessKeyId applies here as well: enter the AccessKey secret of a RAM user, and keep the AccessKey pair confidential.

    Parameter: token
    Required: Yes
    Description: A token of the CI/CD plug-in. For more information about how to obtain one, see Obtain a token of the CI/CD plug-in.

    Parameter: imageId
    Required: Yes
    Description: The ID of the image that you want to scan. By default, images are scanned locally.
    • To scan a local image, set this parameter to the ID of the image or to the tag of the image repository to which the image belongs.
    • To scan remote images, configure the registryUrl parameter or set this parameter to the tag of the image repository to which the images belong.
      Notice: To scan images in a remote image repository, you must configure the registryUrl, registryUsername, and registryPassword parameters.

    Parameter: domain
    Required: No
    Description: The endpoint of Security Center. Set the value to tds.ap-southeast-1.aliyuncs.com.

    Parameter: registryUrl
    Required: No
    Description: The URL of the image repository.
    Notice: Required if you want to scan the images in a remote image repository.

    Parameter: registryUsername
    Required: No
    Description: The username used to log on to the image repository.
    Notice: Required if you want to scan the images in a remote image repository.

    Parameter: registryPwd
    Required: No
    Description: The password used to log on to the image repository.
    Notice: Required if you want to scan the images in a remote image repository.

    After you complete the configuration, Security Center scans the images in the project for risks whenever the project is built.
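Added here as a worked example (it is not from the Security Center documentation or the scanner project): a POSIX shell wrapper for the scan step that applies the parameter rules from the table above before the scanner runs, failing the job when a required value is missing or when only some of the three registry settings are set, and keeping the assembled arguments out of the job log. The environment variable names and the choice of --registryPwd (the page names the password parameter both registryPwd and registryPassword) are assumptions.

```shell
# Added example, not part of the Security Center documentation or the scanner itself.
# Assembles the sas-image-scanner arguments from workflow environment variables and
# enforces the rules from the parameter table before any credential leaves the runner.
# Assumptions: flag names as shown in the workflow and table above (password flag taken
# as --registryPwd); the variable names ACCESSKEYID, ACCESSKEYSECRET, SAS_TOKEN, REPO_TAG,
# SAS_DOMAIN, REGISTRY_URL, REGISTRY_USERNAME and REGISTRY_PWD are this example's own.

SCANNER_IMAGE="sas-image-scanner-registry.cn-hangzhou.cr.aliyuncs.com/sas_public/sas-image-scanner:latest"

# Print one scanner argument per line on stdout, or return 1 with the reason on stderr.
# The caller captures the output and never echoes it, so secrets stay out of the job log.
build_scan_args() {
    missing=""
    [ -n "${ACCESSKEYID:-}" ]     || missing="$missing ACCESSKEYID"
    [ -n "${ACCESSKEYSECRET:-}" ] || missing="$missing ACCESSKEYSECRET"
    [ -n "${SAS_TOKEN:-}" ]       || missing="$missing SAS_TOKEN"
    [ -n "${REPO_TAG:-}" ]        || missing="$missing REPO_TAG"
    if [ -n "$missing" ]; then
        echo "scan aborted, required settings missing:$missing" >&2
        return 1
    fi
    # Remote scan: the table requires URL, username and password together.
    if [ -n "${REGISTRY_URL:-}${REGISTRY_USERNAME:-}${REGISTRY_PWD:-}" ]; then
        if [ -z "${REGISTRY_URL:-}" ] || [ -z "${REGISTRY_USERNAME:-}" ] || [ -z "${REGISTRY_PWD:-}" ]; then
            echo "scan aborted: registryUrl, registryUsername and registryPwd must all be set" >&2
            return 1
        fi
    fi
    printf '%s\n' "--accessKeyId=$ACCESSKEYID" "--accessKeySecret=$ACCESSKEYSECRET" \
        "--token=$SAS_TOKEN" "--imageId=$REPO_TAG"
    [ -z "${SAS_DOMAIN:-}" ] || printf '%s\n' "--domain=$SAS_DOMAIN"
    [ -z "${REGISTRY_URL:-}" ] || printf '%s\n' "--registryUrl=$REGISTRY_URL" \
        "--registryUsername=$REGISTRY_USERNAME" "--registryPwd=$REGISTRY_PWD"
}

# Validate first, then hand the arguments to the scanner container as the workflow does.
run_scan() {
    args=$(build_scan_args) || return 1
    old_ifs=$IFS
    IFS='
'
    # Split the captured lines into positional parameters (one argument per line).
    set -- $args
    IFS=$old_ifs
    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock --network=host \
        "$SCANNER_IMAGE" "$@"
}
```

In the workflow, replace the inline docker run with `run: sh scan.sh` (or source the functions and call run_scan) and pass the secrets through `env:` so that GitHub's secret masking still applies to anything the scanner prints.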

What to do next

You can view image scan results on the Container tab of the Assets page in the Security Center console. For more information, see View image scan results.