Security Center integrates with Jenkins to scan container images for vulnerabilities automatically on every build. This topic describes how to download the plug-in from Security Center, install it on Jenkins, and configure image vulnerability scanning for a Freestyle project.
To complete the setup, follow these steps in order:
Prerequisites
Before you begin, ensure that you have:
Jenkins 1.625.3 or later installed
Access to the Security Center console with permission to view CI/CD integration settings
An Alibaba Cloud AccessKey ID and AccessKey secret for a RAM user with the required Security Center permissions
A CI/CD plug-in token. To get one, see Obtain a token of the CI/CD plug-in
Download the CI/CD plug-in
Log on to the Security Center console. In the top navigation bar, select the region of the asset you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Container Protection > CI/CD Integration Settings.
Click Integration Configuration.
In the Integration Configuration panel, click Download Plug-in in the upper-right corner.
The plug-in file (sas-jenkins-plugin) downloads to your computer in HPI format.
Install the CI/CD plug-in on Jenkins
The following steps use Jenkins 2.479.1 as an example.
Log on to Jenkins.
In the left-side navigation pane, click Manage Jenkins.
On the Manage Jenkins page, click Plugins.

On the Plugins page, click Advanced settings.
In the Deploy Plugin section, click Choose File and select the sas-jenkins-plugin file you downloaded.
Click Deploy.
Restart Jenkins.
Important: The plug-in takes effect only after Jenkins restarts.

Configure image scans
The following steps use Jenkins 2.479.1 as an example.
Log on to Jenkins.
Find the Freestyle project whose images you want to scan, then click the project name.
In the left-side navigation pane, click Configure.
In the Build Steps section, click Build Steps and select Image vulnerability scan from the drop-down list.
In the Image vulnerability scan section, configure the following parameters.
| Parameter | Required | Description |
| --- | --- | --- |
| AccessKeyId | Yes | The AccessKey ID of a RAM user. Use a RAM user's AccessKey ID rather than the root account's. |
| AccessKeySecret | Yes | The AccessKey secret of a RAM user. Use a RAM user's AccessKey secret rather than the root account's. |
| Token | Yes | The token of the CI/CD plug-in. To get a token, see Obtain a token of the CI/CD plug-in. |
| ImageId | Yes | The IDs of the images to scan, or the tag of the image repository. |
| Domain | Yes | The API endpoint. For regions outside China, set this to tds.ap-southeast-1.aliyuncs.com. |
| RegistryUrl | No (required for remote repositories) | The URL of the image repository. Required when scanning images in a remote image repository. |
| RegistryUsername | No (required for remote repositories) | The username to log on to the image repository. Required when scanning images in a remote image repository. |
| RegistryPwd | No (required for remote repositories) | The password to log on to the image repository. Required when scanning images in a remote image repository. |

Click Save.
Security Center now scans images in the project for vulnerabilities each time the project builds.
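The parameter rules in the table above can be checked before you save the build step. The following script is an added example, not part of the plug-in or of Security Center: the parameter names and the outside-China endpoint come from the table, while the function name check_scan_params, its two flags, and all sample values are assumptions made for illustration.

```python
# Added example: pre-flight check for the "Image vulnerability scan" parameters.
# Parameter names and the outside-China endpoint come from the table above;
# check_scan_params, its flags and the sample values are assumptions.

REQUIRED = ("AccessKeyId", "AccessKeySecret", "Token", "ImageId", "Domain")
REGISTRY = ("RegistryUrl", "RegistryUsername", "RegistryPwd")
OUTSIDE_CHINA_DOMAIN = "tds.ap-southeast-1.aliyuncs.com"


def check_scan_params(params, outside_china=False, remote_registry=False):
    """Return a list of problems; an empty list means nothing was found."""
    problems = []
    raw = {n: params.get(n) or "" for n in REQUIRED + REGISTRY}
    clean = {n: v.strip() for n, v in raw.items()}

    for name in REQUIRED:
        if not clean[name]:
            problems.append(f"{name} is required")
    # A pasted value with stray spaces or newlines differs from the issued one.
    for name, value in raw.items():
        if clean[name] and value != clean[name]:
            problems.append(f"{name} has leading or trailing whitespace")

    if outside_china and clean["Domain"] and clean["Domain"] != OUTSIDE_CHINA_DOMAIN:
        problems.append(f"Domain must be {OUTSIDE_CHINA_DOMAIN} outside China")

    # The three Registry* fields are each required for a remote repository.
    missing = [n for n in REGISTRY if not clean[n]]
    if remote_registry:
        problems += [f"{n} is required for a remote repository" for n in missing]
    elif missing and len(missing) < len(REGISTRY):
        problems.append("partial registry settings, missing: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    sample = {  # constructed values, not real credentials
        "AccessKeyId": "EXAMPLE_KEY_ID",
        "AccessKeySecret": "EXAMPLE_KEY_SECRET ",  # trailing space on purpose
        "Token": "EXAMPLE_TOKEN",
        "ImageId": "EXAMPLE_IMAGE_ID",
        "Domain": "tds.example.invalid",
        "RegistryUrl": "registry.example.invalid",
    }
    for problem in check_scan_params(sample, outside_china=True, remote_registry=True):
        print(problem)
```

The script only reports problems and never prints the parameter values, so its output can appear in a build log without exposing the AccessKey secret or the registry password.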
What's next
After the plug-in is configured, view the scan results to identify and remediate image vulnerabilities. See View image scan results.