
Security Center:Install the CI/CD plug-in for GitHub Actions

Last Updated:Mar 31, 2026

Security Center allows you to install the CI/CD plug-in on GitHub. After you install the CI/CD plug-in, Security Center scans images in GitHub when you build the images.

Prerequisites

Before you begin, make sure you have:

  • A GitHub repository with an existing Actions workflow

  • A CI/CD plug-in token from Security Center. See Obtain a token of the CI/CD plug-in. Store this token as a GitHub encrypted secret (SAS_TOKEN).

  • An AccessKey ID and AccessKey secret for a RAM user. Store both values as GitHub encrypted secrets (ACCESSKEYID and ACCESSKEYSECRET).

Important

Use a RAM user's AccessKey ID and AccessKey secret instead of your Alibaba Cloud account credentials. Account-level credentials grant full permissions across all resources — keep them confidential and out of any external channel.

Add the image scanning step to your workflow

  1. Log on to GitHub.

  2. Click your profile picture in the upper-right corner and select Your repositories from the drop-down list.

  3. On the Repositories tab, click the repository you want to configure.

  4. Click the Actions tab.

  5. In the All workflows section, find the target pipeline file and click the More icon in the Actor column.

  6. Select View workflow file.

  7. In the Workflow file for this run section, add the scanning step based on the following example:

    name: Docker build and scan security issue by sas-image-scanner
    
    on:
      push:
        branches: [ main ]
      pull_request:
        branches: [ main ]
    
    env:
      REPO_TAG: your_docker_image_repo:your_docker_image_tag
    
    jobs:
    
      build:
    
        runs-on: ubuntu-latest
    
        steps:
        - uses: actions/checkout@v2
        - name: Build the Docker image
          run: docker build . --file Dockerfile --tag ${{ env.REPO_TAG }}
        - name: Scan image by sas-image-scanner
          run: >
              docker run --rm -v /var/run/docker.sock:/var/run/docker.sock --network=host
              sas-image-scanner-registry.cn-hangzhou.cr.aliyuncs.com/sas_public/sas-image-scanner:latest
              --accessKeyId=${{ secrets.ACCESSKEYID }} --accessKeySecret=${{ secrets.ACCESSKEYSECRET }}
              --token=${{ secrets.SAS_TOKEN }} --imageId=${{ env.REPO_TAG }}

    The following table describes the parameters.

    Parameter         Required  Default  Description
    accessKeyId       Yes       -        AccessKey ID of your RAM user.
    accessKeySecret   Yes       -        AccessKey secret of your RAM user.
    token             Yes       -        Token of the CI/CD plug-in.
    imageId           Yes       -        Image ID or image repository tag. By default, images are scanned locally. To scan a remote image, set this to the image repository tag and also configure registryUrl, registryUsername, and registryPwd.
    domain            No        (none)   Endpoint of Security Center. Set to tds.ap-southeast-1.aliyuncs.com.
    registryUrl       No        (none)   URL of the remote image repository. Required when scanning remote images.
    registryUsername  No        (none)   Username for the remote image repository. Required when scanning remote images.
    registryPwd       No        (none)   Password for the remote image repository. Required when scanning remote images.

After you complete the configurations, Security Center scans images in the project for risks when you build the project.
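The workflow above passes the scanner parameters directly on the command line. The following shell script is an added example, not part of this documentation or of the sas-image-scanner product: it assembles the same argument list from values supplied by the calling step and enforces the rule from the parameter table that a remote scan needs registryUrl, registryUsername, and registryPwd together. The scanner image and parameter names are the ones shown in the workflow example; the function names (build_scan_args, run_scan) and the positional argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): build and validate the
# sas-image-scanner argument list before invoking the scanner container.

# Scanner image from the workflow example above.
SCANNER_IMAGE="sas-image-scanner-registry.cn-hangzhou.cr.aliyuncs.com/sas_public/sas-image-scanner:latest"

# build_scan_args KEY_ID KEY_SECRET TOKEN IMAGE_ID [REGISTRY_URL REGISTRY_USER REGISTRY_PWD [DOMAIN]]
# Prints the scanner arguments on stdout; returns 1 (with a message on stderr)
# when a required parameter is missing or a remote scan is only partly configured.
build_scan_args() {
  key_id="$1"; key_secret="$2"; token="$3"; image_id="$4"
  registry_url="$5"; registry_user="$6"; registry_pwd="$7"; domain="$8"

  # accessKeyId, accessKeySecret, token and imageId are always required.
  for v in "$key_id" "$key_secret" "$token" "$image_id"; do
    if [ -z "$v" ]; then
      echo "accessKeyId, accessKeySecret, token and imageId are all required" >&2
      return 1
    fi
  done

  args="--accessKeyId=$key_id --accessKeySecret=$key_secret --token=$token --imageId=$image_id"

  # Remote scan: if any registry parameter is given, all three must be present.
  if [ -n "$registry_url" ] || [ -n "$registry_user" ] || [ -n "$registry_pwd" ]; then
    if [ -z "$registry_url" ] || [ -z "$registry_user" ] || [ -z "$registry_pwd" ]; then
      echo "remote scan needs registryUrl, registryUsername and registryPwd together" >&2
      return 1
    fi
    args="$args --registryUrl=$registry_url --registryUsername=$registry_user --registryPwd=$registry_pwd"
  fi

  # Optional Security Center endpoint override.
  if [ -n "$domain" ]; then
    args="$args --domain=$domain"
  fi

  printf '%s\n' "$args"
}

# run_scan: same positional arguments as build_scan_args. Validates first, then
# runs the scanner container exactly as the workflow step does.
run_scan() {
  args="$(build_scan_args "$@")" || return 1
  # Word splitting of $args is intended; the values are single tokens.
  # shellcheck disable=SC2086
  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock --network=host \
    "$SCANNER_IMAGE" $args
}

# Usage inside a GitHub Actions step (values come from secrets/env, as in the workflow):
#   run_scan "$ACCESSKEYID" "$ACCESSKEYSECRET" "$SAS_TOKEN" "$REPO_TAG"
```

Because the function fails before `docker run` is reached, a mis-configured remote scan produces a clear error in the job log instead of a scanner invocation that cannot reach the registry. The same secrets are still passed on the scanner's command line, as the documented workflow does; keep them in GitHub encrypted secrets so the Actions log masks them.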

What's next

View scan results on the Container tab of the Assets page in the Security Center console. See View image scan results.