To install the Security Center CI/CD plug-in on Jenkins or GitHub, complete these two setup tasks:
Generate a plug-in token in the Security Center console.
Create a dedicated Resource Access Management (RAM) user with the minimum permissions required for container image scanning.
Prerequisites
Before you begin, ensure that you have:
Access to the Security Center console
Permission to create RAM users and attach custom policies
Obtain a token
Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > CI/CD Integration Settings.
Click Integration Configuration to open the Integration Configuration panel.
Click Add Token, enter a name for the token (up to 64 characters), and click OK.
The token appears in the Token column of the CI/CD Plug-in list in the Integration Configuration panel.
Set up a RAM user for CI/CD
Use a dedicated RAM user — not a personal Alibaba Cloud account — for CI/CD automation. If the account owner changes roles or leaves, a dedicated RAM user ensures the pipeline keeps running without interruption.
If you already have a RAM user with the permissions listed below, skip to step 3 and attach the policy to that user.
1. Create a RAM user. In the Access Mode section, select OpenAPI Access.
2. Create a custom policy on the JSON tab. Copy the following policy document into the code editor:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "yundun-sas:CreateJenkinsImageScanTask",
            "yundun-sas:ListImageAnalysisRuleProject",
            "yundun-sas:SubmitImageAnalysisOutput",
            "yundun-sas:UpdateJenkinsImageScanTaskStatus",
            "yundun-sas:UploadAnalyzerRuntimeLog",
            "yundun-sas:CreateBatchUploadURL"
          ],
          "Resource": "*"
        }
      ]
    }
3. Grant the permissions to the RAM user by attaching the policy you created.
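As an added example (not part of the Security Center documentation or the plug-in), this Python check compares a RAM policy document against the six actions in the policy above and reports any Allow grant beyond them, which catches drift if the CI/CD user's policy is edited later. The function names and the drifted sample policy are constructed for illustration.

```python
import json

# The six actions from the policy document on this page.
BASELINE = frozenset({
    "yundun-sas:CreateJenkinsImageScanTask",
    "yundun-sas:ListImageAnalysisRuleProject",
    "yundun-sas:SubmitImageAnalysisOutput",
    "yundun-sas:UpdateJenkinsImageScanTaskStatus",
    "yundun-sas:UploadAnalyzerRuntimeLog",
    "yundun-sas:CreateBatchUploadURL",
})

def as_list(value):
    """Policy elements may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def audit_policy(policy_text):
    """Return (excess, missing): Allow grants beyond the baseline, and
    baseline actions that are not explicitly listed."""
    policy = json.loads(policy_text)
    granted, excess = set(), []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = as_list(stmt.get("Action"))
        if not actions:
            excess.append(f"statement {i}: Allow without an Action list, review by hand")
        for action in actions:
            if action in BASELINE:
                granted.add(action)
            elif "*" in action:
                excess.append(f"statement {i}: wildcard action {action!r}")
            else:
                excess.append(f"statement {i}: action {action!r} is not in the baseline")
    return excess, sorted(BASELINE - granted)

# Constructed sample: the page's policy with one wildcard added and one action dropped.
DRIFTED = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": sorted(BASELINE - {"yundun-sas:CreateBatchUploadURL"}) + ["yundun-sas:*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ram:*"},
]})

if __name__ == "__main__":
    excess, missing = audit_policy(DRIFTED)
    for finding in excess:
        print("EXCESS ", finding)
    for action in missing:
        print("MISSING", action)
```

An empty `excess` list means the policy grants nothing beyond the page's minimum set; a non-empty `missing` list means the plug-in may lack a permission it needs.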
What's next
Use the token and the RAM user's AccessKey pair when configuring the CI/CD plug-in on Jenkins or GitHub.