Alibaba Cloud Security Center Multi-Account Management and Baseline Report Export

Use aliyun CLI and Python scripts to manage multiple Alibaba Cloud accounts in a resource directory and batch-export Security Center baseline reports for each account.

Prerequisites and Environment Setup

1. Install Alibaba Cloud CLI

# macOS
brew install aliyun-cli

# Or download from GitHub: https://github.com/aliyun/aliyun-cli/releases

Check credentials:

aliyun sts get-caller-identity

If the call fails, instruct the user to run aliyun configure and set up credentials (interactive step, must be completed by the user).

1.1 Configure AI mode and plugin mode (required)

This skill requires aliyun CLI plugin mode commands (kebab-case) and a fixed User-Agent declaration.

# Keep plugins up to date
aliyun plugin update

# Install required product plugins if missing
aliyun plugin install --names aliyun-cli-sts,aliyun-cli-sas

# Enable AI mode and set required UA segment
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent AlibabaCloud-Agent-Skills

# Optional checks / rollback
aliyun configure ai-mode show
aliyun configure ai-mode disable

2. Install Python ≥ 3.6

# Check version
python3 --version  # Requires 3.6+, 3.9+ recommended

3. Create Virtual Environment and Install Dependencies

Create a virtual environment in <skill-path>/scripts/ and install dependencies declared in pyproject.toml:

cd scripts/

# Option A: use venv
python3 -m venv .venv
.venv/bin/pip install -e .

# Option B: use uv (optional)
uv sync

# Option C: if current Python version is unsupported, install as system dependencies
pip install -r requirements.txt

4. Run Commands

All scripts must be executed with Python from the virtual environment (whether created via venv, uv, conda, etc.). This document uses .venv/bin/python in examples; replace it with your actual virtual environment path.

---

Working Directory

accounts.json and exported Excel files are saved in the agent's current working directory (the directory where the command is executed). Script files themselves are located in <skill-path>/scripts/. Do not switch into the scripts directory when running commands, or accounts.json location may shift unexpectedly.

# Example: run from any directory
.venv/bin/python /path/to/scripts/accounts.py refresh

Feature 1: Account Management (accounts.py)

Workflow

1. First use: run refresh to fetch account list from the resource directory.
2. Filter as needed: use search to find target accounts and get AccountId.
3. Enable/disable control: use enable / disable to decide which accounts participate in batch export.

Quick Start

Refresh account list

Fetch the latest account list from Alibaba Cloud resource directory and write to accounts.json. Existing enable states are preserved; new accounts are enabled by default.

.venv/bin/python accounts.py refresh

List all accounts

.venv/bin/python accounts.py list

Sample output:

1225574417218097    cwx                     [enabled]
1234567890123456    prod-account            [disabled]

Search accounts

Fuzzy-search by DisplayName, returning AccountId and enable status.

.venv/bin/python accounts.py search cwx
.venv/bin/python accounts.py search prod

Enable / disable accounts

Control whether an account participates in subsequent batch exports.

.venv/bin/python accounts.py enable 1225574417218097
.venv/bin/python accounts.py disable 1234567890123456

accounts.json Structure

[
  {
    "AccountId": "1225574417218097",
    "DisplayName": "cwx",
    "FolderId": "r-1Q4pqB",
    "IsMaAccount": "NO",
    "SasVersion": "0",
    "enable": true
  }
]

---

Feature 2: Batch Baseline Export (baseline.py)

Launch export tasks concurrently for all accounts with enable=true. After polling completion, files are downloaded, extracted, and merged into a single Excel file.

Workflow

1. Concurrent submission: submit export-record requests for all enabled accounts (QPS ≤ 5).
2. Concurrent polling: poll describe-export-info for each account until export completes.
3. Download and extract: download zip and extract xlsx.
4. Merge output: merge all account xlsx files into one file via merge.py, appending a “Resource Directory Account” column.
5. Cleanup temporary files: delete per-account temporary xlsx files after merge.

Prerequisites

• accounts.py refresh has been executed and account enable/disable configuration is complete.
• aliyun CLI is configured with valid credentials and has SAS export-record and describe-export-info permissions.
• Accounts must have Security Center purchased (free edition accounts are skipped automatically).

Export cloud platform configuration check results (CSPM)

Export baselineCspm results for all enabled accounts and merge into baseline-cspm-merged-{date}.xlsx.

# Export for all enabled accounts
.venv/bin/python baseline.py export-cspm

# Export for one specific account
.venv/bin/python baseline.py export-cspm --account-id 1225574417218097

Export system baseline risk list

Export exportHcWarning risk list (high/medium/low, all statuses) for all enabled accounts and merge into system-warning-merged-{date}.xlsx.

# Export for all enabled accounts
.venv/bin/python baseline.py export-system-warning

# Export for one specific account
.venv/bin/python baseline.py export-system-warning --account-id 1225574417218097

Output Files

| File | Description | |------|------| | baseline-cspm-merged-{date}.xlsx | Merged cloud platform configuration check results, including “Resource Directory Account” column | | system-warning-merged-{date}.xlsx | Merged system baseline risk list, including “Resource Directory Account” column |

Error Handling

| Scenario | Behavior | |------|------| | FreeVersionNotPermit | Silently skip this account and continue others | | NoPermission / Forbidden | Silently skip this account | | Export failed (server-side error) | Print [failed] message and continue with other accounts | | All accounts skipped | Print message and exit without output file |

---

Feature 3: Batch Vulnerability Export (vuln.py)

Launch vulnerability export tasks concurrently for all accounts with enable=true. Supports four vulnerability types. After polling completion, files are downloaded, extracted, and merged automatically.

Workflow

1. Concurrent submission: submit export-vul --force requests for all enabled accounts (QPS ≤ 5).
2. Concurrent polling: poll describe-vul-export-info --force for each account until export completes.
3. Download and extract: download zip and extract xlsx.
4. Merge output: merge all account xlsx files into one file via merge.py, appending a “Resource Directory Account” column.
5. Cleanup temporary files: delete per-account temporary xlsx files after merge.

When the current account is the same as the caller's primary account, --ResourceDirectoryAccountId is omitted automatically.

Prerequisites

• accounts.py refresh has been executed and account enable/disable configuration is complete.
• aliyun CLI is configured with valid credentials and has SAS export-vul and describe-vul-export-info permissions.
• Accounts must have Security Center purchased (free edition accounts are skipped automatically).

Export Linux software vulnerabilities (CVE)

Export unresolved Linux software vulnerabilities (high/medium/low priority) for all enabled accounts and merge into vul-cve-merged-{date}.xlsx.

# Export for all enabled accounts
.venv/bin/python vuln.py export-cve

# Export for one specific account
.venv/bin/python vuln.py export-cve --account-id 1225574417218097

Export Windows system vulnerabilities

Export unresolved Windows system vulnerabilities (high/medium/low priority) for all enabled accounts and merge into vul-sys-merged-{date}.xlsx.

.venv/bin/python vuln.py export-sys
.venv/bin/python vuln.py export-sys --account-id 1225574417218097

Export application vulnerabilities (including SCA)

Export unresolved application vulnerabilities (ECS + container, including software composition analysis) for all enabled accounts and merge into vul-app-merged-{date}.xlsx.

.venv/bin/python vuln.py export-app
.venv/bin/python vuln.py export-app --account-id 1225574417218097

Export emergency vulnerabilities

Export emergency vulnerabilities (at-risk status) for all enabled accounts and merge into vul-emg-merged-{date}.xlsx.

.venv/bin/python vuln.py export-emg
.venv/bin/python vuln.py export-emg --account-id 1225574417218097

Output Files

| File | Description | |------|------| | vul-cve-merged-{date}.xlsx | Merged Linux software vulnerability list, including “Resource Directory Account” column | | vul-sys-merged-{date}.xlsx | Merged Windows system vulnerability list, including “Resource Directory Account” column | | vul-app-merged-{date}.xlsx | Merged application vulnerability list (including SCA), including “Resource Directory Account” column | | vul-emg-merged-{date}.xlsx | Merged emergency vulnerability list, including “Resource Directory Account” column |

Export Parameter Details

| Type | export-vul parameters | |------|----------------| | export-cve | --Type cve --Necessity asap,later,nntf --Dealed n | | export-sys | --Type sys --Necessity asap,later,nntf --Dealed n | | export-app | --Type app --Necessity asap,later,nntf --AttachTypes sca --AssetType ECS,CONTAINER --Dealed n | | export-emg | --Type emg --RiskStatus y --Dealed n |

Error Handling

| Scenario | Behavior | |------|------| | FreeVersionNotPermit | Silently skip this account and continue others | | NoPermission / Forbidden | Silently skip this account | | Export failed (server-side error) | Print [failed] message and continue with other accounts | | All accounts skipped | Print message and exit without output file |

---

Notes

• Scripts must run in a virtual environment. Examples use .venv/bin/python; replace with your actual virtual environment path.
• Manage aliyun CLI credentials with aliyun configure; do not hardcode AK/SK.
• SAS API supports only two endpoints: cn-shanghai (China mainland) and ap-southeast-1 (outside China mainland).