Alibaba Cloud Governance Center Evaluation Report
Guide users to discover governance risks, focus on critical issues, and take remediation actions through a progressive drill-down workflow.
Scenario Description
This skill is a problem-discovery and resolution guide — not a comprehensive audit report generator. It operates as a progressive disclosure funnel:
- Overview (quick diagnosis) — Score + pillar distribution + top critical risks → guide user to choose a direction
- Pillar analysis (focused drill-down) — All risks in a specific domain, controlled by severity → guide user to specific items
- Detail (deep dive) — Single check item with full remediation steps → guide user to related items or resources
- Resources (action) — Non-compliant resource listing for targeted remediation
Each layer focuses on the most important information and guides the user to the next level. Avoid information overload — keep output concise and actionable.
Architecture:
Governance Center API → CLI (aliyun governance) → governance_query.py (merge + cache) → JSON output → Agent report
How It Works
Data Sources — Three APIs provide all data:
- — Check item definitions (name, description, pillar, level, remediation)
- — Actual results (status, risk, compliance rate, score)
list-evaluation-metric-details
Processing — The script (
governance_query.py) merges data sources and caches results for 1 hour. It provides 4 query modes:
,
,
,
.
Output — Structured JSON for Agent to generate user-friendly reports. Reports are output directly in the conversation as formatted text, NOT written to files.
Prerequisites
Pre-check: Aliyun CLI >= 3.3.0 required
Run
to verify. If not installed or version too low,
see
references/cli-installation-guide.md for installation instructions.
Then
[MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.
bash
aliyun version # >= 3.3.0
aliyun configure set --auto-plugin-install true # Enable auto plugin install
python3 --version # Python 3.x
Authentication
Configure CLI authentication (OAuth recommended):
bash
# OAuth mode (recommended)
aliyun configure --mode OAuth
## RAM Policy
Requires Governance Center read permissions. See [references/ram-policies.md](references/ram-policies.md) for full policy.
Minimum required permissions:
- `governance:ListEvaluationMetadata`
- `governance:ListEvaluationResults`
Or attach system policy: **AliyunGovernanceReadOnlyAccess**
## Parameter Confirmation
This skill has minimal user-specific parameters. The following may require confirmation:
| Parameter Name | Required/Optional | Description | Default Value |
|----------------|-------------------|-------------|---------------|
| `--profile` | Optional | Aliyun CLI profile name | Default profile |
| `-c, --category` | Required (pillar mode) | Pillar category name | N/A |
| `--id` | Required (detail/resources mode) | Check item metric ID | N/A |
| `--keyword` | Optional (detail mode) | Search keyword for check items | N/A |
| `--max-results` | Optional (resources mode) | Max results per page | 50 |
## Verification
Verify setup before use:
```bash
# Test CLI connection
aliyun governance list-evaluation-results \
--user-agent AlibabaCloud-Agent-Skills \
--cli-query "Results.TotalScore"
# Test script
python3 scripts/governance_query.py overview
See references/verification-method.md for detailed steps.
Core Workflow
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g.,
,
,
,
,
, etc.) MUST be confirmed with the user.
Do NOT assume or use default values without explicit user approval.
IMPORTANT: Output Format — Reports are format specifications for conversation output only.
Always output report content directly in the chat message as formatted Markdown.
Do NOT create or write report files (e.g.,
,
,
). No file generation is needed.
Script location: scripts/governance_query.py
Global Options
| Option | Description |
|---|
| Force refresh cache (default: 1-hour TTL) |
Mode 1: — Overall Maturity Report
When to use: User asks about overall account health, maturity score, or wants a summary.
bash
python3 scripts/governance_query.py overview
python3 scripts/governance_query.py overview -r Error # Only high-risk items
python3 scripts/governance_query.py overview -r Error,Warning # High + medium risk
python3 scripts/governance_query.py --refresh overview # Force fresh data
Options:
| Option | Description |
|---|
| Filter RiskyItems by risk level (comma-separated: , , ). PillarSummary and RiskDistribution are always complete. |
Output JSON fields:
- — Overall maturity score (0.0-1.0)
- — Per-pillar statistics (checked/risky counts, always unfiltered)
- — Count by risk level (always unfiltered)
- — Items with risk, filtered by if specified, sorted by severity
- — Applied risk filter values (only present when is used)
Report format: Read references/report-format-overview.md for the exact output format.
Mode 2: — Pillar-Specific Report
When to use: User asks about a specific domain (security, reliability, cost, etc.).
bash
python3 scripts/governance_query.py pillar -c <Category> [options]
Options:
| Option | Description |
|---|
| Required. Pillar name (see below) |
| Only show items with risk (exclude compliant) |
| Filter by recommendation level (comma-separated) |
| Filter by actual risk level (comma-separated) |
Category values:
Examples:
bash
# 安全支柱所有风险项
python3 scripts/governance_query.py pillar -c Security --risky
# 仅严重和高优先级的错误/警告
python3 scripts/governance_query.py pillar -c Security -l Critical,High -r Error,Warning --risky
Output JSON fields:
- , — Pillar name
- — Number of matched items
- — List of check items with status
Report format: Read references/report-format-pillar.md for the exact output format.
Mode 3: — Check Item Detail
When to use: User asks about a specific check item or how to fix an issue.
bash
python3 scripts/governance_query.py detail --id <metric-id>
python3 scripts/governance_query.py detail --keyword <search-term>
Options:
| Option | Description |
|---|
| Check item ID (e.g., ) |
| Search by name/description (if multiple matches, shows list) |
Examples:
bash
# 按 ID 查询
python3 scripts/governance_query.py detail --id apbxftkv5c
# 按关键字搜索
python3 scripts/governance_query.py detail --keyword "MFA"
Output JSON fields:
- Basic info: , , ,
- Status: , , ,
- — Fix steps (Manual/Analysis/QuickFix)
Report format: Read references/report-format-detail.md for the exact output format. The detail format also covers the resources listing when needed.
Mode 4: — Non-Compliant Resources
When to use: User wants to see which specific resources failed a check item.
bash
python3 scripts/governance_query.py resources --id <metric-id>
Options:
| Option | Description |
|---|
| Required. Check item ID |
| Max results per page (default: 50) |
Examples:
bash
# 查询未启用 MFA 的 RAM 用户列表
python3 scripts/governance_query.py resources --id apbxftkv5c
# 查询开放高危端口的安全组
python3 scripts/governance_query.py resources --id a9g6pv7r5b
Output JSON fields:
- — Check item ID
- — Number of non-compliant resources
- — List of resources:
- , ,
- ,
- — Risk classification
- — Resource-specific attributes
Mode Selection Guide
| User says... | Use mode | Command | Report format |
|---|
| "查查我的账号安全吗" / "成熟度得分" / "分析下治理检测结果" | | | overview |
| "有哪些高风险项" / "看下所有高风险" | | | overview |
| "中风险以上的问题" | | overview -r Error,Warning
| overview |
| "安全方面有哪些问题" / "XX支柱的风险" | | pillar -c Security --risky
| pillar |
| "网络安全相关的检测项" / "数据库风险" | + keyword filter | pillar -c Security --risky
| pillar |
| "高优先级的问题" | | pillar -c Security -l Critical,High --risky
| pillar |
| "MFA怎么修" / "XX检测项详情" | | | detail |
| "哪些用户没开MFA" / "不合规资源有哪些" | + | then | detail |
Default: If user doesn't specify pillar or check item, use
.
Report format selection: After determining the query mode, read the corresponding report format reference file before generating output. Only read the format file that matches the user's intent — do not read all format files at once.
Field Reference
| Field | Values | Note |
|---|
| (高风险) > (中风险) > (低风险) > (合规) | Actual detected risk |
| > > > | Recommended priority |
| / / | Check execution status |
| 0.0 - 1.0 | 1.0 = fully compliant |
Cache & Cleanup
Only metadata (check item definitions) is cached locally — results are always fetched in real-time.
- Cache location:
~/.governance_cache/metadata.json
- TTL: 24 hours (metadata rarely changes)
- and
list-evaluation-metric-details
bash
# Force refresh metadata cache
python3 scripts/governance_query.py --refresh overview
# Clear cache manually
rm -rf ~/.governance_cache/
Best Practices
- Focus, don't dump — Each report layer should highlight what matters most, not list everything. Read the corresponding report format reference for quantity control rules
- Follow the funnel — Start with , guide user to , then to . Don't skip layers unless user explicitly asks for a specific item
- Use filter for pillar mode — Reduces noise by hiding compliant items when investigating issues
- Prioritize by Risk + Level — Focus on risk with / recommendation level first
- Follow remediation guidance — Use mode to get actionable fix steps before modifying resources
- Always guide next steps — Every report must end with follow-up guidance based on actual data, helping users continue exploring
- Cache management — Only metadata is cached (24h TTL); results are always real-time. Use to force metadata refresh
References
| File | Content |
|---|
| report-format-overview.md | Report format: overall governance overview |
| report-format-pillar.md | Report format: pillar / keyword aggregated analysis |
| report-format-detail.md | Report format: single check item detail + resources |
| related-apis.md | CLI commands and API details |
| ram-policies.md | Required permissions |
| verification-method.md | Verification steps |
| cli-installation-guide.md | CLI installation |