Back to Details

alibabacloud-governance-evaluation-report

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Alibaba Cloud Governance Center Evaluation Report

阿里云治理中心评估报告

Guide users to discover governance risks, focus on critical issues, and take remediation actions through a progressive drill-down workflow.
通过渐进式下钻工作流引导用户发现治理风险、聚焦关键问题并采取修复措施。

Scenario Description

场景说明

This skill is a problem-discovery and resolution guide — not a comprehensive audit report generator. It operates as a progressive disclosure funnel:
  1. Overview (quick diagnosis) — Score + pillar distribution + top critical risks → guide user to choose a direction
  2. Pillar analysis (focused drill-down) — All risks in a specific domain, controlled by severity → guide user to specific items
  3. Detail (deep dive) — Single check item with full remediation steps → guide user to related items or resources
  4. Resources (action) — Non-compliant resource listing for targeted remediation
Each layer focuses on the most important information and guides the user to the next level. Avoid information overload — keep output concise and actionable.
Architecture: 
Governance Center API → CLI (aliyun governance) → governance_query.py (merge + cache) → JSON output → Agent report
该技能是问题发现与解决指南,而非完整的审计报告生成工具。它采用渐进式信息披露的漏斗模型工作:
  1. 概览(快速诊断) — 得分 + 支柱分布 + 顶级关键风险 → 引导用户选择排查方向
  2. 支柱分析(聚焦下钻) — 特定领域的所有风险,按严重程度管控 → 引导用户定位到具体项
  3. 详情(深度排查) — 包含完整修复步骤的单个检测项 → 引导用户查看关联项或资源
  4. 资源(执行动作) — 不合规资源列表,用于定向修复
每一层都聚焦最重要的信息并引导用户进入下一层。避免信息过载,保持输出简洁且可落地。
架构
Governance Center API → CLI (aliyun governance) → governance_query.py (合并 + 缓存) → JSON 输出 → Agent 报告

How It Works

工作原理

Data Sources — Three APIs provide all data:
  1. list-evaluation-metadata
    — Check item definitions (name, description, pillar, level, remediation)
  2. list-evaluation-results
    — Actual results (status, risk, compliance rate, score)
  3. list-evaluation-metric-details
    — Non-compliant resource details for a specific check item
Processing — The script (governance_query.py) merges data sources and caches results for 1 hour. It provides 4 query modes: 
overview
, 
pillar
, 
detail
, 
resources
.
Output — Structured JSON for Agent to generate user-friendly reports. Reports are output directly in the conversation as formatted text, NOT written to files.
数据源 — 三个API提供所有数据:
  1. list-evaluation-metadata
    — 检测项定义(名称、描述、支柱、等级、修复方案)
  2. list-evaluation-results
    — 实际检测结果(状态、风险、合规率、得分)
  3. list-evaluation-metric-details
    — 特定检测项的不合规资源详情
处理流程 — 脚本(governance_query.py)合并多源数据并将结果缓存1小时。它提供4种查询模式:
overview
pillar
detail
resources
输出 — 结构化JSON供Agent生成用户友好的报告。报告直接以格式化文本形式在对话中输出,不会写入文件。

Prerequisites

前提条件

Pre-check: Aliyun CLI >= 3.3.0 required Run 
aliyun version
to verify. If not installed or version too low, see references/cli-installation-guide.md for installation instructions. Then [MUST] run 
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.
bash
aliyun version                                    # >= 3.3.0
aliyun configure set --auto-plugin-install true   # Enable auto plugin install
python3 --version                                 # Python 3.x
前置检查:要求 Aliyun CLI >= 3.3.0 运行 
aliyun version
验证版本。如果未安装或者版本过低,查看 references/cli-installation-guide.md 获取安装指引。 之后**[必须]** 运行 
aliyun configure set --auto-plugin-install true
启用插件自动安装功能。
bash
aliyun version                                    # >= 3.3.0
aliyun configure set --auto-plugin-install true   # 启用自动安装插件
python3 --version                                 # Python 3.x

Authentication

身份认证

Configure CLI authentication (OAuth recommended):
bash
undefined
配置CLI身份认证(推荐OAuth方式):
bash
undefined

OAuth mode (recommended)

OAuth 模式(推荐)

aliyun configure --mode OAuth
aliyun configure --mode OAuth
undefined

RAM Policy

RAM 策略

Requires Governance Center read permissions. See references/ram-policies.md for full policy.
Minimum required permissions:
  • governance:ListEvaluationMetadata
  • governance:ListEvaluationResults
Or attach system policy: AliyunGovernanceReadOnlyAccess
需要治理中心的读权限。查看 references/ram-policies.md 获取完整策略。
最低所需权限:
  • governance:ListEvaluationMetadata
  • governance:ListEvaluationResults
或者挂载系统策略:AliyunGovernanceReadOnlyAccess

Parameter Confirmation

参数确认

This skill has minimal user-specific parameters. The following may require confirmation:
Parameter NameRequired/OptionalDescriptionDefault Value
--profile
OptionalAliyun CLI profile nameDefault profile
-c, --category
Required (pillar mode)Pillar category nameN/A
--id
Required (detail/resources mode)Check item metric IDN/A
--keyword
Optional (detail mode)Search keyword for check itemsN/A
--max-results
Optional (resources mode)Max results per page50
该技能的用户自定义参数非常少,可能需要确认以下参数:
参数名必填/可选描述默认值
--profile
可选Aliyun CLI 配置名默认配置
-c, --category
(支柱模式下)必填支柱分类名称
--id
(详情/资源模式下)必填检测项指标ID
--keyword
(详情模式下)可选检测项搜索关键词
--max-results
(资源模式下)可选每页最大返回结果数50

Verification

验证

Verify setup before use:
bash
undefined
使用前先验证配置是否正确:
bash
undefined

Test CLI connection

测试CLI连接

aliyun governance list-evaluation-results
--user-agent AlibabaCloud-Agent-Skills
--cli-query "Results.TotalScore"
aliyun governance list-evaluation-results
--user-agent AlibabaCloud-Agent-Skills
--cli-query "Results.TotalScore"

Test script

测试脚本

python3 scripts/governance_query.py overview

See [references/verification-method.md](references/verification-method.md) for detailed steps.

---
python3 scripts/governance_query.py overview

查看 [references/verification-method.md](references/verification-method.md) 获取详细步骤。

---

Core Workflow

核心工作流

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., 
--profile
, 
--category
, 
--id
, 
--keyword
, 
--max-results
, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.
IMPORTANT: Output Format — Reports are format specifications for conversation output only. Always output report content directly in the chat message as formatted Markdown. Do NOT create or write report files (e.g., 
.md
, 
.txt
, 
.html
). No file generation is needed.
Script location: scripts/governance_query.py
重要提示:参数确认 — 执行任何命令或者API调用前,必须与用户确认所有用户可自定义的参数(例如 
--profile
--category
--id
--keyword
--max-results
等)。未经用户明确同意,请勿假设参数值或者使用默认值。
重要提示:输出格式 — 报告仅为对话输出的格式规范,始终直接在聊天消息中以格式化Markdown输出报告内容,请勿创建或者写入报告文件(例如 
.md
.txt
.html
),不需要生成任何文件。
脚本位置:scripts/governance_query.py

Global Options

全局选项

OptionDescription
--refresh
Force refresh cache (default: 1-hour TTL)
选项描述
--refresh
强制刷新缓存(默认TTL为1小时)

Mode 1: 
overview
— Overall Maturity Report

模式1:
overview
— 整体成熟度报告

When to use: User asks about overall account health, maturity score, or wants a summary.
bash
python3 scripts/governance_query.py overview
python3 scripts/governance_query.py overview -r Error              # Only high-risk items
python3 scripts/governance_query.py overview -r Error,Warning      # High + medium risk
python3 scripts/governance_query.py --refresh overview             # Force fresh data
Options:
OptionDescription
-r, --risk
Filter RiskyItems by risk level (comma-separated: 
Error
, 
Warning
, 
Suggestion
). PillarSummary and RiskDistribution are always complete.
Output JSON fields:
  • TotalScore
    — Overall maturity score (0.0-1.0)
  • PillarSummary
    — Per-pillar statistics (checked/risky counts, always unfiltered)
  • RiskDistribution
    — Count by risk level (always unfiltered)
  • RiskyItems
    — Items with risk, filtered by 
    --risk
    if specified, sorted by severity
  • RiskFilter
    — Applied risk filter values (only present when 
    --risk
    is used)
Report format: Read references/report-format-overview.md for the exact output format.
适用场景:用户询问账号整体健康度、成熟度得分,或者想要汇总结果时。
bash
python3 scripts/governance_query.py overview
python3 scripts/governance_query.py overview -r Error              # 仅展示高风险项
python3 scripts/governance_query.py overview -r Error,Warning      # 高+中风险项
python3 scripts/governance_query.py --refresh overview             # 强制获取最新数据
选项
选项描述
-r, --risk
按风险等级过滤风险项(逗号分隔:
Error
Warning
Suggestion
)。支柱汇总和风险分布信息始终完整展示。
输出JSON字段
  • TotalScore
    — 整体成熟度得分(0.0-1.0)
  • PillarSummary
    — 各支柱统计数据(已检测/风险项数量,始终不过滤)
  • RiskDistribution
    — 按风险等级统计的数量(始终不过滤)
  • RiskyItems
    — 存在风险的项,若指定
    --risk
    则按规则过滤,按严重程度排序
  • RiskFilter
    — 已应用的风险过滤值(仅当使用
    --risk
    时存在)
报告格式:阅读 references/report-format-overview.md 获取准确的输出格式。

Mode 2: 
pillar
— Pillar-Specific Report

模式2:
pillar
— 指定支柱的专项报告

When to use: User asks about a specific domain (security, reliability, cost, etc.).
bash
python3 scripts/governance_query.py pillar -c <Category> [options]
Options:
OptionDescription
-c, --category
Required. Pillar name (see below)
--risky
Only show items with risk (exclude compliant)
-l, --level
Filter by recommendation level (comma-separated)
-r, --risk
Filter by actual risk level (comma-separated)
Category values:
  • Security
    — 安全
  • Reliability
    — 稳定
  • CostOptimization
    — 成本
  • OperationalExcellence
    — 效率
  • Performance
    — 性能
Level values: 
Critical
, 
High
, 
Medium
, 
Suggestion
Risk values: 
Error
, 
Warning
, 
Suggestion
, 
None
Examples:
bash
undefined
适用场景:用户询问特定领域(安全、可靠性、成本等)的问题时。
bash
python3 scripts/governance_query.py pillar -c <Category> [options]
选项
选项描述
-c, --category
必填。支柱名称(见下方列表)
--risky
仅展示存在风险的项(排除合规项)
-l, --level
按推荐等级过滤(逗号分隔)
-r, --risk
按实际风险等级过滤(逗号分隔)
分类取值
  • Security
    — 安全
  • Reliability
    — 稳定
  • CostOptimization
    — 成本
  • OperationalExcellence
    — 效率
  • Performance
    — 性能
等级取值
Critical
High
Medium
Suggestion
风险取值
Error
Warning
Suggestion
None
示例
bash
undefined

安全支柱所有风险项

安全支柱所有风险项

python3 scripts/governance_query.py pillar -c Security --risky
python3 scripts/governance_query.py pillar -c Security --risky

仅严重和高优先级的错误/警告

仅严重和高优先级的错误/警告

python3 scripts/governance_query.py pillar -c Security -l Critical,High -r Error,Warning --risky

**Output JSON fields**:
- `Category`, `CategoryCN` — Pillar name
- `MatchedCount` — Number of matched items
- `Items` — List of check items with status

**Report format**: Read [references/report-format-pillar.md](references/report-format-pillar.md) for the exact output format.

---
python3 scripts/governance_query.py pillar -c Security -l Critical,High -r Error,Warning --risky

**输出JSON字段**:
- `Category`、`CategoryCN` — 支柱名称
- `MatchedCount` — 匹配的项数量
- `Items` — 带状态的检测项列表

**报告格式**:阅读 [references/report-format-pillar.md](references/report-format-pillar.md) 获取准确的输出格式。

---

Mode 3: 
detail
— Check Item Detail

模式3:
detail
— 检测项详情

When to use: User asks about a specific check item or how to fix an issue.
bash
python3 scripts/governance_query.py detail --id <metric-id>
python3 scripts/governance_query.py detail --keyword <search-term>
Options:
OptionDescription
--id
Check item ID (e.g., 
apbxftkv5c
)
--keyword
Search by name/description (if multiple matches, shows list)
Examples:
bash
undefined
适用场景:用户询问特定检测项,或者如何修复某个问题时。
bash
python3 scripts/governance_query.py detail --id <metric-id>
python3 scripts/governance_query.py detail --keyword <search-term>
选项
选项描述
--id
检测项ID(例如 
apbxftkv5c
--keyword
按名称/描述搜索(如果匹配多个则展示列表)
示例
bash
undefined

按 ID 查询

按 ID 查询

python3 scripts/governance_query.py detail --id apbxftkv5c
python3 scripts/governance_query.py detail --id apbxftkv5c

按关键字搜索

按关键字搜索

python3 scripts/governance_query.py detail --keyword "MFA"

**Output JSON fields**:
- Basic info: `Id`, `DisplayName`, `Description`, `Category`
- Status: `Status`, `Risk`, `Compliance`, `NonCompliant`
- `Remediation` — Fix steps (Manual/Analysis/QuickFix)

**Report format**: Read [references/report-format-detail.md](references/report-format-detail.md) for the exact output format. The detail format also covers the resources listing when needed.

---
python3 scripts/governance_query.py detail --keyword "MFA"

**输出JSON字段**:
- 基础信息:`Id`、`DisplayName`、`Description`、`Category`
- 状态:`Status`、`Risk`、`Compliance`、`NonCompliant`
- `Remediation` — 修复步骤(手动/分析/快速修复)

**报告格式**:阅读 [references/report-format-detail.md](references/report-format-detail.md) 获取准确的输出格式。需要时详情格式也包含资源列表。

---

Mode 4: 
resources
— Non-Compliant Resources

模式4:
resources
— 不合规资源

When to use: User wants to see which specific resources failed a check item.
bash
python3 scripts/governance_query.py resources --id <metric-id>
Options:
OptionDescription
--id
Required. Check item ID
--max-results
Max results per page (default: 50)
Examples:
bash
undefined
适用场景:用户想要查看某个检测项未通过的具体资源列表时。
bash
python3 scripts/governance_query.py resources --id <metric-id>
选项
选项描述
--id
必填。检测项ID
--max-results
每页最大返回结果数(默认:50)
示例
bash
undefined

查询未启用 MFA 的 RAM 用户列表

查询未启用 MFA 的 RAM 用户列表

python3 scripts/governance_query.py resources --id apbxftkv5c
python3 scripts/governance_query.py resources --id apbxftkv5c

查询开放高危端口的安全组

查询开放高危端口的安全组

python3 scripts/governance_query.py resources --id a9g6pv7r5b

**Output JSON fields**:
- `MetricId` — Check item ID
- `TotalCount` — Number of non-compliant resources
- `Resources[]` — List of resources:
  - `ResourceId`, `ResourceName`, `ResourceType`
  - `RegionId`, `ResourceOwnerId`
  - `Classification` — Risk classification
  - `Properties` — Resource-specific attributes

---
python3 scripts/governance_query.py resources --id a9g6pv7r5b

**输出JSON字段**:
- `MetricId` — 检测项ID
- `TotalCount` — 不合规资源数量
- `Resources[]` — 资源列表:
  - `ResourceId`、`ResourceName`、`ResourceType`
  - `RegionId`、`ResourceOwnerId`
  - `Classification` — 风险分类
  - `Properties` — 资源特定属性

---

Mode Selection Guide

模式选择指南

User says...Use modeCommandReport format
"查查我的账号安全吗" / "成熟度得分" / "分析下治理检测结果"
overview
overview
overview
"有哪些高风险项" / "看下所有高风险"
overview
overview -r Error
overview
"中风险以上的问题"
overview
overview -r Error,Warning
overview
"安全方面有哪些问题" / "XX支柱的风险"
pillar
pillar -c Security --risky
pillar
"网络安全相关的检测项" / "数据库风险"
pillar
+ keyword filter
pillar -c Security --risky
then filter by keyword		pillar
"高优先级的问题"
pillar
pillar -c Security -l Critical,High --risky
pillar
"MFA怎么修" / "XX检测项详情"
detail
detail --keyword "MFA"
detail
"哪些用户没开MFA" / "不合规资源有哪些"
detail
+ 
resources
detail --id xxx
then 
resources --id xxx
detail
Default: If user doesn't specify pillar or check item, use 
overview
.
Report format selection: After determining the query mode, read the corresponding report format reference file before generating output. Only read the format file that matches the user's intent — do not read all format files at once.
用户输入...使用模式命令报告格式
"查查我的账号安全吗" / "成熟度得分" / "分析下治理检测结果"
overview
overview
overview
"有哪些高风险项" / "看下所有高风险"
overview
overview -r Error
overview
"中风险以上的问题"
overview
overview -r Error,Warning
overview
"安全方面有哪些问题" / "XX支柱的风险"
pillar
pillar -c Security --risky
pillar
"网络安全相关的检测项" / "数据库风险"
pillar
+ 关键词过滤
pillar -c Security --risky
之后按关键词过滤		pillar
"高优先级的问题"
pillar
pillar -c Security -l Critical,High --risky
pillar
"MFA怎么修" / "XX检测项详情"
detail
detail --keyword "MFA"
detail
"哪些用户没开MFA" / "不合规资源有哪些"
detail
+ 
resources
detail --id xxx
之后 
resources --id xxx
detail
默认规则:如果用户未指定支柱或者检测项,使用
overview
模式。
报告格式选择:确定查询模式后,生成输出前先阅读对应的报告格式参考文件。仅读取与用户意图匹配的格式文件,请勿一次性读取所有格式文件。

Field Reference

字段参考

FieldValuesNote
Risk
Error
(高风险) > 
Warning
(中风险) > 
Suggestion
(低风险) > 
None
(合规)		Actual detected risk
RecommendationLevel
Critical
> 
High
> 
Medium
> 
Suggestion
Recommended priority
Status
Finished
/ 
NotApplicable
/ 
Failed
Check execution status
Compliance
0.0 - 1.01.0 = fully compliant
字段取值说明
Risk
Error
(高风险) > 
Warning
(中风险) > 
Suggestion
(低风险) > 
None
(合规)		实际检测到的风险
RecommendationLevel
Critical
> 
High
> 
Medium
> 
Suggestion
推荐处理优先级
Status
Finished
/ 
NotApplicable
/ 
Failed
检测执行状态
Compliance
0.0 - 1.01.0 = 完全合规

Cache & Cleanup

缓存与清理

Only metadata (check item definitions) is cached locally — results are always fetched in real-time.
  • Cache location: 
    ~/.governance_cache/metadata.json
  • TTL: 24 hours (metadata rarely changes)
  • list-evaluation-results
    and 
    list-evaluation-metric-details
    are never cached
bash
undefined
仅元数据(检测项定义)会在本地缓存 — 检测结果始终实时获取。
  • 缓存位置:
    ~/.governance_cache/metadata.json
  • TTL:24小时(元数据极少变更)
  • list-evaluation-results
    list-evaluation-metric-details
    永远不会缓存
bash
undefined

Force refresh metadata cache

强制刷新元数据缓存

python3 scripts/governance_query.py --refresh overview
python3 scripts/governance_query.py --refresh overview

Clear cache manually

手动清理缓存

rm -rf ~/.governance_cache/
undefined
rm -rf ~/.governance_cache/
undefined

Best Practices

最佳实践

  1. Focus, don't dump — Each report layer should highlight what matters most, not list everything. Read the corresponding report format reference for quantity control rules
  2. Follow the funnel — Start with 
    overview
    , guide user to 
    pillar
    , then to 
    detail
    . Don't skip layers unless user explicitly asks for a specific item
  3. Use 
    --risky
    filter for pillar mode     — Reduces noise by hiding compliant items when investigating issues
  4. Prioritize by Risk + Level — Focus on 
    Error
    risk with 
    Critical
    /
    High
    recommendation level first
  5. Follow remediation guidance — Use 
    detail
    mode to get actionable fix steps before modifying resources
  6. Always guide next steps — Every report must end with follow-up guidance based on actual data, helping users continue exploring
  7. Cache management — Only metadata is cached (24h TTL); results are always real-time. Use 
    --refresh
    to force metadata refresh
  1. 聚焦核心信息,不要全量堆砌 — 每个报告层都应该突出最重要的内容,而非罗列所有信息。阅读对应的报告格式参考了解数量管控规则
  2. 遵循漏斗模型 — 从
    overview
    开始,引导用户进入
    pillar
    ,再到
    detail
    。除非用户明确要求查看特定项,否则不要跳过层级
  3. 支柱模式下使用
    --risky
    过滤     — 排查问题时隐藏合规项,减少噪音
  4. 按风险+优先级排序 — 优先关注风险等级为
    Error
    且推荐优先级为
    Critical
    /
    High
    的问题
  5. 遵循修复指引 — 修改资源前先使用
    detail
    模式获取可落地的修复步骤
  6. 始终引导下一步操作 — 每份报告的末尾都需要基于实际数据给出后续操作指引,帮助用户继续排查
  7. 缓存管理 — 仅元数据会被缓存(24小时TTL);检测结果始终是实时的。使用
    --refresh
    强制刷新元数据

References

参考文档

FileContent
report-format-overview.mdReport format: overall governance overview
report-format-pillar.mdReport format: pillar / keyword aggregated analysis
report-format-detail.mdReport format: single check item detail + resources
related-apis.mdCLI commands and API details
ram-policies.mdRequired permissions
verification-method.mdVerification steps
cli-installation-guide.mdCLI installation
文件内容
report-format-overview.md报告格式:整体治理概览
report-format-pillar.md报告格式:支柱/关键词聚合分析
report-format-detail.md报告格式:单个检测项详情 + 资源列表
related-apis.mdCLI命令和API详情
ram-policies.md所需权限
verification-method.md验证步骤
cli-installation-guide.mdCLI安装指引