Qualys Cloud Agent Application Release 2.2
Limited Customer Release
June 02, 2025
New Feature — Manifest Version Control
Overview
Manifest Version Control (MVC) gives organizations greater control over the Vulnerability Management (VM) manifests used by Qualys Cloud Agents. With this feature, you can delay or prevent the automatic assignment of newly published manifests, allowing time for validation in test environments before assigning them to production systems.
This capability helps reduce the risk of operational disruptions caused by unforeseen issues in newly released manifests and supports more controlled, reliable security operations at scale.
Importance of Manifest Version Control
VM manifests define the vulnerability signatures used by Qualys Cloud Agents. While it is important to have the latest threat data available, automatic assignment of newly published manifests can introduce a risk if the new manifest has unexpected interaction with specific environments.
Though published manifest are thoroughly tested and rarely cause any issues, the Manifest Version Control acts as a safeguard by allowing time to validate new manifests before assigning them to your critical assets.
Benefits of Manifest Version Control
The manifest version control offers the following benefits:
- Reduce Operational Risk: Validating new manifests before assigning them to critical assets avoids any unforeseen and unintended impact.
- Controlled Manifest Assignment: Manifest version control supports staggering manifest assignments across environments using time delays. You can delay the manifest assignment till the new manifest is validated.
- Consistent Scanning Behavior: Using validated manifests across your assets brings uniformity and consistency in scan behavior.
- Rapid Mitigation: With manifest version control, you can delay the assignment of problematic manifests for up to 48 hours, allowing you time to remediate the issues.
Steps to Create Manifest Version Control Profile
Perform the following steps to create a new manifest version control profile:
- Navigate to Configurations > Version Control Profiles > Manifest Version Control tab in the Cloud Agent user interface.
- Click New MVC Profile. The profile configuration window opens.
- Enter the profile name and description and configure the following settings:
Prevent Manifest Update
Select the Prevent manifest update checkbox to prevent the newly published manifest from being assigned to your Cloud Agent. You can specify Cloud Agents by adding tags in your manifest version control profile.We recommend using this option only for validation purposes. Once you validate the newly published manifest in your test environment, disable this option for affected Cloud Agents to download and assign the latest available manifest.
If you want your Cloud Agent to download the latest manifest immediately after you disable this option, ensure that:
- Time delay for manifest assignment is set to zero (0)
OR - Disable the Prevent manifest update option after the time delay interval is passed.
For example, If you have set the time delay of five hours in the manifest version control profile, disable the Prevent manifest update option after five hours, so that the affected Cloud Agents get the latest manifest immediately.
When the Prevent Manifest Update option is enabled, Cloud Agent for Linux is temporarily disabled for Vulnerability Management and does not perform VM scans with their existing manifests. Once the Prevent Manifest Update option is disabled, Cloud Agent performs the VM scan as expected. This is a known issue for the Linux agent and will be fixed in the next release.
Delay Manifest Assignment
In the Time Delay field, select the time interval in hours to delay the new manifest assignment for your Cloud Agent. By default, the Time Delay is set to 0 hours. Meaning, Cloud Agents are assigned the new manifest immediately after it is published. You can set a maximum of 48 hours of time delay for the manifest assignment.
For example, if you select the Time Delay as five (5) hours, manifests published in the last five hours are not assigned to Cloud Agents associated with the MVC profile. However, the manifests published before 5 hours are assigned to the affected Cloud Agents.
By default, all newly provisioned Cloud Agents are assigned the latest manifests. However, tag-based manifests are assigned only after the tag evaluation is complete. By the time tag-based manifest is assigned to a Cloud Agent, it may already have undergone a VM scan. This may result in different QID detections where the vulnerabilities reported before assignment are marked resolved, as the tag-based manifest does not include those detections. This issue will be fixed in the next platform update.
- Time delay for manifest assignment is set to zero (0)
Manage Manifest Version Control Profiles
You can use the Quick Actions menu to View, Edit, or Delete a manifest version control profile.
To access the Quick Actions menu, select a manifest version control profile and click the down arrow.
Reorder MVC Profiles
The MVC profiles are assigned based on their priority. To change the profile priority, click Reorder in the Manifest Version Control tab and reorder the profiles in the Reorder MVC Profile window.