Qualys Dataflow for Container Security Connector
The Qualys Dataflow for Container Security Connector automates the ingestion of container image and instance data from Qualys Container Security into Qualys Enterprise TruRisk Management for centralized risk analysis. By consolidating container asset information with vulnerability findings in a unified platform, security teams can prioritize remediation efforts more effectively and gain comprehensive visibility into container-based infrastructure risks.
The connector supports delta synchronization and bidirectional mapping between container security data models and the ETM risk management system, enabling teams to correlate container vulnerabilities with business context and organizational risk posture. This integration eliminates manual data silos between container security tools and enterprise risk management, allowing teams to make faster, more informed decisions about container security investments and remediation strategies.
Connector Details
| Vendor | Qualys |
|---|---|
| Product Name | Qualys Dataflow for Container Security |
| Category | Container Security |
| Works With | ETM, CSAM |
| Connector Type | ROC Connector |
| Supported Assets | Container Images, Container Instances |
| Findings Support | Yes |
| Version | 1.0 |
| Supported Version & Type | Qualys Container Security API |
| Integration Type | API Integration |
| Authentication Type | Basic Authentication, OAuth |
| Direction | Unidirectional (Qualys > Qualys) |
| Incremental Sync (Delta) | Supported |
| Import of Installed Software | Supported |
| Import of Source Tags | Not Supported |
| Filters / Filter Query | Asset type chip selector |
Supportability MatrixSupportability Matrix
| Asset Class | Finding Type | AWS | Azure | GCP | OCI |
|---|---|---|---|---|---|
| Compute | Resource Type | EC2 Instance | Azure Virtual Machine | Compute Engine VM | OCI Compute Instance |
| Inventory | NA | NA | NA | NA | |
| Vulnerabilities | NA | NA | NA | NA | |
| Misconfigurations | NA | NA | NA | NA | |
| Serverless | Resource Type | AWS Lambda Function | Azure Function App | GCP Cloud Functions | OCI Functions |
| Inventory | — | — | — | — | |
| Vulnerabilities | — | — | — | — | |
| Misconfigurations | NA | NA | NA | NA | |
| Container Image | Resource Type | Amazon ECR
(Container Image) |
Azure Container Registry
(ACR Image) |
Google Artifact Registry
(Container Image) |
OCI Container Registry
(OCIR Image) |
| Inventory | ✓ | ✓ | ✓ | ✓ | |
| Vulnerabilities | ✓ | ✓ | ✓ | ✓ | |
| Misconfigurations | — | — | — | — | |
| Container Instance | Resource Type | Amazon ECS Task /
AWS Fargate Container |
Azure Container Instance
(ACI) |
GKE Pod /
Cloud Run Container |
OCI Container Instances |
| Inventory | ✓ | ✓ | ✓ | ✓ | |
| Vulnerabilities | ✓ | ✓ | ✓ | ✓ | |
| Misconfigurations | — | — | — | — |
"—" entries indicate the asset class/finding type combination is not yet available for that cloud provider. NA indicates that CNAPP vendor is currently not supporting this asset class/finding type combination.
Configure the Connector
Before You Begin - AuthenticationBefore You Begin - Authentication
Before configuring the connector, ensure the following prerequisites are completed:
- Ensure you have Qualys Container Security credentials:
- Username and password for Basic Authentication
- Client ID and Client Secret for OAuth
- Note the Qualys Gateway URL, for example:
https://gateway.qg1.apps.qualys.com
Generate Authentication Credentials
Using Basic Authentication
- Open Qualys Container Security.
- Identify the appropriate Gateway URL for your subscription.
- Create or use an existing service account with access to Container Security APIs.
- Copy the username and password.
- Enter the values during connector configuration in ETM.
Using OAuth
- Create or identify an OAuth application in Qualys.
- Copy the Client ID and Client Secret.
- Enter the OAuth credentials during connector configuration.
Store OAuth Client Secrets securely. Access to secrets may be restricted after creation depending on your Qualys configuration.
Permissions Required
Scope and Data Access
The connector credentials must have access to the following Container Security API endpoints:
| Purpose | Endpoint |
|---|---|
| List Container Images | /csapi/v1.3/images/list |
| List Containers | /csapi/v1.3/containers/list |
The connector supports delta synchronization for incremental data retrieval.
Key Rotation
When rotating credentials, update the connector configuration in ETM using the Edit Connector option.
Create a Profile & ConnectionCreate a Profile & Connection
- Navigate to Connectors in ETM.
- Select Qualys Dataflow for Container Security.
- Click Create Connection.
- Provide the connection profile information.
- Configure authentication details.
- Run Test Connection.
- Click Next.
Connector Details
| Field | Type | Description |
|---|---|---|
| Name | String | Name of the connector profile. |
| Description | String | Description of the connector configuration. |
Authentication Details
| Field | Type | Description |
|---|---|---|
| Is IP Restricted | Boolean | Enable if API access is restricted to approved IP addresses. |
| Base URL | String | Qualys Gateway URL.
Example: https://gateway.qg1.apps.qualys.com
|
| Authentication Mechanism | String | Select the authentication type such as BASIC. |
| Username | String | Container Security username. |
| Password | Encrypted String | Password for the Container Security account. |
The Test Connection workflow validates the following checks:
- Network Reachability
- TLS Handshake
- Authentication Credential Check
- Authorization Scope Check
- Data Fetch
Set the Scope & ScheduleSet the Scope & Schedule
Select the data types to synchronize and configure the execution schedule.
Supported sync options:
- Assets & Findings
- Assets
The schedule configuration supports recurring synchronization such as Daily.
Schedules are configured using the selected ETM timezone and can run for up to 5 years.
Advanced Settings
Advanced Settings provide filtering and transformation configuration options.
Filters Tab
The connector supports chip-based asset type filtering.
Available asset type chips:
- Container Image
- Container Instance
All asset type chips are selected by default.
The Findings dropdown is available for selecting supported findings categories.
Save changes after modifying filter selections in Advanced Settings.
Transform Map Tab
The connector includes default transformation maps for Container Image and Container Instance assets and findings.
How the Connection Works
The Qualys Dataflow for Container Security Connector automates the ingestion of container image and container instance asset data from Qualys Container Security into Qualys ETM for unified risk analysis and prioritization.
The connector supports delta (incremental) synchronization and retrieves container metadata through the Container Security API.
Each run retrieves container image assets and findings including registry, tag, repository, SHA digest, architecture, UUID, size, layers, and creation date. Container instance assets and findings include port mappings, creation and update timestamps, vendor ID, image name, hostname, IP addresses, state, container ID, and start time.
Connector States
After the connector is created, it transitions through the following states:
| Registered | The connector is successfully registered and ready for synchronization. |
|---|---|
| Scheduled | The connector is queued for the next scheduled execution. |
| Processing | The connector is actively retrieving asset and findings data. |
| Processed | The connector completed asset synchronization successfully. |
Initial synchronization and findings processing can take up to 2 hours after the connector reaches the Processed state.
Viewing Assets and Findings in ETM
- Navigate to ETM > Inventory > Assets.
- Use the following QQL filter:
inventory:(source:"Qualys Container Security’")
- Navigate to ETM > Risk Management > Findings.
- Use the following QQL filter:
inventory.source:'Qualys Container Security’ and asset.subclass:'container-image'
Troubleshooting
| Authentication failure on connector run | Verify the Gateway URL, username/password, or Client ID/Client Secret entered in ETM. Confirm the credentials have Container Security API access. |
| No assets imported after first run | The connector may take up to 2 hours for completion. Verify Container Security has active container images and instances. Check the connector state in ETM. |
| Connector not available in the integrations list | The connector requires activation. Contact your TAM or Qualys Support to activate it. |
Additional Information
API Reference
| API | Endpoint |
|---|---|
| Container Images API | /csapi/v1.3/images/list |
| Containers API | /csapi/v1.3/containers/list |