Release 1.5.0
April 15, 2026
The Qualys Container Runtime Sensor (CRS) 1.5.0 release introduces key enhancements focused on improved runtime visibility, precise policy targeting, expanded platform support, and stronger event‑volume control across containerized environments.
Runtime Information Visibility
With this release, the Container Runtime Sensor sends the container runtime type and version to the Qualys Enterprise TruRisk™ Platform during sensor provisioning. You can now identify the container runtime in use (containerd, CRI-O, or Docker) and the exact version running on the node. This information is important not only for general environmental awareness but also for troubleshooting and auditing. You no longer need to access the CLI to obtain it, because it is now available on the Qualys Enterprise TruRisk™ Platform.
Support for Kubernetes Priority Class
Container Runtime Sensor 1.5.0 adds support for Kubernetes Priority Class, allowing you to control pod scheduling priority for the runtime sensor. Such pod scheduling is crucial on busy clusters. It also helps avoid unnecessary termination (eviction) of the pods.
By default, priority class support is disabled. You can enable it using the Unified Helm Chart (qualys-tc). Once priority classes are set, the runtime sensor pods are created and assigned the specified priority class.
Support for Pod Label Filter in Runtime Tracing Policies
Runtime tracing policies now support pod label filters (pod selectors), allowing policies to be applied only to specific pods rather than all workloads in the cluster. Policies are enforced exclusively on pods that match the specified label selector.
This enables targeted runtime monitoring for specific workloads, reducing event noise and improving signal quality while aligning security policies more closely with application requirements.
When such a tracing policy is applied, runtime events from pods with the specified label are processed, whereas pods without matching labels are excluded from the policy.
Support for Docker Standalone Environment
With this release, the Qualys Container Runtime Sensor supports Docker standalone environments, enabling runtime visibility beyond Kubernetes and OpenShift. When deployed on a Docker host with the required environment variables, the sensor captures and sends process events to the Qualys Enterprise TruRisk™ Platform. This enhancement extends the runtime security coverage to standalone Docker deployments while maintaining controlled and efficient event ingestion.
Supported Environment Variables
- QUALYS_IGNORE_PROCESS_LIST
- QUALYS_EVENT_GLOBAL_RATE_LIMIT
Set this variable to a value between 10 and 30 to configure global event rate limiting.
'Hostname configuration' and 'Docker socket mount' are mandatory for runtime sensor operation in Docker standalone mode.
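A pre-deployment check for the requirements above, written as an added example (it is not Qualys code). It audits one `docker inspect` entry for the sensor container; the socket file name `docker.sock`, the reading of "hostname configuration" as an explicitly set hostname, and the sample data are assumptions.

```python
import json

RATE_MIN, RATE_MAX = 10, 30   # valid range stated in the release notes
SOCK_NAME = "docker.sock"     # assumption: default Docker socket file name

# Constructed sample shaped like `docker inspect <container>` output (not real data).
SAMPLE_INSPECT = json.loads("""[{
  "Id": "3f9c2a7b5d1e4c6f8a0b9d2e7c1f4a6b8d0e2c4f6a8b0d2e4c6f8a0b2d4e6f80",
  "Config": {"Hostname": "3f9c2a7b5d1e",
             "Env": ["QUALYS_EVENT_GLOBAL_RATE_LIMIT=50", "PATH=/usr/bin"]},
  "Mounts": [{"Type": "bind", "Source": "/var/log", "Destination": "/host/log"}]
}]""")


def audit_sensor_container(entry):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    config = entry.get("Config") or {}
    env = dict(e.split("=", 1) for e in (config.get("Env") or []) if "=" in e)

    # The rate limit is optional, but when set it must be an integer in 10..30.
    raw = env.get("QUALYS_EVENT_GLOBAL_RATE_LIMIT")
    if raw is not None:
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"rate limit {raw!r} is not an integer")
        else:
            if not RATE_MIN <= value <= RATE_MAX:
                findings.append(f"rate limit {value} outside {RATE_MIN}-{RATE_MAX}")

    # Docker defaults the hostname to the first 12 characters of the container ID.
    hostname = config.get("Hostname") or ""
    if not hostname or hostname == (entry.get("Id") or "")[:12]:
        findings.append("hostname not set explicitly")

    # The Docker socket must be mounted into the sensor container.
    mounts = entry.get("Mounts") or []
    if not any((m.get("Source") or "").endswith(SOCK_NAME) for m in mounts):
        findings.append("Docker socket is not mounted")
    return findings


if __name__ == "__main__":
    for finding in audit_sensor_container(SAMPLE_INSPECT[0]):
        print("FINDING:", finding)
```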
Enhancement in Rate Limiting
The CRS 1.5.0 release introduces enhancements to both FIM rate limiting and global event rate limiting.
FIM rate limiting and Global rate limiting can operate independently or together.
File Integrity Monitoring (FIM) Event Rate Limiting
This release introduces rate limiting for File Integrity Monitoring (FIM) events, allowing you to control the volume of file events before they are sent to the Qualys Enterprise TruRisk™ Platform.
This enhancement provides:
- better control over event volume
- improved runtime performance
- reduced operational noise without sacrificing security visibility
Supported rate-limit Scopes
- Pod‑level rate limiting (default for FIM)
- Process‑level rate limiting
Additionally, the option to disable rate limiting is removed. Previously, you could disable rate limiting by setting the value to 0 or 0s. With this release, a default rate limit of 1 minute is always enforced.
Global Event Rate Limiting
Container Runtime Sensor 1.5.0 introduces global rate limiting, which limits the total number of runtime events (file, process, and network) sent to Qualys Enterprise TruRisk™ Platform within a given time window. No changes are required in tracing‑policy files. Global rate limiting is applied by default once configured.
Key characteristics
- Global rate limiting is count‑based
- It does not perform de‑duplication
- Applies across all event types collectively
Global rate limiting is configured using the Helm chart values.yaml file:
Valid value range: 10 (min) to 30 (max)
The global rate limiting ensures predictable event volume, protects against sudden event bursts, and simplifies event governance across the cluster.
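The three characteristics listed above have a practical consequence for detection coverage: a burst of identical file events can use up the shared budget before a process or network event in the same window is sent. The model below is an added example, not the sensor's implementation; the fixed 60-second window, the treatment of over-limit events as suppressed, and the event data are assumptions.

```python
from collections import Counter


def global_rate_limit(events, limit, window_seconds):
    """Model a count-based limiter shared by all event types.

    events: time-ordered iterable of (timestamp_seconds, event_type, detail).
    Returns (sent_events, Counter of suppressed events per type).
    """
    sent, suppressed = [], Counter()
    window_start, used = None, 0
    for ts, etype, detail in events:
        # Open a new window once the current one has elapsed.
        if window_start is None or ts - window_start >= window_seconds:
            window_start, used = ts, 0
        if used < limit:
            # No de-duplication: identical events each consume budget.
            used += 1
            sent.append((ts, etype, detail))
        else:
            suppressed[etype] += 1
    return sent, suppressed


def build_sample_events():
    """Constructed sample: a noisy file burst, then other event types."""
    events = [(i * 0.5, "file", "write /tmp/app.log") for i in range(40)]
    events.append((25.0, "process", "exec /bin/sh"))
    events.append((30.0, "network", "connect 192.0.2.10:443"))
    events.append((70.0, "process", "exec /usr/bin/id"))  # falls in the next window
    return events


if __name__ == "__main__":
    sent, suppressed = global_rate_limit(build_sample_events(), 10, 60)
    print("sent per type:      ", dict(Counter(e[1] for e in sent)))
    print("suppressed per type:", dict(suppressed))
```

In this model the only way to protect the process and network events is to reduce the file noise upstream, for example with FIM rate limiting or narrower tracing policies, which the release notes say can operate together with the global limit.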
Deprecation of PCI‑FIM Policies
Container Runtime Sensor 1.5.0 includes updates to PCI‑related File Integrity Monitoring (FIM) policies to reduce unnecessary event generation. PCI‑FIM open policies are deprecated to avoid sending open‑only file events. Along with this, the monitored path /var/log/qualys is also removed from PCI‑FIM policies. These configurations were relevant for FIM‑VM, but not for runtime sensor use cases.
This enhancement reduces low‑value FIM events by eliminating open‑only policies and irrelevant paths, which in turn reduces the processing overhead.
Issues Addressed
The following issues have been fixed with this release.
| Category | Issue |
|---|---|
| File Difference | File diff was blank when using write diff policy for operations like `cat file1 file2` or `cp file1 file2`. The sensor now displays the number of bytes written when diff data is unavailable, providing better visibility into file modification events. |
| Process Event Null Pointer Handling | Runtime sensor could crash when process exec events lacked capabilities or credentials information. Added null checks to prevent crashes when processing incomplete process events, improving sensor stability and reliability. |