Release 1.39.0

July 07, 2025 (Updated on 14th August 2025)


- Qualys strongly recommends upgrading your Qualys Container Security Sensor to 1.39.0 version to avail the latest features and enhancements. 

Added Support for Asset Tracking Activity

Asset Tracking Activity refers to the ongoing actions or events related to the discovery, monitoring, and life-cycle changes of assets (Images, Registry Schedules, Sensor Containers) in your cloud environment. Earlier, all sensor errors were monitored using sensor logs sent by you. This process was time-consuming. With this release, Container Security delivers the initial phase of Asset Tracking Activity, wherein it offers more visibility to the assets by showing a few errors and status messages on the Qualys Enterprise TruRisk™ Platform and faster response with the help of Qualys Container Security Sensors. This also helps in live tracking of the assets.

The Asset Tracking Activity feature is enabled by default. You can disable it by using --disable-features 'sensor-asset-tracking' command during the sensor launch.

Sensor queues the activity messages and sends them together in bulk to Qualys Enterprise TruRisk™ Platform. To control the quantity and time interval of this bulk messaging, we have introduced the two arguments - --qlys-asset-tracking-flush-threshold-count and --qlys-asset-tracking-flush-duration-in-seconds.

See the new arguments usage below.

Entity Arguments
installsensor.sh AssetTrackingFlushDurationInSeconds= <Optional parameter to specify flush duration time in seconds for asset activity messages>

AssetTrackingFlushCountThreshold= <Optional parameter to specify flush count threshold for asset activity messages>
Docker run, Yamls --qlys-asset-tracking-flush-threshold-count: After queuing x messages, the sensor sends messages to Qualys Enterprise TruRisk™ Platform.
Valid values - This value must range between 5 and 50.  
Default value - 20.

--qlys-asset-tracking-flush-duration-in-seconds: After x time intervals in seconds, the sensor sends the messages to Qualys Enterprise TruRisk™ Platform.
Valid values - This value must range between 10 to 3600 seconds.  
Default value - 60 seconds

To know about errors and status messages offered under Asset Tracking Activity, refer to Container Security 1.39 Release Notes.

Added Support for Java DB Update Interval

CS Sensor downloads java.db to enable Java-specific vulnerability detection. The downloaded java.db is also useful for offline scanning. With this release, the CS Sensor downloads java.db only if .jar files are present in a package. GitHub Container Registry (GHCR) acts as a default repository to host the java.db. The SCA scans of the images without .jar files are faster than the images with the .jar files, as the time utilized for the GHCR call is saved. Also, this enhancement saves your network bandwidth.

With this release, CS Sensor has introduced '--qlys-java-db-update-interval' flag to set the frequency of the java.db download. Using this flag, you can decide the number of days after which CS Sensor can download the java.db from the cache directory.
Refer to the table below to understand java.db update interval argument based on the installation entity.

Entity Arguments
installsensor.sh JavaDbUpdateIntervalInDays=<no. of days>
Unified Helm chart --set qcsSensor.qualys.args.qlysJavaDBUpdateIntervalInDays=<no. of days>
Docker run, Podman run, Yamls --qlys-java-db-update-interval <no. of days>

 

As of today, the default value of this flag is '15' (15 days). 

Sensor Installation on Cluster using IPV6 Format

With this release, the sensor can be installed and operate fully on cluster nodes that use IPv6 networking. 

IPv6 is the next-generation Internet Protocol that provides:

  • A larger address space
    For example, IPV6 address can be 2001:db8::1 vs IPV4 address such as 192.168.1.1
  • Often used in modern data centers, cloud-native environments, and IoT

With this change, the Sensor can monitor and protect your IPv6-based traffic. The result will be displayed on Qualys Enterprise TruRisk™ Platform. To know more, refer refer to Container Security 1.39 Release Notes.

Update in HostIP Environment Variable

With this release, the HostIP environment variable, in a runtime environment, is renamed from SENSOR_HOST_IP  to QUALYS_SENSOR_HOST_IP to align with best practices in your runtime environments. This also helps prevent naming collisions in runtime environments where multiple tools or components may use generic variable names like SENSOR_HOST_IP. You are requested to update your environment with the latest deployment Yaml files.

Under env:
- name: QUALYS_SENSOR_HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP

Added Support to Disable Log Collection in Sensor

Earlier, we added support to add logs inside the container sensor (qpa.log) when the console logging was enabled using --enable-console-logs. At times, you may not need to save the sensor logs under the default log collection file - qpa.log. To support this, we have added an argument --qlys-disable-default-logging-to-file to disable the default log generation in qpa.log file. 

Helm Chart 1.18.0 Updates

The Qualys Container Security package consists of the 'values.yaml' file which deploys the sensor in various environments.
This section explains the updates in the latest Helm chart (values.yaml) file. Refer to QCS Sensor Helm Chart (qcs-sensor).

Enhancements

With this release, the following flags are introduced or updated in the 'values.yaml' file. 

Flag/Entity Status Flag Location in YAML 1.18.0 Description
javaDBUpdate
IntervalInDays
    		 New       Line no. 79 Specify the java DB update interval in days. Default value :”15"
assetTrackingFlush
DurationInSeconds 		 New     Line no. 80 Specify the duration in seconds to flush messages. Default value :”60"
assetTrackingFlush
ThresholdCount    
 		 New     Line no. 81 Specify the threshold count of queue to flush messages. Default value: "20"
disableDefault
LoggingToFile   		 New     Line no. 82 Set to true, if you want to disable duplicate logging when enableConsoleLogs is true.

# Parameters to set sensor container memory limit.

sensorContResources:
    enabled: false
    memoryLimit: "500Mi"
    memoryRequest: "300Mi"
    gkeAutoEphemeral
StorageLimit: "500Mi"
    gkeAutoEphemeral
StorageRequest: "100Mi"

Updated Old flags line no.  (YAML 1.17.0) - 105 to 110

Updated flags line no. (YAML 1.18.0) - 110 to 119

These flags are modified as mentioned below to be in consistency with other sensor types supported by qualys-tc.

This is a breaking change if you are using Command line interface to set them explicitly: 

# Parameters to set sensor container memory limit.
sensorContResources:
    enabled: false
    limits:
      cpu: "500m"
      memory: "500Mi"
      gkeAutoEphemeralStorage: "500Mi"
    requests:
      cpu: "100m"
      memory: "300Mi"
      gkeAutoEphemeralStorage: "100Mi"

scanningContResources:
    enabled: false 
    memoryLimit: "800Mi"
    memoryRequest: "300Mi"
    cpuLimit: "200m"
    cpuRequest: "100m"

 Updated Old flags line no.  (YAML 1.17.0) - 112 to 117

Updated flags line no. (YAML 1.18.0) - 120 to 127

These flags are modified as mentioned below to be in consistency with other sensor types supported by qualys-tc.

This is a breaking change if you are using Command line interface to set them explicitly. 

scanningContResources:
    enabled: false
    limits:
      cpu: "200m"
      memory: "800Mi"
    requests:
      cpu: "100m"
      memory: "300Mi"

Unified Helm Chart (qualys-tc 2.5.0) Updates

The unified helm chart can be used to install QCS Sensor, Admission Controller, Cluster Sensor, and Container Runtime Sensor.
Refer to Qualys Unified Helm Chart (qualys-tc).

Enhancements

With this release, the following flags are introduced or updated in the 'qualys-tc 2.5.0' file.  

Flag/Entity Status Flag Location (qualys-tc > charts > qcs-sensor > values.yaml) Description
javaDBUpdate
IntervalInDays		 New       Line no. 79 Specify the java DB update interval in days. Default value :”15"
assetTrackingFlush
DurationInSeconds 		 New     Line no. 80 Specify the duration in seconds to flush messages. Default value :”60"
assetTrackingFlush
ThresholdCount		 New     Line no. 81 Specify the threshold count of queue to flush messages. Default value: "20"
disableDefault
LoggingToFile    		 New     Line no. 82 Set to true, if you want to disable duplicate logging when enableConsoleLogs is true.

# Parameters to set sensor container memory limit.

sensorContResources:
 enabled: false
 memoryLimit: "500Mi"
 memoryRequest: "300Mi"
 gkeAutoEphemeral
StorageLimit: "500Mi"
  gkeAutoEphemeral
StorageRequest: "100Mi"

Updated Old flags line no.  (qualys-tc 2.4.0) - 105 to 110

Updated flags line no. (qualys-tc 2.5.0) - 110 to 119

These flags are modified as mentioned below to be in consistency with other sensor types supported by qualys-tc.

This is a breaking change if you are using Command line interface to set them explicitly: 

# Parameters to set sensor container memory limit.
sensorContResources:
    enabled: false
    limits:
      cpu: "500m"
      memory: "500Mi"
      gkeAutoEphemeralStorage: "500Mi"
    requests:
      cpu: "100m"
      memory: "300Mi"
      gkeAutoEphemeralStorage: "100Mi"

scanningContResources:
    enabled: false 
    memoryLimit: "800Mi"
    memoryRequest: "300Mi"
    cpuLimit: "200m"
    cpuRequest: "100m"

 Updated Old flags line no. (qualys-tc 2.4.0) - 112 to 117

Updated flags line no. (qualys-tc 2.5.0) - 120 to 127

These flags are modified as mentioned below to be in consistency with other sensor types supported by qualys-tc.

This is a breaking change if you are using Command line interface to set them explicitly. 

scanningContResources:
    enabled: false
    limits:
      cpu: "200m"
      memory: "800Mi"
    requests:
      cpu: "100m"
      memory: "300Mi"

Issues Addressed

The following issues have been fixed with this release.

Category Issue
Unified Helm Chart qualys-tc Helm chart did not account for imagePullSecrets policy, causing the sensor deployment to fail with an ImagePullBackOff error.
Unified Helm Chart CS Sensor failed to connect to qualys cms services when proxy with proxy certificate was used. This happened due to the certificate was mounted to different path. This path is now corrected in helm chart 2.5.0. 
Unified Helm Chart If multiple sensor types were installed with proxy which requires a proxy certificate to be passed, the sensor installation used to fail. This issue has been fixed.

 

 

 

 

 

 

© 2025 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: August, 2025