Release 1.40.0
September 22, 2025
- Qualys strongly recommends upgrading your Qualys Container Security Sensor to version 1.40.0 to get the latest features and enhancements.
Support Sensor Scanning using 'Overlay' Storage Driver on a host having 'Cri-o' Runtime
With this release, Qualys Container Security Sensor adds 'Overlay' scanning support for CS Sensor on hosts running the 'Cri-o' runtime. General and Registry sensors support the 'Overlay' storage driver.
CS Sensor now supports 'Overlay' storage driver with 'containerd' and 'cri-o' runtimes.
To enable 'Overlay' scanning, a new value 'overlay' is introduced in the 'StorageDriverType' flag. See the exact argument for this flag in the table below.

| Entity | Arguments |
|---|---|
| Cri-o Runtime | --storage-driver-type=overlay |
Change in Data Collection for 'Chainguard' and 'Wolfi'
With this release, Qualys Container Security has enhanced the package collection logic for Chainguard and Wolfi images. Earlier, only main packages were considered for scanning; now, sub-packages of these images are also considered. With this enhancement, vulnerabilities present in the sub-packages are also detected, and false-negative cases in a sensor scan are reduced.
Qualys strongly recommends upgrading your Qualys Container Security Sensor to version 1.40.0 to use this feature.
Improvement in Masked Environmental Variable Reporting
Environment variables are masked using the --mask-env-variable flag. Such masked variables are reported under Assets > Images > Layers and Assets > Containers. With this release, Qualys Container Security Sensor reports a masked environment variable in the masked format MASKED_KEY=XXXXX. This has improved security.
Currently, this feature is supported only in General and CI/CD Sensors.
Helm Chart 1.19.0 Updates
The Qualys Container Security package consists of the 'values.yaml' file, which deploys the sensor in various environments.
This section explains the updates in the latest Helm chart (values.yaml) file. Refer to QCS Sensor Helm Chart (qcs-sensor).
Enhancements
With this release, the following flags are introduced or updated in the 'values.yaml' file.
| Flag/Entity | Status | Flag Location in YAML 1.19.0 | Description |
|---|---|---|---|
| crio storageDriverType | Updated | 16 | Used to specify the Storage Driver type. A new storage driver value for Cri-O runtime is introduced - overlay |
Unified Helm Chart (qualys-tc 2.6.0) Updates
The unified helm chart can be used to install QCS Sensor, Admission Controller, Cluster Sensor, and Container Runtime Sensor.
Refer to Qualys Unified Helm Chart (qualys-tc).
Enhancements
With this release, the following flags are introduced or updated in the 'qualys-tc 2.6.0' file.
| Flag/Entity | Status | Flag Location (qualys-tc > charts > qcs-sensor > values.yaml) | Description |
|---|---|---|---|
| qcsSensor crio storageDriverType | Updated | 16 | Used to specify the Storage Driver type. A new storage driver value for Cri-O runtime is introduced - overlay |
Issues Addressed
The following issues have been fixed with this release.
| Category | Issue |
|---|---|
| Registry Sensor | Registry Sensor failed to iterate the next URL for the Catalog list API in Harbor. This Harbor API was only iterating over the first 100 responses of Repositories and Tags. This issue is resolved: Registry Sensor now iterates over more than 100 responses in batches, where each batch consists of 100 responses. |
| AWS Fargate | If an image had an unknown or unspecified architecture, the QCS Lambda function reported the imageSha as empty to the Qualys Container Security backend. As a result, event processing in the backend failed, and QCS Sensor was unable to get image details in Qualys Enterprise TruRisk™ Platform. Going forward, QCS Sensor will ignore such unknown architectures. |
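
The Registry Sensor fix above concerns following the catalog's next-page URL. The following is an added example, not Qualys code, showing why a client that stops after the first response inventories only 100 repositories. It assumes the catalog paginates with `n`/`last` query parameters and a `Link: <...>; rel="next"` header as in the Docker Registry HTTP API v2; `fake_catalog`, `list_repositories` and the repository names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PAGE_SIZE = 100  # batch size named in the release note

# Constructed sample data: a fake registry holding 250 repositories.
SAMPLE_REPOS = [f"project/app-{i:03d}" for i in range(250)]
NEXT_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?next"?')

def fake_catalog(path):
    """Offline stand-in for GET <registry><path>; returns (headers, json_body)."""
    q = parse_qs(urlsplit(path).query)
    n = int(q.get("n", [PAGE_SIZE])[0])
    last = q.get("last", [None])[0]
    start = SAMPLE_REPOS.index(last) + 1 if last else 0
    page = SAMPLE_REPOS[start:start + n]
    headers = {}
    if start + n < len(SAMPLE_REPOS):  # more results remain: advertise the next page
        headers["Link"] = f'</v2/_catalog?last={page[-1]}&n={n}>; rel="next"'
    return headers, {"repositories": page}

def next_url(headers):
    """Return the rel="next" target of a Link header, or None on the last page."""
    m = NEXT_RE.search(headers.get("Link", ""))
    return m.group(1) if m else None

def list_repositories(fetch, follow_next=True, max_pages=10_000):
    """Collect repository names, one batch of PAGE_SIZE per request."""
    repos, seen, path = [], set(), f"/v2/_catalog?n={PAGE_SIZE}"
    for _ in range(max_pages):
        if path in seen:  # guard against a registry that repeats its cursor
            raise RuntimeError(f"pagination loop at {path}")
        seen.add(path)
        headers, body = fetch(path)
        repos.extend(body.get("repositories", []))
        path = next_url(headers) if follow_next else None
        if path is None:
            return repos
    raise RuntimeError("max_pages exceeded")

if __name__ == "__main__":
    # Without following the link, 150 of 250 repositories are never scanned.
    print(len(list_repositories(fake_catalog, follow_next=False)))
    print(len(list_repositories(fake_catalog)))
```

Comparing the count returned with and without `follow_next` against the registry's own repository count is a quick check that an inventory or scanning tool is not silently truncating at the first page.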