Release 1.41.1

January 08, 2026

Enhanced 'Image Pull Secrets' using Unified Helm Chart

Currently, Qualys Container Security Sensor supports the global.imagePullSecret flag in the Qualys Unified Helm Chart to pull an image from a private repository.

With this release, we have introduced a new flag, global.imagePullSecrets, in the Qualys Unified Helm Chart, which lets you pull images from multiple private registries. The new flag provides greater flexibility and robustness for managing container image authentication in Kubernetes environments.

For example, you can edit the Unified Helm chart (qualys-tc > charts > values.yaml) using the snippet below to provide your repository details to Qualys Container Sensors.

  # imagePullSecrets:
  #   # To create a new secret managed by Helm:
  #   - name: my-new-secret
  #     create: true
  #     registry_url: "your.private.registry.com"
  #     username: "your-username"
  #     password: "your-password-or-token"
  #     dockerconfigjson: "" # Optional: base64 encoded dockerconfigjson, takes precedence
  #   # To use a secret that already exists in the cluster:
  #   - name: my-existing-secret
  #     create: false

The global.imagePullSecret flag is scheduled to be deprecated in a future CS Sensor release.
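
The dockerconfigjson field in the snippet above expects a base64-encoded Docker config. The following is an added example, not Qualys code: it builds such a value for several registries and lists which registries an encoded value covers, which helps when checking a rotated secret. The function names and the second registry are hypothetical, and it assumes the chart passes the value through unchanged as the Secret's .dockerconfigjson data.

```python
import base64
import json


def build_dockerconfigjson(credentials):
    """Return the base64-encoded .dockerconfigjson for one or more registries.

    credentials: iterable of (registry_url, username, password) tuples.
    """
    auths = {}
    for registry, username, password in credentials:
        if not (registry and username and password):
            raise ValueError(f"incomplete credentials for {registry!r}")
        if ":" in username:
            # The "auth" token is split on the first colon by registry clients.
            raise ValueError(f"username for {registry} must not contain ':'")
        if registry in auths:
            raise ValueError(f"duplicate registry entry: {registry}")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        auths[registry] = {"username": username, "password": password, "auth": token}
    if not auths:
        raise ValueError("at least one registry is required")
    document = json.dumps({"auths": auths}, separators=(",", ":"))
    return base64.b64encode(document.encode()).decode()


def registries_in(encoded):
    """List the registries an encoded value covers, without exposing credentials."""
    document = json.loads(base64.b64decode(encoded, validate=True))
    return sorted(document["auths"])


# Constructed sample values (hypothetical); real credentials should come from
# a secret store or the environment, not from a file kept in source control.
SAMPLE = [
    ("your.private.registry.com", "your-username", "your-password-or-token"),
    ("registry.example.internal", "scanner", "constructed-token"),
]

if __name__ == "__main__":
    value = build_dockerconfigjson(SAMPLE)
    print("registries covered:", registries_in(value))
```

Base64 is an encoding, not encryption, so the resulting value needs the same handling as the plaintext password.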

Key Benefits

  • Multiple Registries Support: You can now configure multiple secrets at the same time for the various Qualys sensors, such as QCS, Admission Controller, Cluster, and Container Runtime Sensors. This is essential if your deployment pulls images from different private registries. For example, one sensor image may be in AWS ECR while another is in a private DockerHub repository.
  • Seamless Secret Rotation: Support for a list of secrets allows for zero-downtime credential rotation. You can add a new secret to the list, deploy, and then remove the old secret in a subsequent update.
  • Kubernetes Native: The new structure aligns with the standard Kubernetes pod specification for imagePullSecrets, making it intuitive for Kubernetes administrators.
  • Flexible Secret Management: You can choose to have the Helm chart create the secrets for you (using provided credentials) or reference existing secrets already present in your cluster.

Helm Chart 1.20.0 Updates

The Qualys Container Security package consists of the 'values.yaml' file, which deploys the sensor in various environments.
This section explains the updates in the latest Helm chart (values.yaml) file. Refer to QCS Sensor Helm Chart (qcs-sensor).

Enhancements

With this release, the following flags are introduced or updated in the 'values.yaml' file. 

Flag/Entity: gcfsStorageDriverPath
Status: New
Flag Location in YAML 1.20.0 (qcs-sensor 1.20.0 > values.yaml): Line No. 10
Description: To specify GCFS storage driver path under Containerd runtime.
Value: "/run/gcfsd/mnt/layers"
Usage:
containerd:
      .
      .
      .
      gcfsStorageDriverPath: "/run/gcfsd/mnt/layers"

Flag/Entity: storageDriverType
Status: Updated
Flag Location in YAML 1.20.0 (qcs-sensor 1.20.0 > values.yaml): Line 72
Description: To specify the type of the storage driver. With this release, we have introduced a new value - gcfs - for the usage of gcfs storage driver.
Valid values: overlay (default), gcfs (new)
Usage:
args:
      storageDriverType: "gcfs"

Unified Helm Chart (qualys-tc 2.7.0) Updates

The unified helm chart can be used to install QCS Sensor, Admission Controller, Cluster Sensor, and Container Runtime Sensor.
Refer to Qualys Unified Helm Chart (qualys-tc).

Enhancements to Global values.yaml

With this release, the following flag is introduced in the 'qualys-tc 2.7.0' file.  

Flag/Entity: imagePullSecrets
Status: New
Flag Location (qualys-tc > values.yaml): Line No. 6 to 21
Description: To specify image pull secrets for pulling images from various private repositories.
Usage: --set global.imagePullSecrets

Enhancements to QCS Sensor values.yaml in qualys-tc

With this release, the following flags are introduced or updated in the 'qualys-tc 2.7.0' file.

Flag/Entity: gcfsStorageDriverPath
Status: New
Flag Location (qualys-tc > charts > qcs-sensor > values.yaml): Line No. 10
Description: To specify GCFS storage driver path under Containerd runtime.
Value: "/run/gcfsd/mnt/layers"
Usage:
containerd:
      .
      .
      .
      gcfsStorageDriverPath: "/run/gcfsd/mnt/layers"

Flag/Entity: storageDriverType
Status: Updated
Flag Location (qualys-tc > charts > qcs-sensor > values.yaml): Line 72
Description: To specify the type of the storage driver. With this release, we have introduced a new value - gcfs - for the usage of gcfs storage driver.
Valid values: overlay (default), gcfs (new)
Usage:
args:
      storageDriverType: "gcfs"

Issue Addressed

The following issue has been fixed with this release.

Category: Registry Sensor
Issue: The Qualys Registry sensor (a part of QCS Sensor) failed to run a Malware scan on images with duplicate layers when the target image shared the same cached layers as the previously scanned image. As a result, the scan results were not visible on Qualys Enterprise TruRisk™ Platform.