Release 1.43

May 13, 2026 (Updated on June 01, 2026)

Qualys strongly recommends upgrading your Qualys Container Security Sensor to version 1.43.0 along with latest Helm chart (qualys-tc-2.9.0) or Yaml files to avail the latest features and enhancements.

Support Scanning of Multi-architecture Images using Registry Sensor

Multi-architecture (multi-arch) images are container images that support multiple CPU architectures (For example, x86_64, ARM64, and so on), allowing a single image reference to work across different hardware platforms. You can scan multi-architectural images using Registry Sensor (a part of qcs-sensor). 
This support is enabled by default. You can find the multi-arch images on Qualys Enterprise TruRisk™ Platform > Assets > Images.

Enhancement in CIS Docker Compliance Scan for Images

The CIS Docker Benchmark defines security best practices to help secure Docker containers and their runtime environments against common threats and misconfigurations.

Qualys Container Security Sensor now supports CIS Docker Compliance Benchmark v1.7.0 scans for container images across all runtimes.
Previously, CIS Docker compliance scanning was limited to Docker-based environments only. With CS Sensor 1.43, this capability has been extended to include the following runtimes.

  • Containerd
  • Podman
  • CRI‑O

Support of Container Static Scanning

Earlier, CS Sensor used to support only Dynamic scan for containers. With this release, it offers Static Scan for the containers as well.

This change introduces a breaking impact on container static scanning. 
To ensure compatibility and support for this feature, Qualys highly recommends upgrading cssensor-containerd-ds.yml to version 1.43 or Helm chart (qualys-tc-2.9.0).

Container Static Scanning is supported only on sensors running with the following storage drivers:

  • Docker overlay2
  • Containerd overlayfs
  • Containerd GCFS

Sensors running without any of the above storage drivers are not supported for container static scanning. 

For customers where container scanning is currently disabled, please contact Qualys Support to enable and start using Container Static Scans.

CS Sensor Containerd Yaml Updates

The Qualys Container Security package consists of the 'cssensor-containerd-ds.yml' file, which deploys the sensor in an environment with Containerd runtime.
This section explains the updates in the latest cssensor-containerd-ds.yml file. Refer to QCS Sensor Helm Chart (qcs-sensor).

Enhancements

With this release, the following flags are introduced or updated in the 'cssensor-containerd-ds.yml' file. 

Flag/Entity Status Flag Location in 
cssensor-containerd-ds.yml		 Description
  mountPropagation: HostToContainer New 156 A new Mount propagation to support Static scan on containers on existing volume mount.
- mountPath: /var/lib/containerd
  name: containerd-root-dir
  readOnly: true
- mountPath: /run/containerd
              name: containerd-fs-dir
              readOnly: true
              mountPropagation: HostToContainer		 New 157 to 160 A new volume mount is introduced to support container static scan.
- name: containerd-fs-dir
              hostPath:
                path: /run/containerd		 New 186 to 188 A new volume is introduced for container static scan.

Issue Addressed

The following issue has been fixed with this release.

Category Issue
General Sensor Fixed an issue where the CS Sensor did not reload the Kubernetes API server token after it expired. As a result, Kubernetes API calls failed once the token expired, impacting inventory reporting and asset scanning. With this fix, the sensor now automatically refreshes the token on expiry for all Kubernetes API (kube-apiserver) calls, ensuring uninterrupted operation after token expiration.

 

© 2026 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: June, 2026