Compliance Scanning in Container Security

Qualys supports compliance scanning/assessments of running containers and images. Perform Policy Compliance (PC) checks and configuration assessments on your running containers and container images. We support a subset of controls from CIS Docker benchmarks, which are applicable to running containers and container images. Customers can assess configuration risks in their running containers and images and remediate them accordingly based on the Qualys findings.

Prerequisites

Upgrade your sensors to the latest Container Security Sensor version. See the latest Sensor details here - Qualys Release Notes.

How it works

The updated Qualys Container Sensor runs an additional scan of configurations in containers, images and uploads additional scan metadata to the Qualys backend. Based on the scan metadata, the backend performs an assessment against various industry standard benchmarks and controls for compliance assessment.

The compliance scans of containers, images will be transparent to customers and will function in a similar real-time cloud native manner like the vulnerability scanning feature. The configuration scan results will be available in the UI and the API. In the UI, view Image and Container details to get compliance posture (PASS or FAIL) and control information.  

View compliance information

You'll see compliance information in the UI for your images and containers. In the Images and Containers lists, you'll see a column called Compliance with the number of controls that have a posture of PASS and FAIL.  

Here's a sample list of containers:

Containers list with Compliance

Easily search images and containers by control ID, control criticality (MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT) and control posture (PASS, FAIL).

searching controls

Drill down into the details for any image or container to see compliance information, including the list of controls that were scanned with control details (CID, criticality, statement, category, technologies).

Compliance in Control Details

Drill down into the details for any control to get control details, including the control category, policy and technologies.

control details

Compliance APIs

Compliance information can also be fetched using Compliance APIs. Use APIs to:

  • fetch compliance posture for an image
  • fetch compliance posture for a container
  • fetch control details
  • fetch a list of controls

See the Compliance section of the Container Security API Guide for more information.