Container Security Interoperability Matrix
Last updated on: October 09, 2025
This article lists the Qualys Container Security Sensor versions and interoperability with third-party solutions. Qualys Container Security will review this interoperability matrix quarterly and update its compatibility accordingly.
Container Security Interoperability Matrix
With each new sensor release, we test and certify the latest sensor version with the third-party solutions.
As a general guideline, we recommend you to use the latest sensor version. This will ensure that you always have the latest features that work with the third-party solutions. Qualys Container Security does not support any third-party solutions with EOL (End of Life) status.
The information provided in this article is believed to be accurate at the time of publication; however, updates and revisions may occur periodically and without prior notice.
Private Registries
If you do not see your container registry or registry version listed below, please contact Qualys Support.
Qualys no longer supports container registries that have reached their End of Life stage as specified by the respective vendors.
| Container Registry (Private) | Registry Version | Minimum Supported CS Sensor Version |
|---|---|---|
| Harbor | 2.13.2 | 1.23.0 or later |
| JFrog Artifactory | 7.46.13 | 1.23.0 or later |
| Docker Private Registry | Docker Registry V2 API* | 1.23.0 or later |
| RedHat Quay | 3.11.13 | 1.23.0 or later |
| Mirantis Secure Registry (MSR) | 2.9.14 | 1.23.0 or later |
| OpenShift Container Registry (OCR) | 4.12 | 1.23.0 or later |
| 4.13, 4.14 | 1.30.0 or later | |
| Sonatype Nexus Repository | 3.59.0 | 1.23.0 or later |
| GitHub Container Registry (GHCR) | API version 2022-11-28 | 1.32.0 or later |
*These items are tested and certified by using Docker Container Registry API V2.
Public Registries
If you do not see your container registry or registry version listed below, reach out to Qualys Support.
Qualys no longer provides support for container registries that have reached their end of life as determined by the respective vendors.
| Container Registry (Public) | Minimum Supported CS Sensor Version |
|---|---|
| AWS ECR | 1.23.0 or later |
| Azure Container Registry | 1.23.0 or later |
| DockerHub | 1.23.0 or later |
| Google Artifact Registry | 1.23.0 or later |
| Oracle Cloud Infrastructure Registry (OCIR) | 1.37.0 or later |
Upstream OSS Kubernetes Version
Container Security sensors have different modes, including General, Registry and CICD, which are tested with different Container Runtimes, including ContainerD, CRI-O and Docker. Without explicitly testing every sensor mode with every possible runtime engine, Container Security sensors are tested with the most used container runtime, typically ContainerD or CRI-O.
Any that has reached its end-of-life as defined by upstream Kubernetes will no longer be supported by Qualys.
Qualys no longer supports a Kubernetes version that has reached its end of life as defined by upstream Kubernetes.
| Upstream OSS Kubernetes Version | Container Runtime Tested | Minimum Supported CS Version |
|---|---|---|
| Kubernetes 1.31.x | containerd | 1.33.0 or later |
| Kubernetes 1.32.x | containerd | 1.33.0 or later |
| Kubernetes 1.33.x | containerd | 1.33.0 or later |
Kubernetes Cluster Environments
| Kubernetes | Minimum Supported CS Version |
|---|---|
| Azure Kubernetes Service (AKS 1.31 or later) | 1.33.0 or later |
| Google Kubernetes Engine - Standard mode (GKE 1.32 or later) |
1.33.0 or later |
| Google Kubernetes Engine - Autopilot mode (GKE 1.33.4 or later) |
1.37.0 to 1.39.0 |
| Oracle Kubernetes Engine (OKE) | 1.30.0 or later |
| AWS EKS (EKS 1.32 or later) | 1.33.0 or later |
| RedHat OpenShift 4.17 | 1.37.0 or later |
| Tanzu Kubernetes Grid 2.5.3 | 1.40.0 or later |
| Rancher Kubernetes Engine (RKE2) 1.28 or later | 1.31.0 or later |
Docker Environments
| Name | OS Architecture | Docker Engine Version | Minimum Supported CS Version |
|---|---|---|---|
| Docker Engine | Linux x86-64 | 27.5.x 28.4.x |
1.32.1 or later |
| Docker Engine | Linux ARM64 | 27.5.x 28.4.x |
1.32.1 or later |
Podman Support for Qualys Sensor
| Name | OS Architecture | Podman Engine Version | Minimum Supported CS Version |
|---|---|---|---|
| Podman Engine | Linux x86-64 | 5.6.1 and above | 1.38.0 or later |
CRS Interoperability Matrix
This section outlines the supported operating systems and managed Kubernetes environments for the Qualys Container Runtime Sensor (CRS). The CRS relies on eBPF (extended Berkeley Packet Filter) technology, which requires a minimum Linux kernel version of 4.19 or higher for proper operation.
To ensure full CRS functionality, deploy CRS on environments meeting kernel version ≥ 4.19. CRS has been verified on the listed distributions and managed environments. For other platforms, ensure kernel compliance and contact Qualys support.
To know more about Qualys CRS, refer to CRS Online Help. For kernel compatibility details with eBPF, refer to the Tetragon FAQ.
Supported OS
CRS supports the following Operating Systems.
| OS Distribution | OS Version | Kernel Version | Architecture | OS EOL |
|---|---|---|---|---|
| CentOS | CentOS Stream 9 or a later version | 5.14.0 | x86_64 | Until RHEL 9 EOL (~2032) |
| RHEL | 9.2 or later version | 5.14.0 | x86_64 | Refer to Red Hat documentation |
| Ubuntu | 22.04 LTS (Jammy Jellyfish) | 5.19.0 | x86_64 | April 2032 |
| Ubuntu | 18.04.5 LTS (Bionic Beaver) or later version | 5.4.0 | x86_64 | April 2026 |
Supported Kubernetes Cluster Environments
CRS supports the following K8s Cluster Environments.
| Cluster Environment | Version |
|---|---|
| Azure Kubernetes Service (AKS) | - |
| Google Kubernetes Engine | GKE 1.26 or later version |
| Oracle Kubernetes Engine (OKE) | - |
| AWS | EKS 1.26 or later |
| Red Hat OpenShift | 4.13 - 4.15 |
| Rancher Kubernetes Engine (RKE2) | 1.28 |