Container Security Release Updates
Qualys Container Security discovers, tracks, and continuously protects your container environments. This topic gives an overview of the Container Security and sensor releases.
Container Security Release - 1.34.0
Container Security 1.34.0
Qualys Container Security now supports:
- TruRisk™ score and Qualys Detection Score (QDS) for your Container Security assets
- Tagging for sensor and sensor profiles
- A new registry type called 'Harbor Container Registry'
- A new Sensor Profile called 'Cluster'
This release also introduces a new sensor for capturing runtime activities and a new page for downloading sensors.
Container Security Sensor 1.34.0
Qualys Container Security Sensor 1.34 introduces several key updates. Notably, Harbor Robot Account support allows admins to create project-specific robot accounts for automated tasks. There's also a feature to disable container scanning and a disk space check before scans. CPU limits for sensor scans have been increased for better performance. Additionally, the release adds support for new operating systems, sensor and sensor profile tagging, and customization of POD URLs. Helm Chart 1.13.0 includes flags for CPU limits, disabling scans, and disk space checks.
Cluster Sensor 1.1.0
Qualys Cluster Sensor scans your clusters and reports the vulnerabilities it finds. The following changes are introduced in this release.
- By default, the Qualys Cluster Sensor will operate without persistent storage on the host.
- Qualys Cluster Sensor will run as a non-root user.
QScanner 4.2.0
QScanner now supports scanning images based on new operating systems, including Amazon Linux 2023, Chainguard, and Photon. Performance has been improved by enabling bulk-insertion, which allows QScanner to handle multiple data requests simultaneously, speeding up the process of inserting a large number of packages. The default vulnerability report format has changed from JSON to SARIF; the existing Tabular format remains available. Additionally, QScanner now collects BuildTime and InstallTime for RPM package managers, improving the accuracy of signature evaluations based on these values.
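For pipelines that previously parsed the JSON report, the switch to SARIF as the default changes what a build gate has to read. The following is an added example, not Qualys code or QScanner output: it resolves each result's effective level in a constructed SARIF 2.1.0 document (tool name, rule IDs, and messages are made up) and returns the findings at or above a threshold. It assumes results reference their rules by `ruleId`.

```python
import json

# Constructed SARIF 2.1.0 document for illustration (not real QScanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EXAMPLE-0001", "defaultConfiguration": {"level": "error"}},
            {"id": "EXAMPLE-0002", "defaultConfiguration": {"level": "note"}},
            {"id": "EXAMPLE-0003"},  # no default level declared
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-0001", "message": {"text": "constructed finding A"}},
            {"ruleId": "EXAMPLE-0002", "level": "error", "message": {"text": "constructed finding B"}},
            {"ruleId": "EXAMPLE-0003", "message": {"text": "constructed finding C"}},
            {"ruleId": "EXAMPLE-0002", "message": {"text": "constructed finding D"}},
        ],
    }],
})

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def effective_level(result, rules_by_id):
    """Explicit result level wins; otherwise fall back to the rule's
    defaultConfiguration.level, and finally to SARIF's default, 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def findings_at_or_above(sarif_text, threshold="error"):
    """Return (ruleId, level, message) tuples for results at or above threshold."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0" or "runs" not in doc:
        raise ValueError("not a SARIF 2.1.0 document")
    hits = []
    for run in doc["runs"]:
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules}
        for res in run.get("results") or []:  # 'results' may be null or absent
            level = effective_level(res, rules_by_id)
            if LEVEL_RANK.get(level, 2) >= LEVEL_RANK[threshold]:
                hits.append((res.get("ruleId"), level, res.get("message", {}).get("text", "")))
    return hits

if __name__ == "__main__":
    blocking = findings_at_or_above(SAMPLE_SARIF)
    for rule_id, level, text in blocking:
        print(f"{level}: {rule_id}: {text}")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the build
```

A gate that reads only the `level` key on each result would miss finding A here, because its severity comes from the rule's default configuration.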
CS 1.34.0 UI Release Notes | CS 1.34.0 API Release Notes | CS 1.34.0 Sensor Release Notes | Cluster Sensor 1.1.0 Release Notes | QScanner 4.2.0 Release Notes
Container Security Release - 1.33.0
Container Security 1.33.0
This release focuses on supporting the 'Overlay' storage driver on the 'containerd' runtime. Going forward, you need to create the 'qualys' namespace manually before launching the CS Sensor.
Container Security Sensor 1.33.0
This release adds support for the 'Overlay' storage driver in the 'containerd' runtime used by Qualys Container Security (CS) sensors. The Overlay driver enables faster image handling by avoiding time-consuming image saving, which is particularly beneficial for large images. The driver is supported by General, CI/CD, and Registry sensors but is only compatible with the 'containerd' runtime.
QScanner 4.1.0
The latest QScanner release introduces several enhancements. It now supports a new `containerd-overlay` storage driver for Containerd runtime, alongside the existing overlay2 driver for Docker. QScanner also supports SPDX and CycloneDX SBOM formats for inventory output. Additionally, vulnerability reports are now available in SARIF format, which will become the default in future releases.
QScanner can scan container images without a runtime, pulling directly from remote registries. New authentication flags for private registry access are added. It also supports scanning OCI Layout .tar archives and Conda Package Manager-installed packages. New cache cleanup flags allow the removal of old cache entries, and the `--report-format` flag lets users specify SARIF or Tabular formats. Performance improvements have sped up scan times.
CS 1.33.0 UI Release Notes | CS 1.33.0 API Release Notes | CS 1.33.0 Sensor Release Notes | QScanner 4.1.0 Release Notes
Container Security Release - 1.32.0
Container Security 1.32.0
The CS 1.32.0 release offers the following enhancements.
- GHCR is now supported for all GitHub accounts, replacing its former placement under 'Docker V2- Private'.
- A new tab lists CI/CD events and categorizes policy evaluations as AUDIT, ALLOW, or DENY, with detailed event and policy info available.
- The CS_IMAGE_MALWARE report template shows malware details in image layers, complementing existing vulnerability and secrets reports.
- Dynamic lists automatically update with new vulnerabilities based on set criteria, unlike static lists. Modify filters only after mapping QIDs.
- The Regex field now supports backslashes (\) for escaped special characters in secret detectors.
Container Security Sensor 1.32.0
CS Sensor 1.32.0 offers the following changes.
- GHCR is now supported as a new registry type for all GitHub accounts (Personal, Enterprise, Organization), replacing its previous classification under 'Docker V2- Private'.
- The Regex field in secret detectors now supports the backslash (\) for escaped special characters, allowing for more flexible pattern matching (e.g., "\.", "\*", "\\").
QScanner 4.0.0
The QScanner update introduces several new features and changes. It now supports a 'local' cache type for faster scans, with customizable cache paths using `--cache-dir`. The `--use-cache` flag is replaced by `--cache <cache-type>`. Scanning Java files is quicker as QScanner downloads the Java index database locally, reducing Maven repository access.
A new `--offline-scan` flag allows scans without network access, though results for Java images may be inaccurate. The `--limit-resource-usage` flag reduces CPU and memory consumption. The proxy flag has been simplified to `--proxy <proxy_url>`.
QScanner now generates a tabular vulnerability report in the console with the `--mode get-report` command. The `--pod` flag simplifies using Qualys-specific gateways, while `--gateway-url` is for non-Qualys PODs. It also supports the overlay2 filesystem for Docker runtime to speed up large image scans.
Finally, the `--report-file` and `--customer-id` flags are deprecated, with reports now shown in the console and the Access Token replacing the customer ID. These updates aim to improve performance and ease of use.
CS 1.32.0 UI Release Notes | CS 1.32.0 Sensor Release Notes | CS 1.32.0 API Release Notes | QScanner 4.0.0 Release Notes
Container Security Release - 1.31.0
Container Security 1.31.0
The CS 1.31.0 release offers the following changes.
- You can now create, edit, and delete custom (non-system) secret detectors.
- Admins can restrict sub-users' access to certain assets using a set of tags. Sub-users can now see only the assets that are in their scope.
- Earlier, the Hosts page was the default landing page for the ASSETS tab. Now, Images is the default option. You can also choose the default landing page for your ASSETS tab.
- Earlier, if all scan jobs created under a registry were deleted, the status shown was '-'. Now, for registries without any scan jobs, the status shown is 'unknown'.
- The Match column has been removed from the Detected Secrets window to add extra security for the existing secrets. Now, only the Line Number column is displayed.
- For all users, the Software Composition Analysis (SCA) scan type is enabled by default.
Container Security Sensor 1.31.0
Starting with this release, you can create, edit, and delete custom (non-system) secret detectors. Qualys has introduced a new sensor argument, '--limit-resource-usage', which reduces the sensor's memory consumption and leads to better scan performance. Kubernetes uses PriorityClass to prioritize Pods in the case of resource contention. With this release, Qualys has added support for PriorityClass. It is named 'qualys-priority-class' in the Sensor deployment YAML file.
CS 1.31.0 UI Release Notes | CS 1.31.0 Sensor Release Notes | CS 1.31.0 API Release Notes