Container Security Release Updates

Qualys Container Security provides discovery, tracking, and continuous protection of your container environments. This topic gives you an overview of Container Security and its sensor releases.

 

Container Security Release - 1.38.0

Container Security 1.38.0

Qualys Container Security now supports the following:

  • Kubernetes Posture Management:
    Qualys Container Security now includes Kubernetes (K8s) Posture Management for securing Kubernetes environments. The feature uses the Cluster Sensor to evaluate policies based on CIS Benchmarks for various cloud providers. Over 200 controls evaluate your K8s posture, with results available on the Qualys Enterprise TruRisk™ Platform or through the K8s Posture APIs. The feature is enabled by default and can be disabled during Cluster Sensor installation through the Helm chart.
  • Blocking Older Images:
    Qualys introduces a rule that blocks container images older than a specified duration (1 to 12 months, or a custom number of days), so only recently built images are admitted. The rule applies to Kubernetes Admission Controller policies.
  • First Detected Information in Reports:
    A "First Detected" column is now included in the Container Vulnerability report, showing when a vulnerability was first identified in a container. This helps track vulnerability history and provides insights on how long vulnerabilities have been present.
  • Sensor Download Page Enhancement:
    The Sensor Download page has been simplified to allow users to choose the appropriate sensor based on their container environment. Additionally, it now supports new cloud providers for runtime sensor installation, including Amazon EKS, Google GKE, and others.

These updates enhance Kubernetes security posture, vulnerability tracking, and image management for containerized environments.
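The image-age rule above denies images that are older than a chosen threshold. The following POSIX shell script is an added example, not Qualys code and not how the Admission Controller is implemented: it lets you estimate which of your local images such a rule would deny before you turn it on. It assumes the age is measured from the image's Created timestamp (as reported by docker image inspect); the threshold and the sample timestamps at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Qualys code: estimate which images a "block images older
# than N days" admission rule would deny. Age is taken from each image's
# Created timestamp (an assumption about how the rule measures age) and
# computed in whole days without GNU date, so the script runs on any POSIX sh.

# days_from_civil Y M D : days since 1970-01-01 for a Gregorian date (M, D without leading zeros)
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi   # shift so the year starts in March
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))                   # year of era, 0..399
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))      # day of year, March-based
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))    # 719468 = days from 0000-03-01 to 1970-01-01
}

# date_to_days TIMESTAMP : epoch days for the YYYY-MM-DD part of an RFC 3339 timestamp
date_to_days() {
    ymd=${1%%T*}
    y=${ymd%%-*}; rest=${ymd#*-}
    m=${rest%%-*}; d=${rest#*-}
    days_from_civil "$y" "${m#0}" "${d#0}"   # strip leading zero so 08/09 are not read as octal
}

# image_age_days CREATED NOW : whole days between two RFC 3339 timestamps
image_age_days() {
    echo $(( $(date_to_days "$2") - $(date_to_days "$1") ))
}

# would_block CREATED NOW MAX_DAYS : succeeds if the image is older than MAX_DAYS
would_block() {
    [ "$(image_age_days "$1" "$2")" -gt "$3" ]
}

# scan_local_images MAX_DAYS : apply the rule to every local Docker image (needs docker)
scan_local_images() {
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    docker images --format '{{.Repository}}:{{.Tag}} {{.ID}}' | while read -r ref id; do
        created=$(docker image inspect --format '{{.Created}}' "$id")
        if would_block "$created" "$now" "$1"; then
            echo "BLOCK  $ref  ($(image_age_days "$created" "$now") days old)"
        else
            echo "allow  $ref"
        fi
    done
}

# Constructed sample: an image built on 2024-01-15 evaluated on 2024-03-01 with a 30-day limit.
SAMPLE_CREATED="2024-01-15T10:23:45.123456789Z"
SAMPLE_NOW="2024-03-01T00:00:00Z"
if would_block "$SAMPLE_CREATED" "$SAMPLE_NOW" 30; then
    echo "sample image is $(image_age_days "$SAMPLE_CREATED" "$SAMPLE_NOW") days old: blocked by a 30-day rule"
fi
# Live usage:  scan_local_images 90
```

Run scan_local_images with the same number of days you intend to configure in the policy; any line starting with BLOCK is an image you would need to rebuild or exempt before the rule goes live.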

Container Security Sensor 1.38.0

Qualys Container Security Sensor now supports the following:

  • Podman Runtime Compatibility:
    The Qualys CS General Sensor can now be installed on hosts running the Podman runtime; previously only the CS Registry Sensor supported Podman. On Podman, the General Sensor scans static images and performs Software Composition Analysis (SCA). It does not scan running containers, but it inventories them and sends that data to the Qualys TruRisk™ Platform.
  • CS Sensor Debug Data Collector:
    Qualys now automates the collection of sensor data (such as debug logs) for troubleshooting, reducing delays and the errors of manual collection. Qualys requests your confirmation by email before this feature is used.
  • Podman Runtime Authentication Enhancements:
    The '--insecure-registry' parameter bypasses TLS certificate verification for private or local registries. Because this also removes protection against a spoofed registry, use it only for registries you cannot give a trusted certificate. The new 'REGISTRY_CERT_DIR' parameter points the sensor at a directory of custom CA certificates, so a registry signed by a private CA can be reached with verification intact.
  • Sensor Log File Storage:
    Qualys CS Sensor now saves log files inside the sensor container, instead of only in the console output. This ensures easier access to logs for further investigation. The --enable-console-logs flag remains in use for capturing container logs.
  • Updates to Sensor Deployment YAML Files:
    The Sensor Deployment YAML files have been updated to improve the accuracy of identifying the Sensor Host IP address, especially when the host has multiple IPs. Users are advised to update their environment with the latest YAML files, which now include a more accurate method for fetching the host IP.

These updates enhance the flexibility and reliability of Qualys CS Sensor in various environments, particularly with Podman and container log management.

CS 1.38.0 UI Release Notes | CS 1.38.0 API Release Notes | CS 1.38.0 Sensor Release Notes

Container Security Release - 1.37.0

Container Security 1.37.0

Qualys Container Security now supports the following:

  • Red Hat Vulnerability Scanner: Qualys Container Security is now certified as a Red Hat Vulnerability Scanner. Red Hat Security Advisory (RHSA) information can be viewed in Image and Container reports through new template options.
  • Host Architecture Information: Container reports can now display host architecture details (e.g., x86_64, ARM) to help manage security and patching.
  • Vulnerability Exception Management: Users can enable/disable vulnerability exceptions and view exempted vulnerabilities in reports and vulnerability lists.
  • Layer-Level Vulnerability Detection: Container images now show vulnerabilities per layer, with options to filter by Base or Application layers and view only vulnerable layers.

Container Security Sensor 1.37.0

Qualys Container Security Sensor now supports the following:

  • Overlay2 Scanning Support: Qualys Container Security Sensor now supports scanning with the 'Overlay2' storage driver on Docker Runtime hosts. A new 'StorageDriverType' flag is introduced to enable this feature.
  • Oracle Container Registry Scanning: Sensor now supports scanning container images from the Oracle Container Infrastructure Registry (OCIR), requiring specific OCI user permissions.
  • Podman Runtime Authentication Enhancements: The '--insecure-registry' parameter allows bypassing TLS verification for private or local registries. A new 'REGISTRY_CERT_DIR' parameter enables custom certificate directories for secure connections.
  • Kubernetes Cluster Metadata Enhancement: A new '--populate-k8smetadata' argument speeds up Kubernetes cluster metadata population in Qualys TruRisk™ when vulnerabilities are detected.
  • Scan Images in Exclusion List: The '--ignore-exclusion-list-for-images' argument enables scanning images in the 'Image Exclusion List', which is configurable in the Sensor profile.
  • CRI-O Runtime Sensor Deployment Updates: The YAML files for CRI-O runtimes now include specific configuration for image tar operations; redeploy the sensor with the updated files.

QScanner 4.4.0

QScanner 4.4.0 introduces the following changes.

  • Harbor Scanner Adapter: QScanner can run as a scanner adapter for Harbor to scan the container images stored there.
  • DockerHub image: QScanner is available as an image on DockerHub for easier installation and version switching.
  • New storage drivers for the CRI-O and Podman runtimes speed up scans by eliminating redundant image saves.
  • Software Composition Analysis has been improved for Golang, .NET, PHP, Python, and Java.
  • The Java index database (JavaDB) can be downloaded from GHCR, AWS, or Docker, reducing download failures.
  • A retry mechanism for Changelist.db and SBOM uploads handles temporary errors and minimizes workflow disruptions.
  • Multi-architecture images can be scanned with the new '--platform' flag.
  • The default 'config.json' file path has been updated for consistency.

CS 1.37.0 UI Release Notes | CS 1.37.0 API Release Notes | CS 1.37.0 Sensor Release Notes | QScanner 4.4.0 Release Notes

 

Container Security Release - 1.36.0

Container Security 1.36.0

Qualys Container Security now supports the following:

  • CI/CD Centralized Policy Management - Image denial policies now go beyond vulnerability severity counts. New rule sub-types mark images as 'Fail' (formerly 'Deny') or 'Pass' (formerly 'Allow').
  • Admission Controller Centralized Policy Management - A Pod Security rule (one per policy) is introduced with configurable Baseline and Restrictive options. You can exclude images, namespaces, and non-patchable vulnerabilities from the Admission Controller evaluation.

Container Security Sensor 1.36.0

Qualys Container Security now supports installing the CS Registry Sensor on hosts that use the Podman runtime (version 4.9.4 and above). The sensor requires podman.socket to be enabled and running, and it must run with root privileges. You can install it with the sensor installation script (installsensor.sh) and additional parameters, or with podman run; instructions are available in the Qualys platform.
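Before running installsensor.sh or podman run on a Podman host, it is worth confirming the three prerequisites above in one pass. The following POSIX shell script is an added example and is not part of the Qualys installer; it assumes a systemd host where the rootful Podman API socket lives at /run/podman/podman.sock, and the script name podman-preflight.sh in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Qualys installer: preflight checks for the
# CS Registry Sensor prerequisites on a Podman host (Podman >= 4.9.4,
# podman.socket enabled and active, running as root).
REQUIRED_PODMAN="4.9.4"
PODMAN_SOCK="/run/podman/podman.sock"   # rootful Podman API socket on systemd hosts (assumption)

# version_ge A B : succeeds if dotted version A >= B, comparing numerically per component
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}               # missing components count as 0 (4.9 == 4.9.0)
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# parse_podman_version "podman version 4.9.4-rhel" : prints 4.9.4 (drops any suffix)
parse_podman_version() {
    printf '%s\n' "$1" | awk '{print $NF}' | sed 's/[^0-9.].*$//'
}

# preflight : prints one line per check and returns 1 if any check failed
preflight() {
    failed=0
    if [ "$(id -u)" -eq 0 ]; then echo "OK   running as root"
    else echo "FAIL not root (the sensor must run with root privileges)"; failed=1; fi

    if command -v podman >/dev/null 2>&1; then
        ver=$(parse_podman_version "$(podman --version)")
        if version_ge "$ver" "$REQUIRED_PODMAN"; then echo "OK   podman $ver"
        else echo "FAIL podman $ver is older than $REQUIRED_PODMAN"; failed=1; fi
    else
        echo "FAIL podman not found in PATH"; failed=1
    fi

    if systemctl is-enabled --quiet podman.socket 2>/dev/null; then echo "OK   podman.socket enabled"
    else echo "FAIL podman.socket not enabled (systemctl enable --now podman.socket)"; failed=1; fi

    if systemctl is-active --quiet podman.socket 2>/dev/null; then echo "OK   podman.socket active"
    else echo "FAIL podman.socket not active"; failed=1; fi

    if [ -S "$PODMAN_SOCK" ]; then echo "OK   $PODMAN_SOCK present"
    else echo "FAIL $PODMAN_SOCK missing"; failed=1; fi

    return $failed
}

# Run the checks only when invoked as:  sudo sh podman-preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

A non-zero exit from preflight means at least one line starts with FAIL; fix those before installing, since a sensor started without the socket or without root will come up but cannot reach the Podman API.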

Additionally, container scanning with the containerd runtime now defaults to the 'overlay' storage driver. Previously this required manual configuration; the necessary arguments are now included by default in the YAML file, and the /var/lib/containerd entries under volumeMounts and volumes are uncommented. If your containerd root directory is not /var/lib/containerd, update the path in both places before deploying.
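The default path in the YAML only matches nodes whose containerd root really is /var/lib/containerd. The following POSIX shell script is an added example, not part of the Qualys YAML or scripts: it reads the root from the output of 'containerd config dump' and lists the lines of a deployment file that still reference the default, so you know exactly what to change. The file name cssensor.yaml in the usage comment is a placeholder, and the sample config text is constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the Qualys YAML or scripts: find the containerd
# root directory on this node and list the lines in a sensor deployment YAML
# that still reference the default /var/lib/containerd, so they can be updated
# when the root differs (as the 1.36.0 note requires).
DEFAULT_ROOT="/var/lib/containerd"

# containerd_root_from_config CONFIG_TEXT : extract the top-level `root = "..."`
# value from `containerd config dump` output; falls back to the default when absent.
containerd_root_from_config() {
    root=$(printf '%s\n' "$1" | awk -F'"' '/^[[:space:]]*root[[:space:]]*=/ {print $2; exit}')
    printf '%s\n' "${root:-$DEFAULT_ROOT}"
}

# containerd_root : same, but against the live node (needs containerd in PATH)
containerd_root() {
    containerd_root_from_config "$(containerd config dump 2>/dev/null)"
}

# yaml_default_root_refs FILE : numbered lines in FILE that mention the default root
yaml_default_root_refs() {
    grep -n "$DEFAULT_ROOT" "$1" || true
}

# check_yaml FILE ROOT : 0 if FILE needs no change for ROOT, 1 if lines must be edited
check_yaml() {
    file=$1; root=$2
    if [ "$root" = "$DEFAULT_ROOT" ]; then
        echo "containerd root is the default ($root); no YAML change needed"
        return 0
    fi
    refs=$(yaml_default_root_refs "$file")
    if [ -n "$refs" ]; then
        echo "containerd root is $root; update these lines in $file:"
        printf '%s\n' "$refs"
        return 1
    fi
    echo "no references to $DEFAULT_ROOT left in $file"
    return 0
}

# Constructed sample of `containerd config dump` output, so the script runs offline.
SAMPLE_CONFIG='version = 2
root = "/data/containerd"
state = "/run/containerd"'
echo "sample config root: $(containerd_root_from_config "$SAMPLE_CONFIG")"
# Live usage on a node (cssensor.yaml is a placeholder for your deployment file):
#   check_yaml cssensor.yaml "$(containerd_root)"
```

The awk pattern deliberately anchors on a bare `root =` key so that nested keys such as `root_path` in the snapshotter plugin section are not mistaken for the daemon root.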

Admission Controller 1.1.0

With this release, the Admission Controller supports Pod Security Policies to enforce organizational security by blocking risky configurations like privileged containers, shared namespaces, and host-level access, while promoting secure defaults and non-root containers.

Additionally, new Image Security Policies prevent the deployment of vulnerable or non-compliant container images by blocking embedded secrets (exclusive to Qualys Admission Controller), limiting vulnerabilities by severity or CVSS, enforcing detection score thresholds, and restricting unauthorized software or untrusted images.

CS 1.36.0 UI Release Notes | CS 1.36.0 API Release Notes | CS 1.36.0 Sensor Release Notes | Admission Controller 1.1.0 Release Notes

Container Security Release - 1.35.0

Container Security 1.35.0

Qualys Container Security now supports the following:

  • Support to Download SBOM Report - SBOM report available in 'SPDX' and 'CycloneDX' formats. Provides details like software components, versions, dependencies, and metadata.
  • Base Image Identification - Identifies the base image and shows its SHA and associated child images. 
  • Disabled Container Scanning - For new users (CS 1.35 and later), container scanning is disabled by default and replaced with 'Vulnerability Propagation' (static scanning), which carries image scan results over to the containers running them. Existing users keep container scanning enabled.
  • Detecting Publicly Exposed Containers and Workloads - New tiles for "Exposed to World" and "Exposed Outside Cluster" to identify containers exposed to the internet or outside their cluster.
  • Enhancement in TruRisk™ Score - Publicly exposed containers now receive a 20% higher TruRisk™ score. The Asset Criticality Score (ACS) is now calculated from the tags associated with the container.
  • Dynamic Tagging for Images and Containers - Dynamic tags can be created and automatically assigned based on defined rules. Boolean values are not supported, and only the colon ":" is allowed in numeric fields.
  • Enhancement in Reporting - More options to edit scheduled reports, such as compressing reports and updating schedules. Reports can be sent to up to 50 recipients with email notifications.
  • Cloud and Cluster Information in Vulnerability Report - Added support for selecting cloud and Kubernetes attributes (for example, Cloud Provider, Region, Cluster Name) in container vulnerability reports.
  • Support Runtime Sensor Profile - The 'Runtime Sensor Profile' is introduced to track container events. Includes a 'Process Exclusion' page to filter unwanted runtime events.
  • Active Images Detected by General Sensor - The 'Image In Use' tile now shows active images detected by the General Sensor, in addition to those detected by Cluster Sensors.
  • New Region for AWS ECR Registry - New region available for AWS ECR registry during its creation.

Container Security Sensor 1.35.0

Qualys Container Security Sensor now supports the following:

  • Added Support for Operating Systems - CS Sensor now supports scanning images for Wolfi Linux and Microsoft Azure Linux.
  • Added Support to Generate SBOM Report - SBOM reports (SPDX JSON and CycloneDX JSON formats) are now automatically generated when an SCA scan is enabled. These reports provide visibility into the components (open source and commercial) of your software and can be downloaded from the Qualys Cloud Platform. The SBOM generation can be disabled using a new "Disable Features" flag.
  • Optimized Image Scan - The latest CS Sensor deployment includes the `--optimize-image-scans` flag for improved image scanning. This is applicable only to the General sensor, and the argument must be added to deployment YAML files.
  • Qualys Container Security CLI Tool - A new CS CLI tool (qcs-cli) is introduced to manage and debug CS components (Sensor, Cluster Sensor, Admission Controller). It can list the installed sensors, show component status, and export logs.
  • Support to Upload General Sensor Inventory After Downtime - The General Sensor can now upload inventory changes made during service downtime. A new parameter, `UploadInventoryDowntimePeriod`, ensures that inventory changes during downtime are uploaded once services are restored. The default period is set to 3600 seconds (1 hour).

QScanner 4.3.0

QScanner now supports,

  • SARIF Report in Compliance with GitHub Actions - The SARIF report generated by QScanner now includes a 'locations' field, showing the artifact (secret, image, or OS package) location, ensuring compliance with GitHub Actions.
  • Fallback to Offline Scan - If the download or update of java-db fails during an SCA scan, QScanner will fall back to an offline scan, preventing scan failure.
  • Improvement in SCA Scan - Detection of the .NET runtime for Software Composition Analysis (SCA) is enhanced. QScanner now detects software packages based on App.runtimeconfig.json files.

CS 1.35.0 UI Release Notes | CS 1.35.0 API Release Notes | CS 1.35.0 Sensor Release Notes | QScanner 4.3.0 Release Notes

Container Security Release - 1.34.0

Container Security 1.34.0

Qualys Container Security now supports,

  • TruRisk™ score and Qualys Detection Score (QDS) for your Container Security assets
  • Tagging for sensor and sensor profiles
  • A new registry type called 'Harbor Container Registry' 
  • A new Sensor Profile called 'Cluster'

With this release, a new Runtime Sensor for capturing runtime activity and a new Sensor Download page are introduced.

Container Security Sensor 1.34.0

Qualys Container Security Sensor 1.34 introduces several key updates. Notably, Harbor Robot Account support allows admins to create project-specific robot accounts for automated tasks. There's also a feature to disable container scanning and a disk space check before scans. CPU limits for sensor scans have been increased for better performance. Additionally, the release adds support for new operating systems, sensor and sensor profile tagging, and customization of POD URLs. Helm Chart 1.13.0 includes flags for CPU limits, disabling scans, and disk space checks.

Cluster Sensor 1.1.0

Qualys Cluster Sensor scans your clusters and provides you with vulnerabilities. The following changes are introduced in this release.

  • By default, the Qualys Cluster Sensor operates without persistent storage on the host.
  • The Qualys Cluster Sensor runs as a non-root user.

QScanner 4.2.0

QScanner now supports scanning images based on new operating systems, including Amazon Linux 2023, Chainguard, and Photon. Performance has been improved by bulk insertion, which lets QScanner handle multiple data requests at once and speeds up inserting large numbers of packages. SARIF replaces JSON as the default vulnerability report format; the Tabular format remains available. Additionally, QScanner now collects BuildTime and InstallTime for RPM package managers, improving the accuracy of signature evaluations that depend on these values.

CS 1.34.0 UI Release Notes | CS 1.34.0 API Release Notes | CS 1.34.0 Sensor Release Notes | Cluster Sensor 1.1.0 Release Notes  | QScanner 4.2.0 Release Notes

Container Security Release - 1.33.0

Container Security 1.33.0

This release adds support for the 'Overlay' storage driver on the 'containerd' runtime. Going forward, you need to create the 'qualys' namespace manually before launching the CS Sensor.

Container Security Sensor 1.33.0

This release adds support for the 'Overlay' storage driver on the 'containerd' runtime for Qualys Container Security (CS) sensors. The Overlay driver speeds up image handling by avoiding the time-consuming image save step, which matters most for large images. The driver is supported by the General, CI/CD, and Registry sensors, but only with the 'containerd' runtime.

QScanner 4.1.0

The latest QScanner release introduces several enhancements. It now supports a new `containerd-overlay` storage driver for the containerd runtime, alongside the existing overlay2 driver for Docker. QScanner also supports SPDX and CycloneDX SBOM formats for inventory output. Additionally, vulnerability reports are now available in SARIF format, which will become the default in future releases.

QScanner can scan container images without a runtime, pulling directly from remote registries. New authentication flags for private registry access are added. It also supports scanning OCI Layout .tar archives and Conda Package Manager-installed packages. New cache cleanup flags allow the removal of old cache entries, and the --report-format flag lets users specify SARIF or Tabular formats. Performance improvements have sped up scan times.

CS 1.33.0 UI Release Notes | CS 1.33.0 API Release Notes | CS 1.33.0 Sensor Release Notes | QScanner 4.1.0 Release Notes

Container Security Release - 1.32.0

Container Security 1.32.0

CS 1.32.0 release offers the following enhancements.

  • GHCR is now supported for all GitHub accounts, replacing its former placement under 'Docker V2- Private'.
  • A new tab lists CI/CD events and categorizes policy evaluations as AUDIT, ALLOW, or DENY, with detailed event and policy info available.
  • The CS_IMAGE_MALWARE report template shows malware details in image layers, complementing existing vulnerability and secrets reports.
  • Dynamic lists automatically update with new vulnerabilities based on set criteria, unlike static lists. Modify filters only after mapping QIDs.
  • The Regex field now supports the backslash (\) for escaping special characters in secret detectors.

Container Security Sensor 1.32.0

CS Sensor 1.32.0 offers the following changes. 

  • GHCR is now supported as a new registry type for all GitHub accounts (Personal, Enterprise, Organization), replacing its previous classification under 'Docker V2- Private'.
  • The Regex field in secret detectors now supports the backslash (\) for escaping special characters, allowing more flexible pattern matching (for example, \., \*, and \\).

QScanner 4.0.0

The QScanner update introduces several new features and changes. It now supports a 'local' cache type for faster scans, with customizable cache paths using --cache-dir. The --use-cache flag is replaced by --cache <cache-type>. Scanning Java files is quicker as QScanner downloads the Java index database locally, reducing Maven repository access.

A new --offline-scan flag allows scans without network access, though results for Java images may be inaccurate. The --limit-resource-usage flag reduces CPU and memory consumption. The proxy flag has been simplified to --proxy <proxy_url>.

QScanner now generates a tabular vulnerability report in the console with the --mode get-report command. The --pod flag simplifies using Qualys-specific gateways, while --gateway-url is for non-Qualys PODs. It also supports the overlay2 filesystem for Docker runtime to speed up large image scans.

Finally, the --report-file and --customer-id flags are deprecated, with reports now shown in the console and the Access Token replacing the customer ID. These updates aim to improve performance and ease of use.

CS 1.32.0 UI Release Notes | CS 1.32.0 Sensor Release Notes | CS 1.32.0 API Release Notes  | QScanner 4.0.0 Release Notes

Container Security Release - 1.31.0

Container Security 1.31.0

CS 1.31.0 release offers the following changes.

  • You can now create, edit, delete custom (non-system) type secret detectors.
  • Admins can restrict sub-users' access to assets by using a set of tags. All sub-users now see only the assets in their scope.
  • Earlier, Hosts page was treated as the default landing page for the ASSETS tab. Now, Images are treated as the default option. Also, you can choose the default landing page for your ASSETS tab.
  • Earlier, if all scan jobs created under a registry are deleted, the status shown was '-'. Now, for registries without any scan jobs, the status shown will be 'unknown'.
  • The Match column has been removed from the Detected Secrets window so that the matched secret value is no longer displayed; only the Line Number column is shown.
  • For all users, the Software Composition Analysis (SCA) scan type is enabled by default.

Container Security Sensor 1.31.0

CS Sensor 1.31.0 offers the following changes.

  • You can now create, edit, and delete custom (non-system) secret detectors.
  • A new sensor argument, '--limit-resource-usage', reduces the memory the sensor consumes during scans.
  • Kubernetes PriorityClass is now supported. PriorityClass tells the scheduler which Pods to keep running, and which to preempt, when a node runs short of resources; the Sensor deployment YAML file defines one named 'qualys-priority-class'.

CS 1.31.0 UI Release Notes | CS 1.31.0 Sensor Release Notes | CS 1.31.0 API Release Notes