Installsensor Shell Script Command Line Parameters

Here’s a quick overview of the Sensor Installation Shell script (installsensor.sh) command line parameters.

Only a few of the parameters have default values. You can override a default at installation time, but some values (for example, LogLevel) may later be overridden by a config update. To change any value after the sensor is installed, rerun the 'installsensor.sh' script with the new values.

Each entry below gives the parameter, whether it is mandatory or optional, and its description.

ActivationId (Mandatory)
    The Activation Id for the container sensor, auto-generated based on your subscription.

ConcurrentScan (Optional)
    Number of docker/registry asset scans to run in parallel. Valid range: 1-20. Default: 4.

ContainerRuntime (Optional)
    Applicable only when the sensor is installed on a host with the Podman runtime. Valid value: Podman

CpuShares (Optional)
    CPU shares for the sensor container. A valid value is a positive integer other than 1024.

CpuUsageLimit (Optional)
    CPU usage limit for the sensor, as a percentage of the host's overall CPU capacity. Valid range: 0-100. Default: 0.2, i.e. 20% of the host. The installsensor script detects the number of CPU cores on the host and derives the container's CPU limit from the CpuUsageLimit value and the core count. For example, CpuUsageLimit=30 means 30% of the host's overall CPU capacity; on a host with 8 CPU cores the limit applied to the sensor container is 0.30 * 8 = 2.4 CPU cores.

CustomerId (Mandatory)
    The Qualys subscription's customer Id, auto-generated based on your subscription.

--cicd-deployed-sensor or -c (Optional)
    Run the sensor in a CI/CD environment, so that images can be scanned in a CI/CD pipeline (Jenkins, Bamboo).

--disable-auto-update (Optional)
    Do not let the sensor update itself automatically.

--disableImageScan (Optional)
    Disable image scans for the General sensor. Images are not scanned by sensors deployed with this option. Available for the General sensor type only, on all runtimes (Docker, CRI-O and Containerd).

--disableContainerScan (Optional)
    Disable container scans.

--disable-log4j-scanning (Optional)
    Disable log4j vulnerability scanning for container images. See Log4j vulnerability scanning.

--disable-log4j-static-detection (Optional)
    Disable log4j static detection in dynamic and static image scans. See Static log4j detection.

DisableFeatures (Optional)
    Disable generation of the SBOM. Valid value: DisableFeatures=SBOM

DockerHost (Optional)
    The address on which the docker daemon is configured to listen. Mandatory if DOCKER_TLS_VERIFY=1 is defined.
    DockerHost format: <Docker daemon host's IPv4 address, or FQDN, or hostname>:<port#>

DockerSocketDirectory (Optional)
    Docker socket directory path. Default: /var/run

DOCKER_TLS_VERIFY (Optional)
    Enables TLS authentication to the docker daemon. The value must be 0 or 1.
    If DOCKER_TLS_VERIFY=1 is defined, ensure that the IPv4 address, FQDN or hostname given in DockerHost matches either the CN or a Subject Alternative Name in the docker server certificate.
    With sensor-to-daemon communication over TLS enabled, you can restrict the sensor's access to the docker socket using a docker authorization plugin.

--enable-console-logs (Optional)
    Print logs to the console. These logs can be retrieved with the docker logs command.

--enable-disk-space-check (Optional)
    Check the available disk space before generating a tar. When the sensor is launched with the parameters below, the minimum free disk space on the host must be:
    a) SCA + online scan: 1.5 GB
    b) any other combination of parameters: 500 MB

HostIdSearchDir (Optional)
    Directory containing the marker file created by the Qualys Agent or Scanner Appliance on the host; change it if that location was modified. Default: /etc/qualys

ImageFile (Optional)
    Location of the sensor image file. Defaults to the local directory.

--insecure-registry (Optional)
    Allows insecure registries. Applicable only to the Podman runtime. When this parameter is passed, the sensor sets --tls-verify=false for the podman pull and podman login commands.
    Note: if both --insecure-registry and REGISTRY_CERT_DIR are given, --insecure-registry takes precedence.

LogFilePurgeCount (Optional)
    Integer value that specifies the maximum number of archived log files. Default: 5.

LogFileSize (Optional)
    Maximum size per sensor log file, in bytes. Accepts "<digit><K/M/>" where K is kilobytes and M is megabytes. For example, "10" is 10 bytes, "10K" is 10 kilobytes and "10M" is 10 megabytes. Default: "10M".

LogLevel (Optional)
    Logging level for the sensor, 0 to 5. Default: 3 (Information).

--limit-resource-usage (Optional)
    Limit the resource usage of SCA, secret and malware scans.

--mask-env-variable (Optional)
    Mask the environment variables of images and containers. They are masked or removed in sensor logs and in the Container Security UI.

MemoryUsageLimit (Optional)
    Memory usage limit for the sensor container, formatted as <digit><unit> where unit is one of b (bytes), k (kilobytes), m (megabytes) or g (gigabytes). Recommended value: 500m (500 megabytes).

--optimize-image-scans (Optional)
    Optimize image scans for the General sensor. Available for the General sensor type only.
    By default, the sensor scans every image it detects on the host, which results in redundant scanning of images. When the General sensor is installed with "--optimize-image-scans", it consults the Qualys Cloud Platform and performs informed scans to avoid redundant image scans: it determines whether an image on the host has already been scanned by another sensor for the same manifest and version, and does not scan such images again.

--perform-secret-detection (Optional)
    Enable secret detection for container images. You can set a timeout for this command with the SCAScanTimeoutInSeconds={value} parameter.
    Secret detection is supported only on:
    - CICD and registry sensors
    - Linux operating system
    - Docker, Containerd, and CRI-O runtimes

PidLimit (Optional)
    PID limit for the sensor container. The value must be a positive integer.

PodmanSocketDirectory (Optional)
    Podman socket directory path. Default: /run/podman/

Proxy (Optional)
    IPv4/IPv6 address or FQDN of the proxy server.

ProxyCertFile (Optional)
    Path to the proxy certificate file. Applicable only if the proxy has a valid certificate file. If this option is not provided, the sensor connects to the server using only the given HTTPS proxy settings.
    If only ProxyCertFile is provided, without Proxy, the sensor ignores ProxyCertFile and connects to the server without any HTTPS proxy settings.

--read-only (Optional)
    Run the sensor in read-only mode. In this mode, the sensor uses persistent storage on the host. Run the sensor with either the '--sensor-without-persistent-storage' option or the '--read-only' option, never with both.

REGISTRY_CERT_DIR (Optional)
    Directory containing custom certificates. If this argument is provided, Podman uses the certificates in that directory for registry authentication and secure connections.
    For example, REGISTRY_CERT_DIR=/etc/containers/certs.d

--registry-sensor or -r (Optional)
    Run the sensor to list and scan registry assets, i.e. images in a public or private registry.

ScanningPolicy (Optional)
    Specifies the scanning policy, which lets you select the scan type that suits your requirement. The available values are:
    • DynamicWithStaticScanningAsFallback: (Default value) performs static scanning as a fallback to dynamic scanning for images without a shell.
    • DynamicScanningOnly: performs only dynamic scanning.
    • StaticScanningOnly: performs only static scanning.
    For example, 'ScanningPolicy=StaticScanningOnly'

--sensor-without-persistent-storage (Optional)
    Run the sensor without using persistent storage on the host.
    Run the sensor with either the "--sensor-without-persistent-storage" option or the "--read-only" option, never with both.
    To install the sensor without persistent storage, omit the 'Storage' option and include '--sensor-without-persistent-storage' in the installer command. We recommend adding '--enable-console-logs' alongside '--sensor-without-persistent-storage' to preserve the logs, because the data is not available on the host but only inside the sensor at /usr/local/qualys/qpa/data.
    Because the sensor runs with '--sensor-without-persistent-storage', an auto-update produces a completely new sensor container instance, so data from the old sensor is not available to the new one. The new sensor therefore re-scans the assets that were already scanned.

--silent or -s (Optional)
    Run the installsensor.sh script in non-interactive mode.

Storage (Optional)
    Directory where the sensor stores its files. Default: /usr/local/qualys/sensor/data. Create this directory if it does not already exist, or specify a custom directory location.

StorageDriverType (Optional)
    Storage driver type of the container runtime. Valid values:
    • 'overlay', applicable only with the Podman runtime. For example, 'StorageDriverType=overlay'
    • 'overlay2', applicable only with the Docker runtime. For example, 'StorageDriverType=overlay2'

TLS_CERT_PATH (Optional)
    Client certificate directory path. Mandatory if DOCKER_TLS_VERIFY=1 is defined. The file names within the directory are given by:
    tlscacert=<Name of CA (default "ca.pem")> tlscert=<Name of TLS certificate file (default "cert.pem")> tlskey=<Name of TLS key file (default "key.pem")>
    If the CA certificate, client certificate or client private key use the default file names ca.pem, cert.pem and key.pem respectively, the corresponding option can be omitted.

TagSensorProfile (Optional)
    Assign tags to the sensor or sensor profile. Such tags can be used to categorize sensors or sensor profiles. Use this flag while creating a sensor. For example:
    - sudo ./installsensor.sh ActivationId=xxxx CustomerId=xxxx Storage=/usr/local/qualys/sensor/data -s TagSensorProfile=Tag1
    To assign a special tag, use TagSensorProfile=--qcs_sensor_profile_<tag_name>
    For more information, refer to Important Points about Sensor Tagging.
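The DockerHost, DOCKER_TLS_VERIFY and TLS_CERT_PATH entries above state two conditions that must hold before the sensor talks to the daemon over TLS: the CA, client certificate and client key must be present under TLS_CERT_PATH, and the name given in DockerHost must match the CN or a Subject Alternative Name of the daemon's server certificate. The following pre-flight script, added here as an example and not part of Qualys' installsensor.sh, checks both with openssl before you run the installer. The function names, the directory /etc/docker/certs and the host docker.example.internal:2376 in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight checks for DockerHost, DOCKER_TLS_VERIFY=1 and TLS_CERT_PATH.
# Added example, not part of Qualys' installer: it verifies the client files
# under TLS_CERT_PATH exist, that the daemon's server certificate chains to
# that CA, and that the DockerHost name is in the certificate's CN or SAN.

# tls_dir_ok DIR [CA CERT KEY]: the CA, client cert and client key are readable
# (names default to ca.pem, cert.pem, key.pem, like tlscacert/tlscert/tlskey)
tls_dir_ok() {
  [ -r "$1/${2:-ca.pem}" ] && [ -r "$1/${3:-cert.pem}" ] && [ -r "$1/${4:-key.pem}" ]
}

# dockerhost_name DOCKERHOST: the host part of <IPv4|FQDN|hostname>:<port>
dockerhost_name() { printf '%s\n' "${1%:*}"; }

# cert_names CERTFILE: one line per name the certificate is valid for,
# i.e. the subject CN followed by every DNS and IP Subject Alternative Name
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n -e 's/^ *DNS:\(.*\)$/\1/p' -e 's/^ *IP Address:\(.*\)$/\1/p'
}

# cert_matches_host CERTFILE DOCKERHOST: true when the DockerHost name is one
# of the names in the certificate, compared as whole strings (no wildcards)
cert_matches_host() {
  cert_names "$1" | grep -qxF -- "$(dockerhost_name "$2")"
}

# server_cert_trusted DIR SERVER_CERT [CA]: the daemon's certificate chains to
# the CA file the sensor will read from TLS_CERT_PATH
server_cert_trusted() {
  openssl verify -CAfile "$1/${3:-ca.pem}" "$2" >/dev/null 2>&1
}

# preflight DIR DOCKERHOST SERVER_CERT: run all checks; hypothetical usage:
#   preflight /etc/docker/certs docker.example.internal:2376 /tmp/daemon-server.pem
# (SERVER_CERT is the daemon's certificate, copied from the Docker host)
preflight() {
  tls_dir_ok "$1" || { echo "missing ca.pem/cert.pem/key.pem under $1" >&2; return 1; }
  server_cert_trusted "$1" "$3" || { echo "$3 is not signed by $1/ca.pem" >&2; return 1; }
  cert_matches_host "$3" "$2" \
    || { echo "$(dockerhost_name "$2") is not in the CN/SAN of $3" >&2; return 1; }
  echo "ok: DockerHost=$2 DOCKER_TLS_VERIFY=1 TLS_CERT_PATH=$1"
}
```

If preflight reports a name mismatch, fix DockerHost (or reissue the daemon certificate with the right SAN) rather than setting DOCKER_TLS_VERIFY=0: without verification the sensor would accept any certificate on that socket, which defeats the authorization-plugin restriction the page describes.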

Important Points about Sensor Tagging

  • Sensor provisioning with the '--tag-sensor-profile' flag only considers tags that have already been created and are present in your Qualys account. Before provisioning sensors with this flag, ensure that the desired tag exists in your account; if it does not, create it first and then use it in the sensor deployment YAML file or on the command line.
  • A sensor is assigned to a Sensor Profile only if the tag names and the tag count of the Sensor and the Sensor Profile match exactly.
    For example, if a sensor profile has five tags, say <tag1>, <tag2>, <tag3>, <tag4>, <tag5>, and you launch a sensor with only three tags, <tag1>, <tag2>, <tag3>, the sensor is not attached to that sensor profile because the total number of tags is not an exact match. Only a sensor carrying all 5 tags of the sensor profile is assigned to it.
    At times, if the match criteria are not met, a wrong sensor profile may be assigned to the sensor instead of the default profile.
  • Existing tags can be assigned to sensors only while launching them, whereas Sensor Profile tags can be assigned during or after creation of the Sensor Profile.
  • The maximum total number of tags assigned to a sensor or sensor profile is 10.
  • To know more about special tags, refer to the Container Security Sensor 1.38 Release Notes.


Rules about Tag name

  • Special characters are not allowed in Sensor and Sensor Profile tags.
    For example, characters such as '*', ':', '{}' or '&' are not allowed.
  • A tag may contain dashes (-), underscores (_), dots (.) and alphanumeric characters between its first and last characters.
  • A tag name must be 63 characters or less (it can be empty). Unless it is empty, it must begin and end with an alphanumeric character ([a-z0-9A-Z]).
  • No spaces are allowed in a tag or value.
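The parameter table and the tag-name rules above describe value ranges, value formats, mutually exclusive options and parameters that become mandatory together, but installsensor.sh is the only thing on this page that checks them. The following validator, added here as an example and not Qualys' own code, encodes those rules so that an inconsistent argument list fails before the real installer runs; pass it the exact argument list you intend to give installsensor.sh. It validates a single tag per TagSensorProfile argument, since the page shows no syntax for several; the function names and the ActivationId/CustomerId placeholder values are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight validation of an installsensor.sh argument list.
# Added example, not part of Qualys' installer: it only encodes the value
# ranges, formats and cross-parameter rules documented on this page so that
# an inconsistent invocation fails before the real script runs.

fail() { printf 'preflight: %s\n' "$*" >&2; return 1; }

# is_int VALUE: true when VALUE is a string of decimal digits
is_int() { case $1 in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# valid_tag NAME: tag-name rules from this page (63 chars max, alphanumeric
# at both ends, only [-_.] and alphanumerics in between, no spaces). For a
# special tag the --qcs_sensor_profile_ prefix is stripped and the rest checked.
valid_tag() {
  t=${1#--qcs_sensor_profile_}
  [ "${#t}" -le 63 ] || return 1
  printf '%s' "$t" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'
}

# cpu_cores_for_limit PERCENT CORES: the CPU cores the script would grant,
# following the page's example (CpuUsageLimit=30 on 8 cores -> 2.40)
cpu_cores_for_limit() { awk -v p="$1" -v c="$2" 'BEGIN { printf "%.2f\n", p / 100 * c }'; }

# check_arg ARG: validates one NAME=VALUE argument; bare flags pass through
check_arg() {
  name=${1%%=*}; value=${1#*=}
  case $name in
    ConcurrentScan)
      is_int "$value" && [ "$value" -ge 1 ] && [ "$value" -le 20 ] \
        || fail "ConcurrentScan must be 1-20, got '$value'" ;;
    CpuShares)
      is_int "$value" && [ "$value" -gt 0 ] && [ "$value" -ne 1024 ] \
        || fail "CpuShares must be a positive integer other than 1024, got '$value'" ;;
    CpuUsageLimit)                      # percentage of the host; decimals allowed (default 0.2)
      case $value in ''|*[!0-9.]*|.|*.*.*) fail "CpuUsageLimit must be numeric, got '$value'"; return;; esac
      awk -v v="$value" 'BEGIN { exit !(v >= 0 && v <= 100) }' \
        || fail "CpuUsageLimit must be 0-100, got '$value'" ;;
    LogLevel)
      is_int "$value" && [ "$value" -le 5 ] || fail "LogLevel must be 0-5, got '$value'" ;;
    LogFilePurgeCount|PidLimit)
      is_int "$value" && [ "$value" -gt 0 ] || fail "$name must be a positive integer, got '$value'" ;;
    LogFileSize)                        # <digits><K|M|>
      n=${value%[KM]}; is_int "$n" || fail "LogFileSize must be <digits>[K|M], got '$value'" ;;
    MemoryUsageLimit)                   # <digits><b|k|m|g>, unit required
      n=${value%[bkmg]}; [ "$n" != "$value" ] && is_int "$n" && [ "$n" -gt 0 ] \
        || fail "MemoryUsageLimit must be <digits><b|k|m|g>, got '$value'" ;;
    ScanningPolicy)
      case $value in DynamicWithStaticScanningAsFallback|DynamicScanningOnly|StaticScanningOnly) ;;
        *) fail "ScanningPolicy: unknown value '$value'" ;; esac ;;
    StorageDriverType)
      case $value in overlay|overlay2) ;; *) fail "StorageDriverType must be overlay or overlay2" ;; esac ;;
    DOCKER_TLS_VERIFY)
      case $value in 0|1) ;; *) fail "DOCKER_TLS_VERIFY must be 0 or 1" ;; esac ;;
    ContainerRuntime)
      [ "$value" = Podman ] || fail "ContainerRuntime: only Podman is valid" ;;
    TagSensorProfile)
      valid_tag "$value" || fail "TagSensorProfile: invalid tag name '$value'" ;;
  esac
}

# check_args ARG...: validates every argument plus the cross-parameter rules
# stated on this page (mandatory ids, storage options, the TLS trio)
check_args() {
  rc=0; act=; cust=; ro=; nops=; store=; tls=; host=; certs=
  for a in "$@"; do
    check_arg "$a" || rc=1
    case $a in
      ActivationId=?*) act=1 ;;  CustomerId=?*) cust=1 ;;
      --read-only) ro=1 ;;       --sensor-without-persistent-storage) nops=1 ;;
      Storage=*) store=1 ;;      DOCKER_TLS_VERIFY=1) tls=1 ;;
      DockerHost=?*) host=1 ;;   TLS_CERT_PATH=?*) certs=1 ;;
    esac
  done
  [ -n "$act" ] && [ -n "$cust" ] || { fail "ActivationId and CustomerId are mandatory"; rc=1; }
  [ -z "$ro" ] || [ -z "$nops" ] \
    || { fail "use either --read-only or --sensor-without-persistent-storage, not both"; rc=1; }
  [ -z "$nops" ] || [ -z "$store" ] \
    || { fail "omit Storage= when installing with --sensor-without-persistent-storage"; rc=1; }
  [ -z "$tls" ] || { [ -n "$host" ] && [ -n "$certs" ]; } \
    || { fail "DOCKER_TLS_VERIFY=1 requires DockerHost and TLS_CERT_PATH"; rc=1; }
  return "$rc"
}

# Usage: validate, then hand the same argument list to the real installer.
if [ "$#" -gt 0 ]; then
  check_args "$@" && printf 'arguments look consistent; run: sudo ./installsensor.sh %s\n' "$*"
fi
```

Run it as sh preflight.sh ActivationId=xxxx CustomerId=xxxx Storage=/usr/local/qualys/sensor/data -s TagSensorProfile=Tag1 and only invoke installsensor.sh when it exits 0; every violation is reported on stderr so several mistakes can be fixed in one pass.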

 

Optional Parameters for SCA Scanning

The following parameters are optional when the SCA scanning feature is enabled for your subscription (--perform-sca-scan). See SCA scanning to learn more.

--perform-sca-scan (Optional when SCA scanning is enabled for your subscription)
    By default, SCA scanning is not performed. Use this parameter to enable SCA scanning for container images. When specified, the SCA scan is performed after the standard vulnerability scan (static or dynamic). The SCA scan is attempted even when the vulnerability scan is not successful.

--disallow-internet-access-for-sca (Optional when --perform-sca-scan is specified)
    By default, Internet access is enabled for the SCA scan and the scan runs in online mode, because package collection in online mode is more accurate than in offline mode. Use this parameter to disable Internet access for the SCA scan and run it in offline mode instead.
    We recommend running the SCA scan in online mode. The quality of software package enumeration for Java degrades substantially when the SCA scan runs offline, because the remote Maven repository may need to be consulted for accurate package detection; this affects the accuracy of the image's vulnerability posture. In online mode the sensor must be able to reach the URLs "http://search.maven.org" and "https://ghcr.io".

--disableFeatures (Optional when --perform-sca-scan is specified)
    Disable generation of the SBOM. Format: --disableFeatures "SBOM"

SCAScanTimeoutInSeconds={value} (Optional when --perform-sca-scan is specified)
    The default SCA scan command timeout is 5 minutes (300 seconds). Use this parameter to replace the default with a new value in seconds. For example, you may need to increase the timeout when scanning large container images so that the SCA scan has time to finish.
    This parameter also sets the timeout for secret detection.

--limit-resource-usage (Optional)
    Limit the resource usage of SCA, secret and malware scans.

POD_URL
    Provide a customized POD URL. Format: POD_URL=<URL of your POD>

QCSImageScanningContCpuLimit
    Edit the default CPU limit for image scanning containers.

 

Docker Hub

For information on installing the sensor from Docker Hub, see:

Installing the sensor from Docker Hub

CI/CD Environments

For information on deploying the sensor in CI/CD environments, refer to:

Qualys Container Scanning Connector for Jenkins

Qualys Container Scanning Connector for Bamboo

Qualys Container Scanning Connector for Azure DevOps

Your hosts must be able to reach your Qualys Cloud Platform (or the Qualys Private Cloud Platform) over HTTPS port 443. See Qualys Platform (POD URL) your hosts need to access.

How to Comply with CIS Benchmark for Docker using Installsensor.sh Commands

Qualys Container Security adheres to the CIS Benchmark for Docker for our Sensor image. Refer to Compliance with CIS Benchmark for Docker for guidance on how to use the Sensor image in a way that complies with the CIS Benchmark for Docker. We’ve provided instructions for a number of controls so you can operate the Sensor in a compliant manner.