SCA scanning

Qualys Container Security Sensor supports Software Composition Analysis (SCA) scanning of container images. An SCA scan discovers installed open-source software and libraries, as well as associated vulnerabilities, present in your container images.

While evaluating the security posture of container images, it is important to identify all software packages present in the image. The SCA scan identifies programming-language software packages inside the image, and metadata for each image layer is also provided. The SCA scan detects packages for these programming languages: Java, Python, Go, Node.js, .NET, PHP, Ruby, and Rust.

SCA scanning is supported for all sensor types – General, Registry and CI/CD. It’s supported for the Docker, containerd, and CRI-O runtimes. SCA scanning is only supported when scanning container images. SCA scanning is not supported on macOS.

For SCA scanning on the CRI-O runtime, the sensor must be launched with privileged rights. To do that, set the following parameter to true in the ‘cssensor-crio-ds.yml’ file:

securityContext:
  privileged: true

If your environment is restricted and you are using a proxy for sensor provisioning with the SCA-enabled flag, then you need to set the qualys_https_proxy variable. This proxy is used to communicate with the Qualys Cloud Platform.

In a Kubernetes environment, to perform SCA scanning with a proxy setting, uncomment the section below in the YAML file and provide your proxy URL as the value:

- name: qualys_https_proxy
  value: http://proxy_URL

In a standalone Docker environment, to perform SCA scanning with a proxy setting, provide the following value in the installsensor.sh file:
-e qualys_https_proxy=https://proxy_URL

Prerequisites

  • By default, the SCA Scanning feature is enabled for all new subscriptions. Contact Qualys Support to have this feature enabled.
  • Sensor version 1.23 or later.
  • The following URLs are accessible to the sensor:
    - https://ghcr.io
    - https://pkg-containers.githubusercontent.com
  • Relaunch your sensors with the parameter --perform-sca-scan to perform SCA scanning.
  • Additional storage on the host to store SCA scan metadata. Refer to Storage Requirements for Sensor Scans.

How it Works

SCA scanning is not performed by default. Users must enable SCA scanning using the parameter --perform-sca-scan. When enabled, an SCA scan is performed after a standard vulnerability scan (Static or Dynamic) on your container images. When the SCA scan completes, the sensor uploads the metadata collected by the scan to the Qualys backend, where posture evaluation is performed. You can view SCA scan findings in the Container Security UI and API as part of the image details. Vulnerability detections found by the SCA scan are presented as QIDs. Filters are provided so you can identify the type of scan (SCA, Dynamic or Static) used to detect a particular vulnerability.

The SCA scan is performed in online mode by default and requires internet access. Make sure the sensor can reach the URLs https://ghcr.io and https://pkg-containers.githubusercontent.com.

During an SCA scan, the following files are examined for language-specific software packages:

Language   Files
--------   -----
Python     egg package, wheel package
Node.js    package.json
.NET       packages.lock.json, packages.config, *.deps.json
Java       JAR/WAR/PAR/EAR
Go         Binaries built by Go
PHP        Composer.lock
Ruby       gemspec
Rust       Cargo.lock and Binaries built with cargo-auditable
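As an added illustration of the table above (this is example code, not Qualys code, and not how the sensor itself is implemented), the following Python script walks an unpacked container image filesystem, lists the files that match the per-language file types from the table, and shows how package names and versions can be read from a package.json and a Cargo.lock once those manifests are found. The directory layout and file contents it builds are constructed sample data; the names SCA_PATTERNS, inventory, node_dependencies, cargo_packages and build_sample_rootfs are hypothetical and exist only in this example.

```python
"""Hypothetical SCA inventory helper (added example, not Qualys code).

Walks an unpacked image filesystem and groups the language-specific package
manifests an SCA scan would look at, using the file types from the table above.
"""
import fnmatch
import json
import os
import re
import tempfile

# Filename patterns per language, taken from the table above. Python egg/wheel
# installs leave *.egg-info / *.dist-info directories behind; Go binaries and
# cargo-auditable binaries carry their package list inside the binary itself,
# so they need binary inspection rather than a filename match and are left out.
SCA_PATTERNS = {
    "Python":  ["*.egg-info", "*.dist-info", "*.egg"],
    "Node.js": ["package.json"],
    ".NET":    ["packages.lock.json", "packages.config", "*.deps.json"],
    "Java":    ["*.jar", "*.war", "*.par", "*.ear"],
    "PHP":     ["composer.lock"],
    "Ruby":    ["*.gemspec"],
    "Rust":    ["Cargo.lock"],
}

# Matches one "[[package]]" entry in a Cargo.lock and captures name + version.
_CARGO_PKG = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')


def inventory(rootfs):
    """Return {language: sorted relative paths} for every file or directory
    under rootfs whose name matches one of the patterns (case-insensitive)."""
    found = {lang: [] for lang in SCA_PATTERNS}
    for dirpath, dirnames, filenames in os.walk(rootfs):
        # Directory-style artefacts (egg-info / dist-info) count as well.
        for name in list(dirnames) + filenames:
            for lang, patterns in SCA_PATTERNS.items():
                if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns):
                    rel = os.path.relpath(os.path.join(dirpath, name), rootfs)
                    found[lang].append(rel.replace(os.sep, "/"))
    return {lang: sorted(paths) for lang, paths in found.items() if paths}


def node_dependencies(package_json_path):
    """Return {name: version spec} declared in a package.json (deps + devDeps)."""
    with open(package_json_path, encoding="utf-8") as fh:
        data = json.load(fh)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


def cargo_packages(cargo_lock_path):
    """Return {crate name: version} for every [[package]] entry in a Cargo.lock."""
    with open(cargo_lock_path, encoding="utf-8") as fh:
        return dict(_CARGO_PKG.findall(fh.read()))


def build_sample_rootfs():
    """Create a throwaway directory laid out like a slice of an unpacked image
    (constructed sample data, not a real image) and return its path."""
    root = tempfile.mkdtemp(prefix="sca-demo-")
    files = {
        "app/package.json": json.dumps({
            "name": "demo",
            "dependencies": {"express": "^4.18.2"},
            "devDependencies": {"jest": "^29.0.0"},
        }),
        "app/Cargo.lock": ('[[package]]\nname = "serde"\nversion = "1.0.197"\n\n'
                           '[[package]]\nname = "demo"\nversion = "0.1.0"\n'),
        "opt/service/bin/service.deps.json": "{}",
        "opt/service/packages.config": "<packages/>",
        "usr/share/java/commons-lang3-3.12.0.jar": "",
        "srv/site/composer.lock": "{}",
        "usr/lib/ruby/gems/3.2.0/specifications/rack-3.0.8.gemspec": "",
        "usr/lib/python3/dist-packages/requests-2.31.0.egg-info/PKG-INFO": "Name: requests\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_rootfs()
    for lang, paths in inventory(root).items():
        print(f"{lang:8} {', '.join(paths)}")
    print("Node.js deps:", node_dependencies(os.path.join(root, "app/package.json")))
    print("Rust crates: ", cargo_packages(os.path.join(root, "app/Cargo.lock")))
```

Pointing inventory() at a real unpacked image (for example the output of `docker save` extracted layer by layer) gives a quick view of which manifests a scan has to work with; the Go and Rust binary cases in the table remain a gap in this filename-based approach, which is the reason a scanner inspects binaries rather than relying on names alone.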