Static log4j Detection
Static log4j detection is enabled by default for dynamic/static image scans. Static log4j detection is implemented by executing the log4j detection command for each image layer and then merging the results. You have the option to disable static log4j detection for dynamic/static image scans using the parameter --disable-log4j-static-detection.
For static scans, static log4j detection will always be invoked unless the --disable-log4j-static-detection parameter is specified. The log4j commands are read from the VM manifest.
For dynamic scans, static log4j detection will only be invoked when all of the following are true:
- The parameter --disable-log4j-scanning is not used.
- The parameter --disable-log4j-static-detection is not used.
- The primary log4j detection command was unsuccessful in collecting log4j data points.
To disable static log4j detection, specify --disable-log4j-static-detection as a command line parameter for the installsensor.sh script, or provide it as a command or args parameter when deploying a sensor.
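
The per-layer scan and merge described at the top of this page can be pictured with the added sketch below, which is an illustration and not the sensor's own code. It assumes file-name matching on log4j-core JARs, OCI-style ".wh." whiteout markers, and a merge that keeps findings deleted by a later layer but flags them; all function names are hypothetical.

```python
import io
import re
import tarfile

# Assumption: match by file name only; the sensor's real command comes from the VM manifest.
LOG4J_JAR = re.compile(r"(?:^|/)log4j-core-(\d[\w.-]*)\.jar$")


def scan_layer(layer_bytes):
    """Return ({jar path: version}, [paths whited out]) for one layer tarball."""
    found, deleted = {}, []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as tar:
        for member in tar.getmembers():
            path = member.name.removeprefix("./")
            parent, _, name = path.rpartition("/")
            if name.startswith(".wh."):  # whiteout: this layer deletes the target
                deleted.append((parent + "/" if parent else "") + name[4:])
            elif member.isfile() and (match := LOG4J_JAR.search(path)):
                found[path] = match.group(1)
    return found, deleted


def merge_layers(layers):
    """Scan layers base-first and merge the findings into one image result."""
    merged = {}
    for index, layer_bytes in enumerate(layers):
        found, deleted = scan_layer(layer_bytes)
        for gone in deleted:  # mark earlier findings that this layer removes
            for path, hit in merged.items():
                if path == gone or path.startswith(gone + "/"):
                    hit["removed_in_layer"] = index
        for path, version in found.items():
            merged[path] = {"version": version, "layer": index, "removed_in_layer": None}
    return merged


def make_layer(paths):
    """Build a constructed sample layer: an in-memory tar of empty files."""
    buffer = io.BytesIO()
    with tarfile.open(fileobj=buffer, mode="w") as tar:
        for path in paths:
            tar.addfile(tarfile.TarInfo(path), io.BytesIO(b""))
    return buffer.getvalue()


# Constructed sample image: layer 1 deletes the JAR shipped in layer 0.
SAMPLE_LAYERS = [
    make_layer(["opt/app/lib/log4j-core-2.14.1.jar", "opt/app/app.jar"]),
    make_layer(["opt/app/lib/.wh.log4j-core-2.14.1.jar", "opt/new/log4j-core-2.17.1.jar"]),
]
```

A JAR deleted by a later layer is absent from the running container's filesystem but still present in the image's earlier layer, which is why the merged result keeps it with a removed_in_layer marker rather than dropping it.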