Events that Lead to Asset Scanning

This topic explains events that trigger General and CI/CD sensors to scan your images and containers. 

Events on Images that Lead to Scan

The following image events are tracked: load, pull, import, and tag.

General Sensor

General Sensor (part of QCS Sensor) scans an image when any of the following events occurs: load, import, or pull.

Import (in Kubernetes environments) is the counterpart of load (in Docker), but it is rarely used in practice.

Tagging an existing image does not trigger a new scan. General Sensor reports the tag event to the Qualys backend but does not re-scan the image, because a tag is only an alias for an image that has already been scanned.

Images scanned by General Sensor (for example, those scanned in the last 24 hours) can be listed with the following QQL:
lastVmScanDate:[now-24h ... now]


CI/CD Sensor

The CI/CD Sensor scans an image only when the build artifact has been explicitly marked for scanning with the reserved trigger tag qualys_scan_target:<image-sha>. The Qualys CI/CD plugin applies this tag automatically to newly built images; its presence tells the CI/CD Sensor which images it should scan.

After the scan completes and the results are uploaded to the Qualys backend, the CI/CD Sensor automatically removes the trigger tag.

Removing the tag serves two purposes:

  • It informs the build pipeline (when not using the plugin) that the scan has finished and the results are ready to be fetched from the Qualys platform.
  • It prevents the CI/CD Sensor from re-processing the same image, since only images with the trigger tag are eligible for scanning.

Customers building custom pipelines (without the plugin) can apply the trigger tag themselves from a Makefile or build script. The pipeline then watches for the tag's removal to learn that the scan has completed, and proceeds with actions such as failing the build or displaying results.
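The custom-pipeline flow just described, as an added example that is not Qualys's own code or plugin: the script tags a freshly built image with the trigger tag, then polls the image's tag list until the CI/CD Sensor removes it, and fails the build on timeout. It assumes (the page does not say) that <image-sha> is the hex part of the local image ID reported by docker image inspect, that the tag is applied with docker tag, and that the sensor's removal of the tag is visible in the image's RepoTags. The image name, timeout and poll interval are placeholders.

```shell
#!/bin/sh
# Added example (not Qualys's code): apply the CI/CD Sensor trigger tag from a custom
# build script and gate the build on the sensor removing it.
# Assumptions (not stated on the page): the <image-sha> is the hex digest of the local
# image ID, the tag is applied with `docker tag`, and tag removal shows up in RepoTags.
set -eu

QCS_TRIGGER_REPO="qualys_scan_target"

# Print the local image ID digest (hex only) for an image reference.
image_sha() {
    docker image inspect --format '{{.Id}}' "$1" | sed 's/^sha256://'
}

# Build the reserved trigger tag for a given hex digest.
trigger_tag_for() {
    printf '%s:%s\n' "$QCS_TRIGGER_REPO" "$1"
}

# Print the image's RepoTags as a space-separated list (overridable for testing).
list_image_tags() {
    docker image inspect --format '{{join .RepoTags " "}}' "$1"
}

# Return 0 if the exact trigger tag is present in a space-separated tag list.
# Whole-word comparison avoids matching a longer digest that shares a prefix.
has_trigger_tag() {
    tag_list="$1"; tag="$2"
    for t in $tag_list; do
        [ "$t" = "$tag" ] && return 0
    done
    return 1
}

# Apply the trigger tag so the CI/CD Sensor picks the image up; print the digest.
mark_for_scan() {
    image="$1"; sha="$(image_sha "$image")"
    docker tag "$image" "$(trigger_tag_for "$sha")"
    echo "$sha"
}

# Poll until the sensor removes the trigger tag (scan done, results uploaded)
# or the timeout (seconds) expires. Returns 0 on completion, 1 on timeout.
wait_for_scan() {
    image="$1"; sha="$2"; timeout="${3:-600}"; interval="${4:-10}"
    tag="$(trigger_tag_for "$sha")"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # If the image itself is gone, inspect fails; treat that as "no tags".
        tags="$(list_image_tags "$image" 2>/dev/null || true)"
        if ! has_trigger_tag "$tags" "$tag"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

main() {
    image="$1"
    sha="$(mark_for_scan "$image")"
    echo "tagged $image as $(trigger_tag_for "$sha"); waiting for the CI/CD Sensor"
    if wait_for_scan "$image" "$sha" "${QCS_SCAN_TIMEOUT:-600}"; then
        echo "scan complete; fetch results for $sha from the Qualys platform"
    else
        echo "timed out waiting for the scan of $sha" >&2
        exit 1
    fi
}

# Usage: ./qcs_scan_gate.sh myapp:build-123   (placeholder image name)
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The poll uses a whole-word match on the tag list rather than a substring grep, so a second build whose digest happens to extend the first one's prefix cannot be mistaken for the image still awaiting its scan. Tune QCS_SCAN_TIMEOUT to the longest scan you expect; a timeout should fail the build, since a result that never arrived is not a pass.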

QScanner is the modern alternative for inline image scanning: it is invoked directly within the build pipeline and needs no sensor or plugin, which suits teams that want a fully self-contained, scriptable scan step. To learn more, see Getting Started with QScanner.
You can download QScanner from Download QScanner | Qualys.

Events on Containers that Lead to Scan

The following container events are tracked: create, start, and unpause.

General Sensor scans a container when it is created and re-scans it every 48 hours thereafter (the Dynamic Scan, used for drift detection).

A later change of container state does not trigger a new scan. For example, a container that moves from Running to Paused or Stopped is not re-scanned.

Qualys Container Security records all container events, but a scan can only run while the container is in the Running state; from a scan perspective, the other events therefore do not trigger a scan until the container is Running.

Containers scanned by General Sensor (for example, within the 48-hour re-scan window) can be listed with the following QQL:
lastVmScanDate:[now-48h ... now]

Other Events that Lead to Scan

General Sensor pulls the manifest from Qualys every 24 hours, and each time Qualys releases a new manifest the sensor launches a scan so that existing images and containers are re-assessed against it.

To confirm that the new manifest triggered a scan, use the following QQL (works for both images and containers):

lastVmScanDate:[now-24h ... now]