Installing the CI/CD Sensor in Docker-in-Docker Environment

In this section, we’ll describe how to install the CS CI/CD Sensor (a part of QCS Sensor) in a CI/CD pipeline build for a Docker-in-Docker environment. This will allow you to scan images inside the Docker-in-Docker container.

Step 1: Have the CS Sensor image inside a Docker-in-Docker Container

There are two ways to do this:

  • You can pull the CS Sensor image from the registry and launch the sensor when the container is spun up.

    OR
  • You can bake the Docker-in-Docker container image with the CS Sensor tar in it.

Pull the CS Sensor image from the registry and launch the sensor

Benefits

  • No need to have pre-baked Docker-in-Docker container image with CS Sensor image/tar.
  • You can easily use the CS Sensor image hosted on the Docker Hub registry.

Disadvantages

  • All Docker-in-Docker containers need to have access to the registry.
  • An image is pulled each time a Docker-in-Docker container is spun up, which adds overhead to every job.

Pre-baked Docker-in-Docker container image with CS sensor tar in it

Benefits

  • No need to have access to the registry from the Docker-in-Docker container.
  • The execution of a few commands and installsensor.sh script is enough to launch the CS Sensor. To know about InstallSensor shell script parameters, refer to Installsensor Shell Script Command Line Parameters.

Disadvantages

  • The Docker-in-Docker container image size will be increased.
  • You’ll need to re-bake the Docker-in-Docker image for each new sensor release.

Step 2: Launch the Container Security Sensor

There are two ways to do this:

  • You can launch the sensor when the Docker-in-Docker container boots up.

    OR
  • You can launch the sensor from a build job. This topic describes both methods.

Launch sensor on Docker-in-Docker container bootup

Benefit

No need to modify the build pipeline configuration to launch the CS Sensor.

Disadvantages

  • The credentials (Activation ID/Customer ID) need to be stored in the init script.
  • Only a predefined persistent storage path can be provided.

Launch init script inside the Docker-in-Docker container

Use the init script to launch the sensor. The init script will contain the following command:

docker run -d --restart on-failure --cpus=0.2 -v /etc/qualys:/usr/local/qualys/qpa/data/conf/agent-data -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --net=host --name qualys-container-sensor <Qualys CS Sensor image name from registry> --scan-thread-pool-size 4 --cicd-deployed-sensor

Use installsensor.sh script

Use the installsensor.sh script to launch the sensor on Docker-in-Docker bootup.

tar -xvf QualysContainerSensor.tar.xz

docker load -i qualys-sensor.tar

./installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> HostIdSearchDir=/private/etc/qualys Storage=/tmp/qualys/sensor/data --cicd-deployed-sensor -s

Launch Sensor from a Build Job

Benefits

  • Credentials (Activation ID/Customer ID) and sensor parameters can be passed from the build job configuration.
  • The persistent storage can be defined during launch.
  • It’s easy to create a unique directory for each job (using the Job ID) and use it as persistent storage.

Disadvantages

You’ll need to modify the build job configuration to launch the CS Sensor.

Launch CS Sensor using docker run command to pull image from registry

Launch the CS Sensor with the docker run command, which pulls the CS Sensor image from the registry.

docker run -d --restart on-failure --cpus=0.2 -v /etc/qualys:/usr/local/qualys/qpa/data/conf/agent-data -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/local/qualys/sensor/data:/usr/local/qualys/qpa/data -e ACTIVATIONID=<Activation id> -e CUSTOMERID=<Customer id> -e POD_URL=<POD URL> --net=host --name qualys-container-sensor <Qualys CS Sensor image name from registry> --scan-thread-pool-size 4 --cicd-deployed-sensor

Launch CS Sensor as part of a build job using pre-baked Docker-in-Docker image

This command launches the CS Sensor as part of a build job using a pre-baked Docker-in-Docker container image with the CS Sensor tar in it.

<path>/installsensor.sh ActivationId=<Activation id> CustomerId=<Customer id> HostIdSearchDir=/private/etc/qualys Storage=/tmp/qualys/sensor/data --cicd-deployed-sensor -s

Persistent storage for CS sensor running in Docker-in-Docker build container

Please provide appropriate persistent storage for the CS Sensor so that its logs can be retrieved if the sensor fails or a container image scan fails.
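The build-job launch method and the persistent-storage note above, as an added example that is not part of the Qualys documentation: a build step that reads the credentials from the job environment instead of an init script, gives each job its own storage directory under the documented path, and waits for the sensor container to be running before the job continues. The variable names ACTIVATIONID, CUSTOMERID, POD_URL, QCS_IMAGE, QCS_STORAGE_ROOT and QCS_LAUNCH_JOB are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Qualys documentation: a build-job step that
# launches the CS Sensor with credentials read from the job environment and a
# per-job persistent storage directory, so sensor logs survive a failed scan.
# Assumed variables: ACTIVATIONID, CUSTOMERID, POD_URL, QCS_IMAGE (sensor image
# name from the registry) and QCS_STORAGE_ROOT (defaults to the documented path).
set -eu

# Per-job storage path: the build job id keeps each job's sensor data separate.
sensor_storage_dir() {
  printf '%s/job-%s' "${QCS_STORAGE_ROOT:-/usr/local/qualys/sensor/data}" "$1"
}

# Fail early when a required credential or setting is missing, rather than
# launching a sensor that cannot register with the platform.
require_var() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "missing required variable: $1" >&2; return 1; }
}

# Compose the documented docker run command, with the host-side storage path
# replaced by the per-job directory. Printed rather than executed so it can be
# inspected in the build log before it runs.
sensor_run_cmd() {
  storage=$(sensor_storage_dir "$1")
  printf '%s' "docker run -d --restart on-failure --cpus=0.2 \
-v /etc/qualys:/usr/local/qualys/qpa/data/conf/agent-data \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v ${storage}:/usr/local/qualys/qpa/data \
-e ACTIVATIONID=${ACTIVATIONID} -e CUSTOMERID=${CUSTOMERID} -e POD_URL=${POD_URL} \
--net=host --name qualys-container-sensor ${QCS_IMAGE} \
--scan-thread-pool-size 4 --cicd-deployed-sensor"
}

# Launch the sensor and wait until the container is running, so the scan step
# that follows in the job does not start before the sensor is ready.
launch_sensor() {
  for v in ACTIVATIONID CUSTOMERID POD_URL QCS_IMAGE; do require_var "$v"; done
  mkdir -p "$(sensor_storage_dir "$1")"
  sh -c "$(sensor_run_cmd "$1")"
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    state=$(docker inspect -f '{{.State.Running}}' qualys-container-sensor 2>/dev/null || true)
    [ "$state" = "true" ] && return 0
    sleep 2
  done
  echo "sensor did not start; logs are under $(sensor_storage_dir "$1")" >&2
  return 1
}

# Only launch when a job id is supplied, e.g. QCS_LAUNCH_JOB="$BUILD_ID" sh launch.sh
[ -z "${QCS_LAUNCH_JOB:-}" ] || launch_sensor "$QCS_LAUNCH_JOB"
```

Point QCS_LAUNCH_JOB at the CI system's build or job id; the same directory is then where to collect the sensor logs if the scan step fails.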