Sensor Types

A Qualys Container Security sensor can be deployed in only one mode on a given container host or cluster node.
These are the types of Qualys Container Security sensors:

  • General
  • CI/CD
  • QScanner
  • Registry
  • Cluster
  • Admission Controller
  • Runtime

General

The General mode sensor is installed on your container nodes/hosts. It provides vulnerability and compliance assessments for your running containers and locally cached images. The General sensor performs demand-driven assessments based on container events, such as containers being instantiated and images being pulled. There are no on-demand scans or scheduled scan assessments; the sensor reacts to changes in the container environment in real time. The General mode sensor must be deployed separately from the Registry or CI/CD sensor.

CI/CD

CI/CD mode is for sensors running on CI Pipeline workers. It is a demand-driven assessment based on specific events. The sensor in CI/CD mode does not inventory or assess other images or containers running on the host/node. It performs vulnerability assessments only on specifically tagged images, and the assessment results are put into a priority processing queue with a faster SLA specifically for CI Pipeline assessments. The CI/CD sensor must be deployed separately from the General or Registry sensor.

QScanner

QScanner is a command-line utility for scanning CI/CD environments for vulnerabilities. It provides inline vulnerability reports directly in the command-line interface, integrating effortlessly into your existing workflow. Designed with enterprise needs in mind, QScanner enhances your security measures without adding any extra footprint to your ecosystem.

To learn more about QScanner, refer to QScanner Online Help.

Registry

Registry mode provides inventory and vulnerability assessment for images stored in registries. The sensor in Registry mode will not inventory or perform vulnerability assessments of the images or containers on the host where the sensor is deployed. The sensor in Registry mode must have network access to the registry URL. The Registry mode sensor will not discover registries automatically. The images inventoried and assessed are scoped by the registry connector scan jobs. These scan jobs are either automatic (scheduled) or on demand. Log in to the Container Security UI to configure a registry connector and scan job. The Registry mode sensor must be deployed separately from the General or CI/CD sensor.

Cluster

The Qualys Cluster Sensor is a component of Qualys Container Security that helps secure Kubernetes clusters by collecting and analyzing data on cluster events, network activity, and container interactions. It acts as a monitoring agent that runs inside your Kubernetes environment, providing visibility into cluster-level security.

To learn more about Qualys Cluster Sensor, refer to Cluster Sensor Online Help.

Admission Controller

The Qualys Admission Controller is a security component for Kubernetes clusters that enforces policies, ensuring that only compliant resources are allowed to be created or updated. It acts as a gatekeeper, evaluating incoming requests against predefined security policies before they are persisted in the cluster.

To learn more about Qualys Container Security Admission Controller, refer to Admission Controller Online Help.

Container Runtime

Qualys Container Runtime Sensor (CRS) tracks the file and process events happening in your containers that are hosted on a cluster. With the help of the latest eBPF technology, it monitors and enforces policies on the behavior of containers during runtime.

To learn more about Qualys Container Runtime Sensor, refer to CRS Online Help.