Qualys AWS ECS Fargate Image Scan Stack Deployment Steps

Follow the steps below to set up AWS ECS Fargate image scanning. You’ll create a CloudFormation stack using a Qualys CloudFormation template and a Qualys Lambda function.

Prerequisites

Before you begin, make sure you have the following items ready to successfully launch the CloudFormation AWS ECS Fargate image scanning stack.

The AWS region where you want to deploy the stack.

Qualys CloudFormation template URL: https://qualys-cs-image-scanning-cloud-formation-template.s3.amazonaws.com/qcs-ecs-fargate-image-scanning-cf.template

Environment details for your Qualys subscription: POD URL, Activation ID, Customer ID. To get the Activation ID and Customer ID auto-generated for your subscription, go to Configurations > Sensors in the UI and click Download Sensor, then click any sensor type. The installation command on the Installation Instructions page contains your Activation ID and Customer ID.

Qualys Lambda function (Zip file). You’ll need the S3 bucket name and bucket key for configuring the ECS scanning Lambda function. See the following section to get the S3 bucket name and bucket key for each AWS region: Qualys CS Lambda Function S3 Bucket Names and Keys.

Qualys sensor image (version 1.18 or later). Refer to How to Get the Qualys Sensor Image.

How to Get the Qualys Sensor Image

You have these options for the Qualys Container Security Sensor image:

Use from Docker Hub directly

Use from Docker Hub but push the image to your ECR repository (public)

Load from tar and push it to your ECR repository (public)

The sections that follow describe these options in more detail.

Use from Docker Hub directly

You can use the sensor image directly from Docker Hub. The Container Security Sensor on Docker Hub is available as:
qualys/qcs-sensor:<tag>
qualys/qcs-sensor:latest

Look up the most recent tag in Docker Hub.

Use from Docker Hub but push the image to your ECR repository (public)

Use the following commands to push the Qualys sensor image to the ECR public repository:
sudo docker pull qualys/qcs-sensor:latest
sudo docker tag qualys/qcs-sensor:latest <URL to push image to ECR public repository>
sudo docker push <URL to push image to ECR public repository>

For example:
sudo docker pull qualys/qcs-sensor:latest
sudo docker tag c3fa63a818df public.ecr.aws/y4h7m2t8/qualys/sensor:latest
sudo docker push public.ecr.aws/y4h7m2t8/qualys/sensor:latest
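
Added example, not Qualys code: a wrapper for the pull, tag and push commands above that enforces the 1.18 minimum from the prerequisites by requiring an explicit version tag instead of latest. The function names, the MAJOR.MINOR tag format and the destination repository are assumptions; check the actual tags in Docker Hub.

```bash
#!/usr/bin/env bash
# Added example, not Qualys code. Tag format and repository are assumptions.

MIN_MAJOR=1
MIN_MINOR=18   # prerequisite on this page: sensor image version 1.18 or later

# Succeeds only for an explicit version tag >= 1.18 (assumed MAJOR.MINOR[...]).
# "latest" fails: a floating tag cannot be compared against the minimum.
tag_meets_minimum() {
  local tag="$1" major minor
  case "$tag" in
    [0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  major="${tag%%.*}"
  minor="${tag#*.}"
  minor="${minor%%[!0-9]*}"          # keep only the leading digits of MINOR
  case "$major" in *[!0-9]*) return 1 ;; esac
  [ -n "$minor" ] || return 1
  if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
  [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]
}

# Prints each command; set RUN=1 to execute it with sudo instead.
run() {
  if [ "${RUN:-0}" = "1" ]; then sudo "$@"; else echo "sudo $*"; fi
}

# mirror_sensor <tag> <destination repository without tag>
mirror_sensor() {
  local tag="$1" dest_repo="$2" src dest
  if ! tag_meets_minimum "$tag"; then
    echo "refusing '$tag': need an explicit version tag >= $MIN_MAJOR.$MIN_MINOR" >&2
    return 1
  fi
  [ -n "$dest_repo" ] || { echo "destination repository required" >&2; return 1; }
  src="qualys/qcs-sensor:${tag}"
  dest="${dest_repo}:${tag}"
  run docker pull "$src" &&
    run docker tag "$src" "$dest" &&
    run docker push "$dest"
}
```

Without RUN=1 the function only prints the three commands, so the output can be reviewed before anything is pulled or pushed.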

Load from tar and push the image to your ECR repository (public)

Download the QualysContainerSensor.tar.xz file from the Qualys Cloud Portal on a Linux computer. In the Container Security UI, download the Binary (tar.xz) file by going to Configurations > Sensors > Download Sensor and clicking any sensor type. Then pick Linux and the Binary (tar.xz) tab. Click Download Now to get the tar file.

Untar the sensor package:
sudo tar -xvf QualysContainerSensor.tar.xz

Use the following commands to push the Qualys sensor image to the ECR public repository:
sudo docker load -i qualys-sensor.tar
sudo docker tag <IMAGE NAME/ID> <URL to push image to ECR public repository>
sudo docker push <URL to push image to ECR public repository>

For example:
sudo docker load -i qualys-sensor.tar
sudo docker tag c3fa63a818df public.ecr.aws/y4h7m2t8/qualys/sensor:latest
sudo docker push public.ecr.aws/y4h7m2t8/qualys/sensor:latest