FAQs
Q1. I get the error "Failed to create scan target: Gateway URL (--gateway-url or --pod) and Access token (--access-token) are required" when running the following command:
$ ./qscanner image <image_name>
Answer: By default QScanner runs in get-report mode. In this mode it contacts the Qualys backend to fetch the vulnerability report, so it needs to know which Qualys POD to talk to and the access token for your account. Pass the POD with --pod and the token through the QUALYS_ACCESS_TOKEN environment variable. The token can also be passed with --access-token, but keeping it in the environment avoids leaving it in shell history and in process listings visible to other users on the host.
$ export QUALYS_ACCESS_TOKEN=<your-access-token>
$ ./qscanner --pod US2 image <image_name>
Q2. I provided both the access token and the POD, but I still get: "...failed to verify certificate: x509 error:..."
Answer: This typically happens in a proxy environment where an intercepting proxy re-signs TLS traffic with its own certificate authority. The --skip-verify-tls flag bypasses TLS certificate verification and makes the error go away, but it also means QScanner no longer checks the identity of the server it sends your access token and scan data to. Treat it as a last resort: where your environment allows it, prefer having the proxy's CA certificate trusted on the scanning host so that verification succeeds.
Q3. QScanner execution is stuck and nothing happens.
Answer: Make sure the host can reach the Qualys backend over the internet. If you are running behind a proxy, make sure the https_proxy environment variable is set so that QScanner routes its HTTPS traffic through it.
Q4. Can we specify the file name for the scan result that QScanner generates?
Answer: You cannot choose a custom name for each file QScanner generates. QScanner writes the inventory (packages, layer mappings, metadata, etc.) to a file called <prefix>_ScanResult.json in the directory given by --output-dir. ScanResult.json is not the only output file: depending on the options provided, QScanner can also generate the Changelist DB, Report.json, and other output formats of the inventory. This is why the --output-dir option exists: it keeps every artifact produced by one QScanner run in one place. E.g.:
$ ./qscanner --pod US1 --output-dir /tmp/pythonData/ image python
The above command creates the following files (for image scans the prefix is the image ID):
/tmp/pythonData/<image_id>_ChangeList.db.xz
/tmp/pythonData/<image_id>_ScanResult.json
/tmp/pythonData/<image_id>_Report.json
Q5. It is cumbersome to provide the complete gateway URL to QScanner on each run. Is there an easier way?
Answer: Starting with QScanner v4.0.0, the --pod flag lets you specify the Qualys POD by its identifier instead of the full gateway URL. See Appendix: POD Identifiers.
Q6. The vulnerability report is printed in a tabular format on the console. How can I consume it from an automation program?
Answer: The console table is meant for humans. For automation, use the full report JSON file generated at <output_dir>/<prefix>_Report.json. This JSON contains:
- Metadata about the target being scanned
- Inventory: details of OS and SCA packages
- Layer mapping
- Vulnerability report
- Policy evaluation result
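The following script is an added example for Q4 and Q6; it is not part of QScanner or Qualys documentation. It relies only on the file-naming convention stated above (<prefix>_ScanResult.json, <prefix>_Report.json, <prefix>_ChangeList.db.xz) to group the artifacts of each run found under an --output-dir by prefix, and then loads each Report.json and reports its top-level sections without assuming any field names. The sample output directory written by make_sample_output_dir() is constructed for illustration: the image ID and the keys inside the sample Report.json are hypothetical and do not reflect the real report schema.

```python
"""Group QScanner artifacts by prefix and summarise each Report.json.

Added example, not QScanner code. Only the documented file-naming
convention is assumed; sample data below is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# One regex for the three documented artifact names. The prefix is whatever
# precedes the last "_<kind>" suffix (the image ID for image scans).
ARTIFACT_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<kind>ScanResult\.json|Report\.json|ChangeList\.db\.xz)$"
)


def collect_artifacts(output_dir):
    """Return {prefix: {kind: Path}} for every artifact under output_dir.

    Files that do not follow the naming convention are ignored.
    """
    groups = {}
    for path in Path(output_dir).iterdir():
        match = ARTIFACT_RE.match(path.name)
        if match is None:
            continue
        groups.setdefault(match["prefix"], {})[match["kind"]] = path
    return groups


def summarise_report(report_path):
    """Load a Report.json and map each top-level key to a size hint.

    Lists and objects are reported by length; scalars are passed through.
    No particular field names are assumed, so this works on any object-shaped
    report and tells you which sections are present before you write
    schema-specific code against them.
    """
    with open(report_path, "rb") as fh:
        doc = json.load(fh)
    if not isinstance(doc, dict):
        raise ValueError(f"{report_path}: expected a JSON object at top level")
    return {
        key: (len(value) if isinstance(value, (list, dict)) else value)
        for key, value in doc.items()
    }


def summarise_output_dir(output_dir):
    """Per prefix: which artifacts exist and, if present, the Report.json summary."""
    result = {}
    for prefix, files in collect_artifacts(output_dir).items():
        entry = {"artifacts": sorted(files)}
        if "Report.json" in files:
            entry["report"] = summarise_report(files["Report.json"])
        result[prefix] = entry
    return result


def make_sample_output_dir():
    """Write a constructed artifact set for one hypothetical scan to a temp dir."""
    out = Path(tempfile.mkdtemp(prefix="qscanner-example-"))
    prefix = "sha256-0123abcd"  # hypothetical image ID, not a real digest
    (out / f"{prefix}_ScanResult.json").write_text('{"packages": []}')
    (out / f"{prefix}_ChangeList.db.xz").write_bytes(b"")
    # Hypothetical report body: keys mirror the sections the FAQ lists but
    # are NOT the real schema.
    sample_report = {
        "metadata": {"target": "python", "type": "image"},
        "inventory": [{"name": "openssl"}, {"name": "requests"}, {"name": "pip"}],
        "layers": [{"layer": "sha256-aaaa"}],
        "vulnerabilities": [{"id": "EXAMPLE-1"}, {"id": "EXAMPLE-2"}],
        "policy": {"result": "PASS"},
    }
    (out / f"{prefix}_Report.json").write_text(json.dumps(sample_report))
    (out / "notes.txt").write_text("unrelated file; must be ignored")
    return out


if __name__ == "__main__":
    sample_dir = make_sample_output_dir()
    print(json.dumps(summarise_output_dir(sample_dir), indent=2, default=str))
```

Point summarise_output_dir() at a real --output-dir to see which runs left a Report.json behind and which top-level sections each one carries; once you know the section names in your QScanner version, replace the generic size hints with the fields your pipeline actually needs.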