Integration with GitHub

GitHub provides GitHub Actions to help development teams automate build, test, and security workflows directly from their repositories. QScanner integrates with GitHub Actions, enabling you to scan container images or package artifacts during the Continuous Integration (CI) phase. Running QScanner in GitHub CI detects vulnerabilities, open-source and package risks, and embedded secrets. The resulting scan report can be produced in SARIF (the format GitHub Actions code scanning accepts), tabular, and JSON formats.

Scan Image in GitHub using QScanner Binary

You can scan your image locally using the QScanner binary and publish the scan result on GitHub, where you publish the image.

Follow the steps below to scan your image.

  1. Build your code.
  2. Generate build artifact – container image.
  3. Download the QScanner binary in GitHub runner.
  4. Scan the generated image using QScanner.
    QScanner can scan either an image available in the local runtime (for example, Docker) or an image tar archive.
    QScanner writes the vulnerability report in SARIF format.
  5. Upload the SARIF report to GitHub using CodeQL Action.

Once the SARIF report is uploaded, you will see the findings in GitHub’s Security tab under Code scanning.
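A workflow that follows the five steps above, written here as an added example rather than a file from Qualys or from this page: the QScanner download location, its scan command and flags, the secret and variable names, and the report file name are assumptions marked as placeholders, to be replaced with the values from the QScanner CLI reference. It scans the saved image tar so the scan does not depend on the runner's Docker daemon.

```yaml
name: build-and-scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed by upload-sarif to create Code scanning alerts
    steps:
      - uses: actions/checkout@v4

      # Steps 1-2: build the code and produce the container image artifact.
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      # Step 3: fetch the QScanner binary onto the runner.
      # QSCANNER_URL is an assumed repository variable holding the download
      # location; verify the file against the checksum Qualys publishes
      # before executing it.
      - name: Download QScanner
        run: |
          curl -fsSL "${{ vars.QSCANNER_URL }}" -o qscanner
          chmod +x qscanner

      # Step 4: scan the image tar. The command and flags are placeholders
      # for the options documented in the QScanner CLI reference.
      - name: Scan image with QScanner
        env:
          QUALYS_ACCESS_TOKEN: ${{ secrets.QUALYS_ACCESS_TOKEN }}  # assumed secret name
        run: |
          docker save -o image.tar myapp:${{ github.sha }}
          ./qscanner <scan-command-and-flags-from-QScanner-docs> image.tar   # placeholder
          test -s qscanner-results.sarif   # fail early if no report was written

      # Step 5: publish the SARIF so findings appear under Security > Code scanning.
      # if: always() uploads the report even when the scan step fails the build
      # on findings, so the alerts are still recorded.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: qscanner-results.sarif
          category: qscanner-image
```

The `category` input keeps QScanner's alerts separate from any other SARIF producers in the same repository, so they can be filtered and tracked independently in the Code scanning view.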