Release 1.36
January 24, 2025
What’s New?
Enhancements in CI/CD Centralized Policy Management
With this release, you can enforce the 'Deny' action on an image using several new CI/CD Policy rule sub-types. Previously, IMAGESCAN_VULN_SEVERITYCOUNT was the only policy rule sub-type that could mark an image as 'Deny'; Qualys Container Security now provides additional rule sub-types for denying an image. Also, with this release, the 'Deny' action is renamed 'Fail' and the 'Allow' action is renamed 'Pass'.
The following rule sub-types are introduced under Policies > Image Assessment > Create Policy / Edit Policy > Rules > + Add Rule > Rule Sub Type.
- Block Known Vulnerability using QIDs
- Block Known Vulnerability using CVEs
- Limit Vulnerability using CVSS
- Enforce Qualys Detection Score Threshold
- Block Unauthorized Software
Using any of the above rule sub-types, you can mark an image as 'Fail'.
Moreover, you can use the Exclusion page to exclude the following entities from the CI/CD scan.
- QIDs
- Non-patchable vulnerabilities
- Vulnerabilities introduced in the last 45 days
To know more about this feature, refer to Container Security Online Help.
Enhancements in Admission Controller Centralized Policy Management
Qualys Container Security has introduced a new rule - POD Security - in Admission Controller policy. You can choose various options listed in Baseline and Restrictive sections. To know more about the available options, refer to Container Security Online Help. To know more about Admission Controller 1.1.0 features, refer to Admission Controller 1.1.0 Release Notes.
Also, similar to CI/CD Centralized Policy Management, many new rule sub-types are introduced under Image Security rule.
The Pod Security rule can be added only once per policy. You can update an existing Pod Security rule.
The following rule sub-types are introduced under Policies > Admission Controller > Create Policy / Edit Policy > Rules > + Add Rule > Image Security > Rule Sub Type.
- Block Known Vulnerability using QIDs
- Block Known Vulnerability using CVEs
- Limit Vulnerability using CVSS
- Enforce Qualys Detection Score Threshold
- Block Unauthorized Software
- Block Images with Secrets
- Block Specific Images
You can use the Exclusion page to exclude the following entities from the Admission Controller scan.
- Images
- Namespaces
- Non-patchable vulnerabilities
- Vulnerabilities introduced in the last 45 days
Using any of the above rule sub-types in the enforced policy, the cluster admission of the image being evaluated is marked as either 'Fail' or 'Pass'. You can see the cluster admission events under Events > Cluster Admission.
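To make the interplay between the rule sub-types and the Exclusion page concrete for both the CI/CD and the Admission Controller policies described above, here is an added illustration of how such a 'Pass'/'Fail' decision can be modelled. This is example code written for these notes, not the Qualys policy engine or its API; the class names, the assumption that exclusions are applied before rules are evaluated, and the reading of "introduced in the last 45 days" as the vulnerability's publication date are all assumptions, and every QID and CVE in the sample data is a constructed placeholder.

```python
"""Toy evaluator for 'Pass'/'Fail' image verdicts modelled on the rule
sub-types listed in the release notes. Hypothetical; not the Qualys engine."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Finding:
    qid: int
    cve: str
    cvss: float
    qds: int            # Qualys Detection Score (assumed 0-100 scale)
    patchable: bool
    published: date     # assumption: "introduced" = publication date


@dataclass
class Image:
    name: str
    findings: list
    software: list      # installed package names
    has_secrets: bool = False


@dataclass
class Policy:
    blocked_qids: set = field(default_factory=set)      # Block Known Vulnerability using QIDs
    blocked_cves: set = field(default_factory=set)      # Block Known Vulnerability using CVEs
    max_cvss: Optional[float] = None                    # Limit Vulnerability using CVSS
    max_qds: Optional[int] = None                       # Enforce Qualys Detection Score Threshold
    unauthorized_software: set = field(default_factory=set)  # Block Unauthorized Software
    block_secrets: bool = False                         # Block Images with Secrets (AC only)
    blocked_images: set = field(default_factory=set)    # Block Specific Images (AC only)


@dataclass
class Exclusions:
    qids: set = field(default_factory=set)
    images: set = field(default_factory=set)            # Admission Controller only
    namespaces: set = field(default_factory=set)        # Admission Controller only
    non_patchable: bool = False
    recent_days: Optional[int] = None                   # e.g. 45 to skip vulns newer than 45 days


def applicable_findings(image, exclusions, today):
    """Drop findings the Exclusion page says to ignore before any rule runs."""
    kept = []
    for f in image.findings:
        if f.qid in exclusions.qids:
            continue
        if exclusions.non_patchable and not f.patchable:
            continue
        if exclusions.recent_days is not None and (today - f.published).days <= exclusions.recent_days:
            continue
        kept.append(f)
    return kept


def evaluate(image, policy, exclusions, today, namespace=None):
    """Return ('Pass'|'Fail', [reasons]). Excluded images/namespaces pass outright."""
    if image.name in exclusions.images or (namespace is not None and namespace in exclusions.namespaces):
        return "Pass", ["excluded"]
    reasons = []
    if image.name in policy.blocked_images:
        reasons.append(f"image {image.name} is explicitly blocked")
    if policy.block_secrets and image.has_secrets:
        reasons.append("image contains secrets")
    for pkg in image.software:
        if pkg in policy.unauthorized_software:
            reasons.append(f"unauthorized software {pkg}")
    for f in applicable_findings(image, exclusions, today):
        if f.qid in policy.blocked_qids:
            reasons.append(f"blocked QID {f.qid}")
        if f.cve in policy.blocked_cves:
            reasons.append(f"blocked CVE {f.cve}")
        if policy.max_cvss is not None and f.cvss > policy.max_cvss:
            reasons.append(f"{f.cve} CVSS {f.cvss} exceeds {policy.max_cvss}")
        if policy.max_qds is not None and f.qds > policy.max_qds:
            reasons.append(f"{f.cve} QDS {f.qds} exceeds {policy.max_qds}")
    return ("Fail" if reasons else "Pass"), reasons


# Constructed sample data: placeholder QIDs/CVEs, not real identifiers.
TODAY = date(2025, 1, 24)
SAMPLE_IMAGE = Image(
    name="registry.example/app:1.0",
    findings=[
        Finding(qid=900001, cve="CVE-0000-0001", cvss=9.8, qds=92, patchable=True, published=date(2024, 6, 1)),
        Finding(qid=900002, cve="CVE-0000-0002", cvss=7.5, qds=60, patchable=False, published=date(2024, 9, 1)),
        Finding(qid=900003, cve="CVE-0000-0003", cvss=9.1, qds=88, patchable=True, published=date(2025, 1, 10)),
    ],
    software=["openssl", "netcat"],
)
POLICY = Policy(blocked_qids={900002}, max_cvss=9.0, unauthorized_software={"netcat"})


def demo():
    """Same image and policy, with and without the 45-day / non-patchable exclusions."""
    strict = evaluate(SAMPLE_IMAGE, POLICY, Exclusions(), TODAY)
    lenient = evaluate(SAMPLE_IMAGE, POLICY, Exclusions(non_patchable=True, recent_days=45), TODAY)
    return strict, lenient


if __name__ == "__main__":
    for verdict, reasons in demo():
        print(verdict, reasons)
```

Running `demo()` shows why the exclusions matter: the same image fails on four counts with no exclusions, but only on two once non-patchable and recently published findings are excluded, which is the kind of grace period these Exclusion page options give a pipeline without silently weakening the CVSS, QID or software rules themselves.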