Release 1.38
April 22, 2025
What’s New?
Qualys Kubernetes Posture Management
With this release, Qualys Container Security can manage your Kubernetes (K8s) posture, that is, the set of practices and processes used to secure your K8s environments. Qualys is developing this feature in phases. In this first phase, Qualys K8s Posture Management, with the help of the Cluster Sensor, supports policy evaluation based on the CIS Benchmarks offered by various Cloud Providers. See the Supported Cloud Providers and CIS Benchmark Policies table. The Cluster Sensor evaluates your posture data against the controls assigned to it, and the evaluation result is reported to your Qualys Enterprise TruRisk™ Platform account. You can also retrieve this information using the K8s Posture APIs. As of now, Qualys provides more than 200 controls for K8s posture evaluation.
Your posture data is saved as a Control file, which the Cluster Sensor uses to carry out the CIS compliance scan.
Qualys CS offers K8s Posture Management as a default feature, but it can be disabled using the Helm Chart during Cluster Sensor installation.
Pre-requisites
- Qualys Cluster Sensor 1.2.0
- Unified Helm Chart 2.4.0
For this feature to work on your Cloud Provider, you must install Cluster Sensor 1.2.0 or later using Unified Helm Chart 2.4.0 or later. To learn how to install the Cluster Sensor using the Unified Helm Chart, refer to Installing Cluster Sensor.
Supported Cloud Providers and CIS Benchmark Policies
Qualys K8s Posture Management currently supports the following Cloud Providers.
Cloud Provider | Qualys K8s Posture Management Support | Supported CIS Benchmark Version
Azure | Supported | CIS Azure Kubernetes Service (AKS) Benchmark v1.6.0
AWS | Supported | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.6.0
GCP (GKE Standard Cluster) | Supported | CIS Google Kubernetes Engine (GKE) Benchmark v1.7.0
GCP (GKE Autopilot) | Not supported | -
Self-managed K8s | Supported | CIS Kubernetes Benchmark v1.10
OpenShift | Supported | CIS Red Hat OpenShift Container Platform v1.7.0
OCI | Not supported | -
To support this feature, a new Postures tab is introduced, which shows details of all K8s controls in your account (Container Security > Postures > Kubernetes Posture). The Kubernetes Posture page lists all CIDs found in your postures along with details of the controls used for the evaluation, including each control's criticality level and security posture.
You can click on a control to see more details of the evaluation. It shows you a list of resources evaluated against the control.
For more details on the interface of this feature, refer to the CS Online Help.
Ability to Block Old Images
Old images may contain outdated dependencies or flaws, or they may no longer be fit for their intended use, which can make a system vulnerable.
With this release, a new sub-type, 'Block Older Images', is introduced under the Image Security rule. Using this rule, you can block container images older than the number of days specified at the time of policy creation, so that only images within that age limit are considered for evaluation. This is a further enhancement to Qualys Container Security Centralized Policy Management and applies only to K8s Admission Controller policies.
Image age is calculated based on its creation date.
You can apply the new rule (Block Older Images) to a policy:
- During policy creation - Container Security > Policies > Admission Controller > Create Policy > Rules > Rule Sub-Type.
- By editing an existing admission controller policy - Container Security > Policies > Admission Controller > Quick Actions > Edit > Rules > Rule Sub-Type.
You can block images older than 1, 2, 3, 6, or 12 months, or use the Custom duration option to block images older than a chosen number of days, from 30 to 1095.
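As an added illustration (not Qualys code), the following Python models the age check that the Block Older Images rule describes: it derives each image's age from its creation timestamp, enforces the 30 to 1095 day custom range, and answers a Kubernetes AdmissionReview for a Pod. The image metadata map, the image names and the fail-closed handling of images with an unknown creation date are constructed assumptions of this example.

```python
from datetime import datetime, timezone

MIN_CUSTOM_DAYS, MAX_CUSTOM_DAYS = 30, 1095  # custom range stated in the release notes

# Constructed sample metadata: image reference -> creation timestamp (RFC 3339),
# standing in for the 'created' field of each image's OCI config.
IMAGE_CREATED = {
    "registry.example/app:1.0": "2024-01-15T00:00:00Z",
    "registry.example/app:2.3": "2025-03-30T08:30:00Z",
}


def image_age_days(created: str, now: datetime) -> int:
    """Whole days elapsed between the image's creation timestamp and 'now'."""
    created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return (now - created_at).days


def evaluate_pod_images(review: dict, max_age_days: int, now: datetime) -> dict:
    """Return an AdmissionReview response for a Pod: allowed only if every
    container image (regular and init) is no older than max_age_days.
    Images whose creation date is unknown are denied (fail closed); that is
    an assumption of this example, not documented Qualys behaviour."""
    if not MIN_CUSTOM_DAYS <= max_age_days <= MAX_CUSTOM_DAYS:
        raise ValueError(f"age limit must be {MIN_CUSTOM_DAYS}-{MAX_CUSTOM_DAYS} days")
    request = review["request"]
    spec = request["object"]["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    violations = []
    for c in containers:
        created = IMAGE_CREATED.get(c["image"])
        if created is None:
            violations.append(f"{c['image']}: creation date unknown")
            continue
        age = image_age_days(created, now)
        if age > max_age_days:
            violations.append(f"{c['image']}: {age} days old, limit {max_age_days}")
    response = {"uid": request["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403,
                              "message": "Block Older Images: " + "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


if __name__ == "__main__":
    # Constructed AdmissionReview request for a Pod running both sample images.
    review = {"request": {"uid": "constructed-uid-1", "object": {"spec": {
        "containers": [{"image": "registry.example/app:1.0"},
                       {"image": "registry.example/app:2.3"}]}}}}
    print(evaluate_pod_images(review, 365, datetime(2025, 4, 22, tzinfo=timezone.utc)))
```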
Support 'First Detected' Information in Container Vulnerability Report
Qualys CS now supports the First Detected column in the Container Vulnerability report. Earlier, this column was available only in the Image Vulnerability report. This column shows when a specific vulnerability was first identified in a container during a scan. It helps track the history of vulnerabilities and provides insight into how long a vulnerability has been present in a given container.
You can include the First Detected column by selecting its checkbox on the Report Display page while generating a Container Vulnerability report (Container Security > Reports > Create Report > Basic Details > Report Source - Container Vulnerability > Report Schedule > Report Display).
The First Detected column is displayed in the downloaded Container Vulnerability report.
Enhancement in Sensor Download Page
With this release, Qualys Container Security has simplified its Sensor Download page. You can now choose the Sensor type based on your Container environment.
In addition, the Qualys CS Sensor now supports the following Cloud Providers as Container environments for the Runtime sensor installation type.
- Amazon EKS
- Google GKE
- Azure AKS
- Oracle OKE
- Amazon ECS
- Red Hat OpenShift
For more information on the CS Sensor Download page, refer to CS Online Help.