Qualys Container Scanning Connector for Azure DevOps

Release v1.1.0

Welcome to Qualys Container Security! Here, we help you get acquainted with the Qualys solutions for securing your Container environments like Images, Containers and Docker Hosts using the Qualys Cloud Security Platform.

Qualys Container Security provides a plugin for Azure DevOps to get the security posture for the container images built via the tool. The plugin can be configured to fail or pass the container image builds based on the vulnerabilities detected.

Prerequisites

To integrate Qualys Container Security with Azure DevOps, the following prerequisites must be met:

  • A valid Qualys subscription with the Container Security application activated.
  • Access to Qualys Container Security application API endpoint from your build host.
  • The container sensor for CI/CD environments must be installed on the Azure DevOps build host. Refer to the Qualys Container Sensor Deployment Guide for instructions on installing the CI/CD sensor. When deploying the sensor for a CI/CD environment, you must pass the parameter --cicd-deployed-sensor (or its short form -c).
  • Azure DevOps CICD tool version 1.0 or later.
  • An Internet connection so that the agent can reach the Qualys Cloud Platform. If the agent runs behind a proxy, install the sensor with the proxy option.
  • The Azure DevOps services and agents should have an open connection to the Qualys Cloud Platform in order to get data from the Qualys Cloud Platform for vulnerability reporting.

    The Qualys Container Scanning Connector automatically tags images built by the CI/CD pipeline with qualys_scan_target:<image-sha> to mark them for scanning; only images carrying this tag are scanned for vulnerabilities. Once scanning is complete, the Qualys Container Sensor removes the tag. However, if 'qualys_scan_target:<image-sha>' is the only tag on an image, the sensor retains it so that the image is not removed from the host.
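As an added example (not part of the Qualys connector or sensor), the following POSIX shell function audits a build host for images that still carry the qualys_scan_target tag and reports whether that tag is the image's only tag (the retention case described above) or whether other tags exist (the tag should disappear once the sensor finishes scanning). It assumes the line format produced by `docker images --format '{{.ID}} {{.Repository}}:{{.Tag}}'`; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not Qualys code. Input lines have the shape produced by:
#   docker images --format '{{.ID}} {{.Repository}}:{{.Tag}}'
# Constructed sample output (image IDs and digests are made up):
SAMPLE_IMAGES='3f1a2b3c4d5e qualys_scan_target:sha256abc
3f1a2b3c4d5e myapp:1.4.2
9a8b7c6d5e4f qualys_scan_target:sha256def
1234abcd5678 nginx:1.25'

# audit_scan_tags <docker-images-output>
# Prints one line per image ID that still carries a qualys_scan_target tag:
#   <id> other-tags  -> tag still present alongside real tags; the sensor has
#                       not yet scanned the image (or is not running in CI/CD mode)
#   <id> sole-tag    -> qualys_scan_target is the only tag; the sensor keeps it
#                       deliberately so the image is not removed from the host
audit_scan_tags() {
  printf '%s\n' "$1" | awk '
    {
      id = $1; ref = $2
      if (ref ~ /^qualys_scan_target:/) tagged[id] = 1
      else other[id] = 1
    }
    END {
      for (id in tagged) {
        status = (id in other) ? "other-tags" : "sole-tag"
        print id, status
      }
    }' | sort
}
```

On a real build host run `audit_scan_tags "$(docker images --format '{{.ID}} {{.Repository}}:{{.Tag}}')"`; a growing list of other-tags entries after builds complete is a sign that the sensor is not scanning.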

Recommended Setup for Server-Agent Deployment

Qualys Container Scanning Connector for Azure DevOps must be deployed on the Azure DevOps services. The Qualys Container Security Sensor should be installed wherever the docker daemon is running: if the docker daemon runs on the Azure DevOps agent, install the sensor on the agent; if it runs on a remote host, install the sensor on that host. Please refer to the Qualys Container Sensor Deployment Guide for deployment instructions.

The following figure shows the docker daemon running on the Azure DevOps agent.
[Figure: docker daemon running on the Azure DevOps agent]

The following figure shows the docker daemon running on a remote host.
[Figure: docker daemon running on a remote host]

The plugin makes a call to check if the sensor container is running on the host and if it is installed in the CI/CD mode.

Quick Start Steps

You can integrate the Qualys Container Security application with Azure DevOps using the following steps:

  1. Install Plugin
  2. Scan CI/CD Images
  3. Use Plugin

Additional Resources

You might already be familiar with Qualys Cloud Suite's features and user interface. If you are new to Qualys, we recommend the following additional resources.