Qualys IaC Security Integration with GitHub
In the current continuous integration and continuous deployment (CI/CD) environment, security scans run on cloud resources only after they have been deployed. As a result, your cloud resources are secured only post-deployment, in their respective cloud accounts.
With the introduction of the Infrastructure as Code (IaC) Security feature in Qualys TotalCloud, you can now secure your IaC templates before the cloud resources are deployed to your cloud environments. The IaC Security feature shifts your cloud security and compliance posture to the left, allowing cloud resources to be evaluated for misconfigurations much earlier, during the development phase.
Qualys TotalCloud offers an integration with GitHub that secures Git repositories through GitHub Actions, which scan the IaC templates in your GitHub repositories. It continuously checks for security misconfigurations against Qualys TotalCloud security controls and reports the misconfigurations found in each run. You get continuous visibility into the security posture of the IaC templates in your GitHub repositories and can plan remediation accordingly. Follow this guide for more details.
For supported templates, other integrations, and features of Cloud IaC Security, refer to TotalCloud Online Help and TotalCloud API User Guide.
Scan IaC Templates at GitHub
The GitHub integration lets you run IaC scans on push and pull request events in your GitHub repositories. We provide a GitHub Actions template with options that can be configured to run on various triggers.
You can run an IaC scan on either of the following:
- The entire repository for the branch on which the manual or scheduled event was triggered.
- Only the templates that were newly added to the branch.
The results shown in GitHub give you proactive visibility into your cloud security by scanning the templates residing in your GitHub repositories.
Prerequisites
The following are the prerequisites for scanning IaC templates at GitHub:
- Ensure you have a valid Qualys TotalCloud (Cloud Security Assessment) app subscription.
- Before you trigger IaC scans in GitHub, configure the environment variables that the actions use.
- Self-hosted runners must run a Linux operating system and have Docker installed to run this action.
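As an added illustration of how the triggers and prerequisites above fit together in a workflow file (this is an example skeleton, not the GitHub Actions template that Qualys ships), the following workflow runs a scan on push, pull request, manual and scheduled events on a self-hosted Linux runner. The action reference, the secret names and the cron value are placeholders; take the real action reference and environment variable names from the Configure Environment Variables step.

```yaml
# Example workflow skeleton (added illustration, not Qualys's own template).
# The action reference and environment variable names below are PLACEHOLDERS;
# replace them with the values documented in "Configure Environment Variables".
name: Qualys IaC scan

on:
  push:                 # scan templates pushed to these branches
    branches: [main]
  pull_request:         # scan templates proposed in a pull request
    branches: [main]
  workflow_dispatch:    # manual run: scans the whole branch
  schedule:
    - cron: "0 2 * * 1" # scheduled run (constructed value): Mondays 02:00 UTC

permissions:
  contents: read        # least privilege: the scan only needs to read the repository

jobs:
  iac-scan:
    # Self-hosted runners must be Linux with Docker installed (see prerequisites)
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so a "newly added templates" scan can diff the branch

      - name: Scan IaC templates with Qualys TotalCloud
        # PLACEHOLDER: substitute the action reference provided by Qualys
        uses: PLACEHOLDER_ORG/PLACEHOLDER_QUALYS_IAC_ACTION@v1
        env:
          # PLACEHOLDER variable names; keep credentials in repository secrets,
          # never as literals in the workflow file
          QUALYS_PLATFORM_URL: ${{ secrets.QUALYS_PLATFORM_URL }}
          QUALYS_USERNAME: ${{ secrets.QUALYS_USERNAME }}
          QUALYS_PASSWORD: ${{ secrets.QUALYS_PASSWORD }}
```

Restricting `permissions` to `contents: read` and sourcing credentials from repository secrets keeps the scan job from holding more access to the repository than it needs.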
Next step:
Configure Environment Variables