Qualys IaC Security Integration with GitHub

Qualys IaC Security CLI shifts compliance validation earlier in the development pipeline by scanning infrastructure-as-code (IaC) templates before deployment rather than after resources are live in the cloud. It evaluates configuration files against predefined controls to identify misconfigurations during the build phase, so that they are fixed before the resources they describe are provisioned. Catching issues at this stage, when they are cheapest to fix, reduces remediation cost and risk exposure, and integrations with CI/CD tools such as Jenkins, GitHub, and GitLab embed the scans directly in existing development workflows.

Traditionally, security scans in a continuous integration and continuous deployment (CI/CD) environment are performed on cloud resources after deployment: they assess resources once they are provisioned in the respective cloud accounts and identify configuration issues in resources that are already live.

With the introduction of the Infrastructure as Code (IaC) security feature in Qualys TotalCloud, organizations can validate IaC templates during development. The IaC Security feature evaluates templates against security and compliance policies, providing developers with visibility into configuration issues and policy violations during template creation and modification stages.

Qualys TotalCloud integrates with GitHub through GitHub Actions, so IaC templates stored in GitHub repositories can be scanned as part of a workflow. Each workflow run evaluates the templates against Qualys TotalCloud security controls and reports the misconfigurations it detects. This gives visibility into the security posture of the IaC templates in the repository and a basis for planning remediation. Follow this guide for more details.

For supported templates, other integrations, and features of Cloud IaC Security, refer to TotalCloud Online Help and TotalCloud API User Guide.

Scan IaC Templates at GitHub

The GitHub integration allows you to perform IaC scans on pull requests and pushes to your GitHub repositories. Qualys provides a GitHub Actions workflow template, with options that can be configured so the scan runs on various triggers.

You can perform an IaC scan on either of the following:

  • The entire repository, for the branch on which the manual or scheduled event was triggered.
  • Only the templates that were newly added to the branch.

Because the templates are scanned while they still reside in the GitHub repository, the results shown in GitHub give you proactive visibility into your cloud security posture before anything is deployed.
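The following workflow is an added example, not the template Qualys ships, written to show how the two scan scopes above map onto GitHub Actions triggers: a manual (workflow_dispatch) or scheduled run lists every template on the branch, while a push or pull request lists only files added since the event's base commit. The template file extensions, the weekly cron expression, and the final placeholder step are assumptions; the real Qualys scan step and the environment variables it reads are covered on the next page (Configure Environment Variables), so they are not reproduced here.

```yaml
name: IaC scan scope example   # added example, not the Qualys-provided template

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * 1"        # assumed: weekly, Monday 03:00 UTC

jobs:
  iac-scan:
    runs-on: ubuntu-latest      # a self-hosted runner must be Linux with Docker installed (see Pre-requisites)
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history, so the base commit of a push or PR is available for diffing

      - name: Decide which templates to scan
        id: scope
        shell: bash
        env:
          # Pass context values through env rather than interpolating ${{ }} into the script body,
          # so untrusted event data can never be parsed as shell syntax.
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
        run: |
          set -euo pipefail
          # Assumed template extensions; the supported formats are listed in TotalCloud Online Help.
          PATHSPEC=('*.tf' '*.json' '*.yaml' '*.yml')
          case "${GITHUB_EVENT_NAME}" in
            workflow_dispatch|schedule)
              # Scope 1: entire repository for the branch the event ran on
              git ls-files -- "${PATHSPEC[@]}" > scope.txt
              ;;
            pull_request)
              # Scope 2: only templates added (--diff-filter=A) relative to the PR base
              git diff --diff-filter=A --name-only "${PR_BASE_SHA}" HEAD -- "${PATHSPEC[@]}" > scope.txt
              ;;
            push)
              if [ "${PUSH_BEFORE_SHA}" = "0000000000000000000000000000000000000000" ]; then
                # First push of a new branch has no previous commit; fall back to the whole branch
                git ls-files -- "${PATHSPEC[@]}" > scope.txt
              else
                git diff --diff-filter=A --name-only "${PUSH_BEFORE_SHA}" HEAD -- "${PATHSPEC[@]}" > scope.txt
              fi
              ;;
          esac
          echo "count=$(grep -c . scope.txt || true)" >> "$GITHUB_OUTPUT"
          echo "Templates in scope:"; cat scope.txt

      - name: Run the Qualys IaC scan
        if: steps.scope.outputs.count != '0'
        run: |
          # Placeholder (assumption): invoke the Qualys-provided action here with scope.txt as the
          # list of templates. Its inputs and required environment variables are on the next page.
          echo "would scan: $(tr '\n' ' ' < scope.txt)"
```

Two points worth keeping when adapting this: `fetch-depth: 0` is required, because the default shallow checkout has no base commit to diff against and `git diff` would fail; and the all-zero `before` SHA on a brand-new branch is a real edge case that should fall back to a full-branch scan rather than silently scanning nothing.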

Pre-requisites

Following are the pre-requisites for scanning IaC templates at GitHub:

  • Ensure you have a valid Qualys TotalCloud (Cloud Security Assessment) app subscription.
  • Before you trigger IaC scans in GitHub, configure the environment variables that the actions use.
  • Self-hosted runners must run a Linux operating system and have Docker installed to run this action.

Next step:

Configure Environment Variables