Use Cases

QScanner has several use cases, described below.

  • Scanning for vulnerabilities

    QScanner detects known vulnerabilities based on the versions of the installed packages. The following package types are supported:
     - OS packages
     - Supported SCA Languages
    For example,
    $ ./qscanner --pod US3 --access-token $QUALYS_ACCESS_TOKEN image redhat/ubi8:latest

  • Scan on image push in AWS ECR

    QScanner can be launched to scan for vulnerabilities in images that get pushed into Amazon ECR. The push event can be triggered via Event bridge. For more details, refer to AWS ECR.
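    The push-triggered flow described above, as an added example that is not part of the QScanner documentation: the EventBridge event pattern that matches a successful ECR push, and a helper that turns the event into the digest-pinned image reference a QScanner target would scan. The sample event is constructed, not a real capture; the rule name and the target that launches QScanner are assumptions, and `json_string_field` is a minimal extractor written here to avoid a jq dependency.

```shell
#!/usr/bin/env bash
# Added example (not Qualys code): wire an ECR push event to a scan.

ecr_push_event_pattern() {
    # EventBridge pattern for a completed push. Failed pushes and deletes
    # are excluded; scoping to one repository (optional $1) is an assumption.
    local repo="$1"
    if [ -n "$repo" ]; then
        printf '{"source":["aws.ecr"],"detail-type":["ECR Image Action"],"detail":{"action-type":["PUSH"],"result":["SUCCESS"],"repository-name":["%s"]}}\n' "$repo"
    else
        printf '{"source":["aws.ecr"],"detail-type":["ECR Image Action"],"detail":{"action-type":["PUSH"],"result":["SUCCESS"]}}\n'
    fi
}

create_ecr_push_rule() {
    # Creates the rule with the AWS CLI; the target that runs QScanner is
    # attached separately. Rule name is a placeholder. Not executed here.
    local name="${1:-qscanner-on-ecr-push}" repo="$2"
    aws events put-rule --name "$name" --event-pattern "$(ecr_push_event_pattern "$repo")"
}

# Constructed sample event (compact single-line JSON, placeholder account/digest).
SAMPLE_EVENT='{"version":"0","detail-type":"ECR Image Action","source":"aws.ecr","account":"123456789012","region":"us-east-1","detail":{"result":"SUCCESS","repository-name":"team/app","image-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef","action-type":"PUSH","image-tag":"1.2.3"}}'

json_string_field() {
    # Minimal extractor for a string-valued key in compact JSON (keys are
    # unique in this event). Not a general JSON parser; avoids needing jq.
    printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

image_ref_from_event() {
    # Build <account>.dkr.ecr.<region>.amazonaws.com/<repo>@<digest>.
    # Pinning to the digest scans exactly the bytes that were pushed, even if
    # the tag is later moved to another image.
    local ev="$1" acct region repo digest
    acct=$(json_string_field account "$ev")
    region=$(json_string_field region "$ev")
    repo=$(json_string_field repository-name "$ev")
    digest=$(json_string_field image-digest "$ev")
    [ -n "$acct" ] && [ -n "$region" ] && [ -n "$repo" ] && [ -n "$digest" ] || return 1
    printf '%s.dkr.ecr.%s.amazonaws.com/%s@%s\n' "$acct" "$region" "$repo" "$digest"
}

# Inside the target, the scan would then be (flags from the page's examples):
#   ./qscanner --pod US3 --access-token "$QUALYS_ACCESS_TOKEN" \
#       image "$(image_ref_from_event "$EVENT_JSON")"
```

    The function returns non-zero when any field is missing, so a malformed or unexpected event does not result in scanning an empty or partially built image reference.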

  • Generating SBOM

    You can generate an SBOM for a target container image by running QScanner with --mode inventory-only. QScanner supports the following SBOM formats:
    - SPDX JSON
    - SPDX TLV
    - Cyclone DX
    For more details, refer to Data Collection Formats.
    For example,
    $ ./qscanner --mode inventory-only --format spdx image centos

  • CI/CD pipeline

    QScanner can be executed with --mode evaluate-policy and integrated into a CI/CD pipeline. The exit code of QScanner can be used to pass or fail builds.
    For example,
    $ ./qscanner --pod US3 --access-token $QUALYS_ACCESS_TOKEN --mode get-report --tags dev,all image openjdk
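    A build gate built on the exit-code behaviour described above, as an added example that is not part of the QScanner documentation. It assumes (the page does not state this) that exit status 0 means the policy evaluation passed and that any non-zero status, including a scanner that could not run at all, should fail the build; QSCANNER_GATE_WARN_ONLY is a hypothetical variable for advisory runs on development branches.

```shell
#!/usr/bin/env bash
# Added example (not Qualys code): gate a CI job on the QScanner exit code.

run_gated_scan() {
    # usage: run_gated_scan <scanner command and arguments>
    # Capture the exit code without letting a 'set -e' shell abort first,
    # so the gate can log the decision and choose pass, warn or fail.
    local rc=0
    "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then
        printf 'scan gate: PASS (exit %d)\n' "$rc" >&2
        return 0
    fi
    if [ "${QSCANNER_GATE_WARN_ONLY:-0}" = "1" ]; then
        # Advisory mode (assumed knob): report but do not block the build.
        printf 'scan gate: WARN-ONLY, scanner exited %d, build continues\n' "$rc" >&2
        return 0
    fi
    # Fail closed: a scanner that could not reach the pod or had a bad token
    # also exits non-zero, so an infrastructure error never passes silently.
    printf 'scan gate: FAIL (exit %d)\n' "$rc" >&2
    return 1
}

# Real invocation in a pipeline step (flags from the page), not run here:
#   run_gated_scan ./qscanner --pod US3 --access-token "$QUALYS_ACCESS_TOKEN" \
#       --mode evaluate-policy --tags dev,all image openjdk
```

    Because the wrapper returns 1 on any non-zero scanner status, the pipeline step that calls it fails the build without further logic; switching QSCANNER_GATE_WARN_ONLY on for a branch keeps the report visible while the policy is being tuned.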

  • GitHub action

    QScanner can generate a vulnerability report in SARIF format, which can be consumed by GitHub Actions. For more details, refer to Report Formats.
    For example,
    $ ./qscanner --pod US3 --access-token $QUALYS_ACCESS_TOKEN --report-format table,sarif image python