Use Cases
QScanner has various use cases as mentioned below.
- Scanning for vulnerabilities
QScanner detects known vulnerabilities according to the versions of installed packages. The following packages are supported:
- OS packages
- Supported SCA Languages
For example,
$ ./qscanner --pod US3 --access-token $QUALYS_ACCESS_TOKEN image redhat/ubi8:latest
- Scan on image push in AWS ECR
QScanner can be launched to scan for vulnerabilities in images that are pushed to Amazon ECR. The push event can be triggered via Amazon EventBridge. For more details, refer to AWS ECR.
- Generating SBOM
You can generate an SBOM for your target container image by running QScanner. QScanner supports SBOMs in the following formats:
- SPDX JSON: QScanner uploads this format to your Qualys Cloud Platform account from which you can download it.
- SPDX TLV
- CycloneDX: You can download this format from your Qualys Cloud Platform account.
For example,
$ ./qscanner --format cyclonedx,spdx-tlv image centos
For more details, refer to Data Collection Formats.
- CI/CD pipeline
QScanner can be executed with --mode evaluate-policy and integrated into a CI/CD pipeline. The exit code of QScanner can be used to pass or fail builds.
For example,
$ ./qscanner --pod US3 --access-token $QUALYS_ACCESS_TOKEN --mode get-report --tags dev,all image openjdk
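The following pipeline step is an added example, not part of the QScanner documentation: it wraps the policy evaluation in a gate function that fails the build on a non-zero exit code. It assumes the binary path in QSCANNER_BIN (default ./qscanner), the pod in QUALYS_POD (default US3), and that any non-zero exit code from --mode evaluate-policy means the build must not proceed.

```shell
#!/bin/sh
# Added example (not from the QScanner documentation): gate a CI/CD build on
# QScanner's exit code. Assumptions: the binary is at $QSCANNER_BIN (default
# ./qscanner), the pod is $QUALYS_POD (default US3), and any non-zero exit
# code from "--mode evaluate-policy" means the build must fail.

QSCANNER_BIN="${QSCANNER_BIN:-./qscanner}"
QUALYS_POD="${QUALYS_POD:-US3}"

# scan_gate IMAGE
# Runs the policy evaluation for IMAGE. Returns 0 when the build may proceed
# and 1 when it must fail, so it can be used directly as a pipeline step.
scan_gate() {
  image="$1"

  # A missing scanner binary is a broken pipeline, not a clean scan:
  # fail the build rather than silently passing it.
  if [ ! -x "$QSCANNER_BIN" ]; then
    echo "scan_gate: QScanner binary not found at $QSCANNER_BIN" >&2
    return 1
  fi

  # The token is read from the environment so it never appears in the
  # pipeline definition or the shell history.
  if "$QSCANNER_BIN" --pod "$QUALYS_POD" \
      --access-token "${QUALYS_ACCESS_TOKEN:?QUALYS_ACCESS_TOKEN must be set}" \
      --mode evaluate-policy image "$image"; then
    rc=0
  else
    rc=$?
  fi

  if [ "$rc" -ne 0 ]; then
    echo "scan_gate: policy evaluation failed for $image (QScanner exit code $rc)" >&2
    return 1
  fi
  echo "scan_gate: policy evaluation passed for $image"
  return 0
}

# Typical use in a pipeline step (IMAGE_UNDER_TEST is set by the pipeline):
# scan_gate "$IMAGE_UNDER_TEST" || exit 1
```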
- GitHub action
QScanner can be used to generate a vulnerability report in SARIF format, which can be consumed by GitHub Actions. For more details, refer to Report Formats.
For example,
$ ./qscanner --pod US3 --access-token $QUALYS_ACCESS_TOKEN --report-format table,sarif image python
The SARIF report generated by QScanner is in compliance with the GitHub Actions tab. Online validator tools may nevertheless show the QScanner SARIF report as non-compliant.