QScanner Commands and Options

QScanner offers various options to cater to different scanning needs, allowing you to scan diverse targets and customize the scanning process based on your requirements. Following are the available commands and options for QScanner:

Environment Variables

QScanner supports the following environment variables.

Variable	Description
QUALYS_ACCESS_TOKEN	This is used to pass access token. It is recommended to avoid `--access-token` flag and use this environment variable.
QSCANNER_REGISTRY_USERNAME	This is used to pass registry username.
QSCANNER_REGISTRY_PASSWORD	This is used to pass registry password. It is recommended to avoid `--registry-password` flag and use this environment variable.
QSCANNER_REGISTRY_TOKEN	This is used to pass registry token. It is recommended to avoid `--registry-token` flag and use this environment variable.
CONTAINERD_ROOT_DIR	Set this environment variable with containerd root directory. If containerd root directory path is default (/var/lib/containerd) then no need to set this environment variable.
CONTAINERD_NAMESPACE	If namespace of target scan image is not default then set this environment variable with namespace of target scan image.
CONTAINERD_ADDRESS	Set this environment variable with containerd.sock file path. If containerd.sock file path is default(`//run/containerd/containerd.sock`) then no need to set this environment variable.
DOCKER_ROOT_DIR	Set this environment variable with docker root directory path. If docker root directory path is default (/var/lib/docker) then no need to set this environment variable.
PODMAN_ROOT_DIR	Set this environment variable with Podman root directory path. If Podman root directory path is default then no need to set this environment variable.
QSCANNER_ENABLED_JAVADB_REPOS	Use this to provide an ordered list of repositories from where to attempt download of java-db.
TMPDIR	Use this ENV variable to override default temp location that QScanner uses to create various temporary artifacts. The default is `/tmp`.

Commands and Targets

QScanner supports the following commands. Target refers to the entity on which the command performs its action.

Command	Description	Target
`image`	To scan a container image. The supported runtimes are: docker, containerd, and cri-o. For containerd, if your image is located in a namespace other than the default namespace of containerd, you can override it using the CONTAINERD_NAMESPACE variable. For example, export CONTAINERD_NAMESPACE=k8s.io.	Image name or Image SHA
`tar`	To scan an archive of a container image.	File path to the .tar file
`configure`	To create a configuration file for QScanner. Use this command to generate a configuration file consisting of all the flags and options. This helps you store commonly used configurations in a file and reuse them without having to provide them to QScanner on each run. For more information, see Creating a Configuration File.	The path where the configuration file is generated.
`clear-cache`	To clear the cache database. Local cache is created when running QScanner with --cache local option. For more details, see Caching.	N/A

Global Options

QScanner supports the following options irrespective of commands.

Argument	Description
`--access-token {string}`	Specify the access token to be used for the communication with the Qualys Enterprise TruRisk™ Platform.
`--cert-path {string}`	Specify the CA Certificate file.
`--config-file {string}`	Specify the QScanner configuration file. By default, it uses the qscanner.json file from the user's config directory. For example, in Linux, `/root/.config/qscanner.json` is used (if available) to load the QScanner configuration.
`--file-logging`	Specify this parameter to create a log file in the path specified by `--output-dir`.
`--gateway-url {string}`	Specify this to use a POD which is not listed in: https://www.qualys.com/platform-identification/ Format: `--gateway-url <gateway_url>` Example: `--gateway-url https://gateway.qg2.apps.qualys.com/cms/cli/v1.0`
`-h, --help`	Specify this parameter to access help for QScanner.
`-l, --log-level {string}`	Specify the log level: debug, info, error, warn, or fatal. The default value is "info". Format: `--log-level <level-string>` Example: To enable debug logging, use `--log-level debug`.
`-o, --output-dir {string}`	Specify the QScanner cache directory. This is the path where scan results are generated. The default path is: "`/root/qualys/qscanner/data`".
`--pod {string}`	Specify Qualys Platform (POD) gateway URL for the communication with the Qualys platform. You can find the gateway URL for your Qualys POD at: https://www.qualys.com/platform-identification/ Format: -`-pod <POD name>` Example: `--pod IN1`
`--proxy <proxy url>`	Enable proxy for HTTP communication. If not provided, it uses HTTP proxies as directed by the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY (or the lowercase versions thereof).
`-q, --quiet`	Specify this parameter to enable the silent mode. In this mode, the console logs are disabled.
`--skip-verify-tls`	Specify this parameter to skip secure TLS verification.
`--secret-config-file <file_path>`	Specify the location of the secret rule configuration file.
`-v, --version`	Specify this parameter to know the QScanner version.

Command-specific Options

Here are the arguments specific to Image, Tar and Configure commands.

Argument	Description
`--cache <Cache type>`	Use cache for faster data collection. If multiple QScanner instances are spawned simultaneously, using this option you can block other instances. For concurrent usage, this option must not be used. For more information, see Caching.
`--cache-dir <string>`	Use to specify QScanner cache directory. (Default path - "`/root/.cache/qualys/qscanner`")
`--cache-cleanup-duration-threshold`	Specify thereshold of cache cleanup duration in seconds. Default Value: 4320h0m0s (6 months)
`--cache-cleanup-frequency`	Specify frequency of cache cleanup. Default Value: 720h0m0s (1 month)
`--enable-cache-cleanup`	Enables cache cleanup. Valid Values: true / false
`--exclude-dirs {strings}`	Specify directories where scanning should not be performed.
`--exit-if-os-not-found`	When specified, QScanner exits with error code 15, if QScanner is unable to collect the OS information.
`--exit-if-os-pkg-not-found`	QScanner exits with error code 12, if it is unable to collect OS installed packages. If `--exit-if-os-not-found` is also specified, it takes precedence.
`-f, --format {strings}`	Specify the format in which the inventory should be generated. If multiple options are provided, all of them are generated in the path specified by -`-output-dir`. QScanner supports .json and .db file formats. In `db` format option, the inventory is generated in SQLite DB format. This must be used if any mode other than `inventory-only` is specified.
`<command> --help`	Shows help file associated with the specified command.
`--limit-resource-usage`	Reduces memory consumption which leads to better performance of the scans.
`-m, --mode {string}`	Specify the scan mode. The valid values are: inventory-only: Performs data collection without uploading the data to the Qualys platform. scan-only: Performs data collection and uploads it to the Qualys platform. get-report: Scans the target, uploads the data to the Qualys platform, and fetches a generated report from the platform. evaluate-policy: Scans the target, evaluates the policies, and fetches the policy evaluation results. The default value is `get-report`. For more information, see QScanner Modes.
`--offline-scan`	Perform scan in the Offline mode. In this mode, QScanner doesn't communicate with any external entities. Valid Values: `true`/`false` Default value: `false` In Online mode, QScanner issues the API requests to identify dependencies. For example, QScanner must reach the URL “https://ghcr.io”. By default, the SCA scan is performed in Online mode as the package collection in this mode is more accurate than scans performed in Offline mode. Use this argument to disable the internet access for the SCA scan and run the scan in Offline mode instead. The quality of software package enumeration for Java substantially degrades when the scan is run in Offline mode. This can affect the accuracy of the vulnerability posture of the image. Hence, it is recommended to run the scan in Online mode.
`--poll-timeout {duration}`	Specify the poll timeout value. After the specified time has elapsed, QScanner does not poll the Qualys platform or perform any operation that requires polling. The default value is 10 minutes.
`--poll-wait-interval {duration}`	Specify the time interval between two poll requests. The default value is 1 minute.
`--report-format`	Specify this parameter to generate your vulnerability report in either SARIF or Json or tabular format. Format: `--report-format <sarif/table/json>` If multiple options are provided, all of them will be generated in the path specified by `--output-dir`. (default [table,json]) The default value is json, table.
`--scan-timeout {duration}`	Specify scan timeout duration. The default value is 5 minutes.
`--tags {strings}`	Specify the tags needed for policy evaluation. Policies are called for evaluation based on the combination of tags. If the specified combination does not match any policy, the default policy is called and evaluated.
`-t, --scan-types {strings}`	Specify the scans to perform. Currently, only pkg is available, which scans package vulnerabilities.