QScanner Commands and Options
QScanner offers various options to cater to different scanning needs, allowing you to scan diverse targets and customize the scanning process based on your requirements. Following are the available commands and options for QScanner:
Environment Variables
QScanner supports the following environment variables.
Variable | Description |
---|---|
QUALYS_ACCESS_TOKEN | Passes the access token. Prefer this variable over the `--access-token` flag, which would expose the token on the command line. |
QSCANNER_REGISTRY_USERNAME | Passes the registry username. |
QSCANNER_REGISTRY_PASSWORD | Passes the registry password. Prefer this variable over the `--registry-password` flag. |
QSCANNER_REGISTRY_TOKEN | Passes the registry token. Prefer this variable over the `--registry-token` flag. |
CONTAINERD_ROOT_DIR | Set this to the containerd root directory. Not needed if containerd uses the default root directory (`/var/lib/containerd`). |
CONTAINERD_NAMESPACE | Set this to the namespace of the target image if that image is not in the default containerd namespace. |
CONTAINERD_ADDRESS | Set this to the path of the containerd.sock file. Not needed if the socket is at the default path (`/run/containerd/containerd.sock`). |
DOCKER_ROOT_DIR | Set this to the Docker root directory. Not needed if Docker uses the default root directory (`/var/lib/docker`). |
PODMAN_ROOT_DIR | Set this to the Podman root directory. Not needed if Podman uses the default root directory. |
QSCANNER_ENABLED_JAVADB_REPOS | An ordered list of repositories from which QScanner attempts to download java-db. |
TMPDIR | Overrides the default temporary location that QScanner uses for its temporary artifacts. The default is `/tmp`. |
Commands and Targets
QScanner supports the following commands. Target refers to the entity on which the command performs its action.
Command | Description | Target |
---|---|---|
image | To scan a container image. The supported runtimes are docker, containerd, and cri-o. For containerd, if your image is located in a namespace other than the default containerd namespace, override it using the CONTAINERD_NAMESPACE variable, for example `export CONTAINERD_NAMESPACE=k8s.io`. | Image name or Image SHA |
tar | To scan an archive of a container image. | File path to the .tar file |
configure | To create a configuration file for QScanner. Use this command to generate a configuration file containing all the flags and options, so that commonly used configurations can be stored in a file and reused without being passed to QScanner on each run. For more information, see Creating a Configuration File. | The path where the configuration file is generated. |
clear-cache | To clear the cache database. A local cache is created when QScanner runs with the `--cache local` option. For more details, see Caching. | N/A |
Global Options
QScanner supports the following options regardless of the command.
Argument | Description |
---|---|
--access-token {string} | Specify the access token used for communication with the Qualys Enterprise TruRisk™ Platform. |
--cert-path {string} | Specify the CA certificate file. |
--config-file {string} | Specify the QScanner configuration file. By default, QScanner uses the qscanner.json file in the user's config directory; on Linux, for example, /root/.config/qscanner.json is loaded if it exists. |
--file-logging | Create a log file in the path specified by --output-dir. |
--gateway-url {string} | Use a POD that is not listed at https://www.qualys.com/platform-identification/ Format: |
-h, --help | Show help for QScanner. |
-l, --log-level {string} | Specify the log level: debug, info, error, warn, or fatal. The default is "info". Format: |
-o, --output-dir {string} | Specify the QScanner cache directory. This is the path where scan results are generated. The default path is: " |
--pod {string} | Specify the Qualys Platform (POD) gateway URL used for communication with the Qualys platform. You can find the gateway URL for your Qualys POD at https://www.qualys.com/platform-identification/ Format: - |
--proxy <proxy url> | Enable a proxy for HTTP communication. If not provided, QScanner uses the proxies given by the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables (or their lowercase equivalents). |
-q, --quiet | Enable silent mode, in which console logs are disabled. |
--skip-verify-tls | Skip TLS certificate verification. This disables server certificate checks on QScanner's HTTPS connections. |
--secret-config-file <file_path> | Specify the location of the secret rule configuration file. |
-v, --version | Print the QScanner version. |
Command-specific Options
Here are the arguments specific to Image, Tar and Configure commands.
Argument | Description |
---|---|
--cache <Cache type> | Use a cache for faster data collection. If multiple QScanner instances are spawned simultaneously, this option lets one instance block the others, so it must not be used for concurrent runs. For more information, see Caching. |
--cache-dir <string> | Specify the QScanner cache directory. Default path: /root/.cache/qualys/qscanner |
--cache-cleanup-duration-threshold | Specify the cache cleanup duration threshold in seconds. Default: 4320h0m0s (6 months) |
--cache-cleanup-frequency | Specify the cache cleanup frequency. Default: 720h0m0s (1 month) |
--enable-cache-cleanup | Enable cache cleanup. Valid values: true / false |
--exclude-dirs {strings} | Specify directories that should not be scanned. |
--exit-if-os-not-found | QScanner exits with error code 15 if it is unable to collect the OS information. |
--exit-if-os-pkg-not-found | QScanner exits with error code 12 if it is unable to collect the installed OS packages. If --exit-if-os-not-found is also specified, that option takes precedence. |
-f, --format {strings} | Specify the format in which the inventory is generated. If multiple options are provided, all of them are generated in the path specified by --output-dir. QScanner supports the .json and .db file formats. In |
<command> --help | Show the help for the specified command. |
--limit-resource-usage | Reduce memory consumption, which leads to better scan performance. |
-m, --mode {string} | Specify the scan mode. The valid values are: The default value is |
--offline-scan | Perform the scan in Offline mode, in which QScanner does not communicate with any external entities. Valid values: true / false. Default: false. In Online mode, QScanner issues API requests to identify dependencies; for example, it must be able to reach https://ghcr.io. By default, the SCA scan runs in Online mode because package collection in that mode is more accurate than in Offline mode. Use this argument to disable internet access for the SCA scan and run it in Offline mode instead. The quality of software package enumeration for Java degrades substantially in Offline mode, which can affect the accuracy of the image's vulnerability posture, so running the scan in Online mode is recommended. |
--poll-timeout {duration} | Specify the poll timeout. After this time has elapsed, QScanner no longer polls the Qualys platform or performs any operation that requires polling. The default is 10 minutes. |
--poll-wait-interval {duration} | Specify the interval between two poll requests. The default is 1 minute. |
--report-format | Generate the vulnerability report in SARIF, JSON, or tabular format. Format: --report-format <sarif/table/json>. If multiple options are provided, all of them are generated in the path specified by --output-dir. The default is table, json. |
--scan-timeout {duration} | Specify the scan timeout. The default is 5 minutes. |
--tags {strings} | Specify the tags needed for policy evaluation. Policies are selected for evaluation based on the combination of tags; if the specified combination matches no policy, the default policy is evaluated. |
-t, --scan-types {strings} | Specify the scans to perform. Currently only pkg is available, which scans for package vulnerabilities. |
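A CI wrapper for `qscanner image`, added here as an example and not part of QScanner's own tooling: it applies the Environment Variables table's recommendation (secrets via QUALYS_ACCESS_TOKEN and the QSCANNER_REGISTRY_* variables rather than flags) and maps the exit codes documented for --exit-if-os-not-found and --exit-if-os-pkg-not-found to messages. QSCANNER_BIN, QSCANNER_POD, OUTPUT_DIR and the function names are assumptions of this example, not QScanner names.

```shell
#!/bin/sh
# Added CI wrapper for "qscanner image" (example code, not part of QScanner).
# Secrets stay in the environment variables the page recommends
# (QUALYS_ACCESS_TOKEN, QSCANNER_REGISTRY_PASSWORD, QSCANNER_REGISTRY_TOKEN);
# QSCANNER_BIN, QSCANNER_POD, OUTPUT_DIR and the function names are assumed.

# Documented exit codes for --exit-if-os-not-found (15) and
# --exit-if-os-pkg-not-found (12); other codes are passed through unchanged.
explain_exit() {
    case "$1" in
        0)  echo "scan completed" ;;
        12) echo "installed OS packages could not be collected (exit 12)" ;;
        15) echo "OS could not be identified (exit 15)" ;;
        *)  echo "qscanner exited with code $1" ;;
    esac
}

# Refuse flags that would place a secret on the command line, where it is
# visible in process listings and shell history; the environment variable
# form is what the page recommends.
reject_secret_flags() {
    for arg in "$@"; do
        case "$arg" in
            --access-token|--access-token=*|--registry-password|--registry-password=*|--registry-token|--registry-token=*)
                echo "refusing to pass a secret via $arg; use the environment variable instead" >&2
                return 1 ;;
        esac
    done
    return 0
}

# scan_image IMAGE [extra qscanner flags...]; returns QScanner's exit code.
scan_image() {
    image="$1"; shift
    [ -n "${QUALYS_ACCESS_TOKEN:-}" ] || { echo "QUALYS_ACCESS_TOKEN is not set" >&2; return 2; }
    [ -n "${QSCANNER_POD:-}" ] || { echo "QSCANNER_POD (your Qualys POD) is not set" >&2; return 2; }
    reject_secret_flags "$@" || return 2
    if "${QSCANNER_BIN:-qscanner}" image "$image" \
            --pod "$QSCANNER_POD" \
            --exit-if-os-not-found --exit-if-os-pkg-not-found \
            --report-format sarif \
            --output-dir "${OUTPUT_DIR:-./qscanner-out}" "$@"; then
        rc=0
    else
        rc=$?
    fi
    explain_exit "$rc" >&2
    return "$rc"
}
```

Invoke as `scan_image registry.example/app:1.0 --tags ci` with the environment variables exported by the CI secret store; the wrapper's own return code is QScanner's, so a pipeline step fails on codes 12 and 15.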