QScanner Commands and Options

QScanner offers various options to cater to different scanning needs, allowing you to scan diverse targets and customize the scanning process based on your requirements. Following are the available commands and options for QScanner:

Environment Variables

QScanner supports the following environment variables.

QUALYS_ACCESS_TOKEN
  Passes the access token. Prefer this variable to the `--access-token` flag.
QSCANNER_REGISTRY_USERNAME
  Passes the registry username.
QSCANNER_REGISTRY_PASSWORD
  Passes the registry password. Prefer this variable to the `--registry-password` flag.
QSCANNER_REGISTRY_TOKEN
  Passes the registry token. Prefer this variable to the `--registry-token` flag.
CONTAINERD_ROOT_DIR
  Set to the containerd root directory. Not needed if containerd uses the default root directory (/var/lib/containerd).
CONTAINERD_NAMESPACE
  Set to the namespace of the target image if it is not in the default containerd namespace.
CONTAINERD_ADDRESS
  Set to the path of the containerd.sock file. Not needed if the socket is at the default path (`/run/containerd/containerd.sock`).
DOCKER_ROOT_DIR
  Set to the Docker root directory. Not needed if Docker uses the default root directory (/var/lib/docker).
PODMAN_ROOT_DIR
  Set to the Podman root directory. Not needed if Podman uses the default root directory.
QSCANNER_ENABLED_JAVADB_REPOS
  An ordered list of repositories from which QScanner attempts to download java-db.
TMPDIR
  Overrides the default location (`/tmp`) in which QScanner creates its temporary artifacts.


Commands and Targets

QScanner supports the following commands. Target refers to the entity on which the command performs its action.

image
  Scans a container image. The supported runtimes are docker, containerd, and cri-o.
  For containerd, if the image is located in a namespace other than containerd's default namespace, override it with the CONTAINERD_NAMESPACE variable, for example `export CONTAINERD_NAMESPACE=k8s.io`.
  Target: image name or image SHA.
tar
  Scans an archive of a container image.
  Target: file path to the .tar file.
configure
  Creates a configuration file for QScanner consisting of all the flags and options. This lets you store commonly used configurations in a file and reuse them without providing them to QScanner on each run. For more information, see Creating a Configuration File.
  Target: the path where the configuration file is generated.
clear-cache
  Clears the cache database. The local cache is created when QScanner runs with the --cache local option. For more details, see Caching.
  Target: N/A.

Global Options

QScanner supports the following options irrespective of commands.

--access-token {string}
  Specify the access token used for communication with the Qualys Enterprise TruRisk™ Platform.
--cert-path {string}
  Specify the CA certificate file.
--config-file {string}
  Specify the QScanner configuration file. By default, the qscanner.json file from the user's config directory is used; on Linux, for example, /root/.config/qscanner.json is loaded (if available) as the QScanner configuration.
--file-logging
  Specify this parameter to create a log file in the path specified by --output-dir.
--gateway-url {string}
  Specify this to use a POD that is not listed at https://www.qualys.com/platform-identification/
  Format: --gateway-url <gateway_url>
  Example: --gateway-url https://gateway.qg2.apps.qualys.com/cms/cli/v1.0
-h, --help
  Specify this parameter to display help for QScanner.
-l, --log-level {string}
  Specify the log level: debug, info, error, warn, or fatal. The default value is "info".
  Format: --log-level <level-string>
  Example: to enable debug logging, use --log-level debug.
-o, --output-dir {string}
  Specify the QScanner cache directory. This is the path where scan results are generated. The default path is "/root/qualys/qscanner/data".
--pod {string}
  Specify the Qualys Platform (POD) gateway URL for communication with the Qualys platform. You can find the gateway URL for your Qualys POD at https://www.qualys.com/platform-identification/
  Format: --pod <POD name>
  Example: --pod IN1
--proxy <proxy url>
  Enable a proxy for HTTP communication. If not provided, the HTTP proxies named by the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY (or their lowercase versions) are used.
-q, --quiet
  Specify this parameter to enable silent mode, in which console logs are disabled.
--skip-verify-tls
  Specify this parameter to skip TLS verification.
--secret-config-file <file_path>
  Specify the location of the secret rule configuration file.
-v, --version
  Specify this parameter to print the QScanner version.

Command-specific Options

The following options are specific to the image, tar, and configure commands.

--cache <Cache type>
  Use a cache for faster data collection. If multiple QScanner instances are spawned simultaneously, this option lets you block the other instances; for concurrent usage, this option must not be used. For more information, see Caching.
--cache-dir <string>
  Specify the QScanner cache directory. Default: "/root/.cache/qualys/qscanner"
--cache-cleanup-duration-threshold
  Specify the threshold of the cache cleanup duration in seconds. Default: 4320h0m0s (6 months)
--cache-cleanup-frequency
  Specify the frequency of cache cleanup. Default: 720h0m0s (1 month)
--enable-cache-cleanup
  Enables cache cleanup. Valid values: true / false
--exclude-dirs {strings}
  Specify directories that should not be scanned.
--exit-if-os-not-found
  When specified, QScanner exits with error code 15 if it is unable to collect the OS information.
--exit-if-os-pkg-not-found
  QScanner exits with error code 12 if it is unable to collect the installed OS packages. If --exit-if-os-not-found is also specified, that option takes precedence.
-f, --format {strings}
  Specify the format in which the inventory is generated. If multiple options are provided, all of them are generated in the path specified by --output-dir. QScanner supports the .json and .db file formats.
  With the db format, the inventory is generated as a SQLite database. This format must be used if any mode other than inventory-only is specified.
<command> --help
  Shows the help associated with the specified command.
--limit-resource-usage
  Reduces memory consumption, which leads to better performance of the scans.
-m, --mode {string}
  Specify the scan mode. The valid values are:
    • inventory-only: Performs data collection without uploading the data to the Qualys platform.
    • scan-only: Performs data collection and uploads it to the Qualys platform.
    • get-report: Scans the target, uploads the data to the Qualys platform, and fetches a generated report from the platform.
    • evaluate-policy: Scans the target, evaluates the policies, and fetches the policy evaluation results.
  The default value is get-report. For more information, see QScanner Modes.
--offline-scan
  Perform the scan in Offline mode. In this mode, QScanner does not communicate with any external entities. Valid values: true/false. Default value: false.
  In Online mode, QScanner issues API requests to identify dependencies; for example, QScanner must be able to reach the URL "https://ghcr.io". By default, the SCA scan is performed in Online mode because package collection in this mode is more accurate than in Offline mode. Use this argument to disable internet access for the SCA scan and run it in Offline mode instead.
  The quality of software package enumeration for Java degrades substantially when the scan is run in Offline mode, which can affect the accuracy of the image's vulnerability posture. Hence, it is recommended to run the scan in Online mode.
--poll-timeout {duration}
  Specify the poll timeout. After the specified time has elapsed, QScanner does not poll the Qualys platform or perform any operation that requires polling. The default value is 10 minutes.
--poll-wait-interval {duration}
  Specify the time interval between two poll requests. The default value is 1 minute.
--report-format
  Specify this parameter to generate the vulnerability report in SARIF, JSON, or table format. If multiple options are provided, all of them are generated in the path specified by --output-dir.
  Format: --report-format <sarif/table/json>
  Default: table, json
--scan-timeout {duration}
  Specify the scan timeout duration. The default value is 5 minutes.
--tags {strings}
  Specify the tags needed for policy evaluation. Policies are selected for evaluation based on the combination of tags. If the specified combination does not match any policy, the default policy is evaluated.
-t, --scan-types {strings}
  Specify the scans to perform. Currently, only pkg is available, which scans for package vulnerabilities.
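As an added example that is not part of the QScanner documentation, the following POSIX shell wrapper runs an image scan with the access token supplied through the QUALYS_ACCESS_TOKEN environment variable described above rather than the --access-token flag, and maps the exit codes documented for --exit-if-os-not-found (15) and --exit-if-os-pkg-not-found (12) to labels a CI job can act on. It assumes the binary is named `qscanner` and is on PATH; the POD name, image name, and output directory in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the QScanner docs. Assumes a `qscanner` binary on PATH.
# QScanner reads QUALYS_ACCESS_TOKEN (and QSCANNER_REGISTRY_PASSWORD, if set)
# from the environment, so the secrets never appear in the process argument list.

# Succeeds only if the access token is present in the environment.
check_secrets_env() {
    if [ -z "${QUALYS_ACCESS_TOKEN:-}" ]; then
        echo "QUALYS_ACCESS_TOKEN is not set; not passing a token on the command line" >&2
        return 1
    fi
    return 0
}

# Translate QScanner's documented exit codes into a label for CI logic:
# 15 = OS information could not be collected (--exit-if-os-not-found),
# 12 = installed OS packages could not be collected (--exit-if-os-pkg-not-found).
classify_exit() {
    case "$1" in
        0)  echo "ok" ;;
        12) echo "os-packages-not-found" ;;
        15) echo "os-not-found" ;;
        *)  echo "failed" ;;
    esac
}

# Scan one image: $1 image name or SHA, $2 POD name, $3 output directory.
# Results and the log file enabled by --file-logging land in --output-dir.
run_image_scan() {
    check_secrets_env || return 2
    qscanner image "$1" \
        --pod "$2" \
        --mode get-report \
        --report-format sarif \
        --output-dir "$3" \
        --file-logging \
        --exit-if-os-not-found \
        --exit-if-os-pkg-not-found
    rc=$?
    echo "qscanner exit $rc: $(classify_exit "$rc")" >&2
    return "$rc"
}

# Usage (placeholder values): export QUALYS_ACCESS_TOKEN first, then
#   run_image_scan "registry.example/app:1.0" IN1 ./qscanner-out
```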