Using QScanner

You can run QScanner in various environments, such as inside a container or directly on an operating system. It scans targets such as container images and image tar files.

QScanner scans the target statically (it inspects the image contents without running it) and collects information according to the scan types you select. QScanner performs the following types of scans:

  • Vulnerability scan (static)
  • Software Composition Analysis (SCA)

By default, both scans are performed.

The general syntax of the command for running QScanner is as follows:

qscanner <global_options> command <command_options> target

For information about QScanner commands and options, see Commands and Options.

You can perform the following actions using QScanner.

  1. Run QScanner to perform the required scans (vulnerability scan and SCA) in one of two modes.
    • To collect data and keep it as a local inventory, without uploading it, use the inventory-only mode.
      The command format for the inventory-only mode:
      qscanner image <image_name or imageId> --mode inventory-only
    • To collect data and upload it to the Qualys Enterprise TruRisk™ Platform, use the scan-only mode.
      The command format for the scan-only mode:
      qscanner image <image_name or imageId> --mode scan-only --pod <POD name> --access-token <token>
      Because the token is passed as a command-line argument, read it from an environment variable (for example "$QTOKEN") rather than typing it literally, so that it does not end up in shell history or CI logs.
      To know more about Qualys PODs, go to Qualys POD Identifiers.
  2. To fetch the QScanner report and write it to a local directory, run the following command:

    qscanner image <image_name or imageId> --mode get-report --pod <POD name> --access-token <token> --output-dir <path_to_output_dir>

    The report is written to the directory given by --output-dir.

  3. To evaluate a Container Security policy against an image, run the following command:

    qscanner image demo-image:latest --mode evaluate-policy --pod <POD name> --access-token "$QTOKEN"

    Here demo-image:latest is an example image name and the token is read from the QTOKEN environment variable. You can run QScanner in a CI/CD pipeline and use the policy evaluation feature of Container Security to automate operations such as passing or failing a build.

  4. To disable collection of packages for certain languages during SCA, run the following command:
    qscanner image <image_name or imageId> --disable-sca-languages <comma-separated list of languages to disable>

    For example, to disable collection of Ruby, .NET, and Node.js packages from the image named sentry, run the following command:
    qscanner image sentry --disable-sca-languages ruby,.net,Node.js

    Language values are not case-sensitive.
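Putting steps 1 to 4 together, the following script is an added example of a CI gate built around these commands; it is illustrative code written for this page, not part of QScanner or of Qualys' documentation. It assumes, none of which the page states, that qscanner is on PATH (or named by the QSCANNER variable), that the token and POD come from the QTOKEN and QUALYS_POD environment variables, that the docker CLI is available to resolve a tag to an image ID, that --disable-sca-languages can be combined with --mode scan-only, and that --mode evaluate-policy exits non-zero when the image fails the policy. The function names (describe_mode, run_mode, sca_disable_value, resolve_image, gate_image) and the GATE_IMAGE, REPORT_DIR and SCA_DISABLE variables are the example's own.

```shell
#!/bin/sh
# Added example: a CI gate around the QScanner commands shown above.
# Illustrative code written for this page, not Qualys' own script.
# Assumptions (not stated on the page): qscanner is on PATH or named by
# QSCANNER; QTOKEN holds the access token; QUALYS_POD holds the POD
# identifier; evaluate-policy exits non-zero when the image fails policy.
set -eu

QSCANNER="${QSCANNER:-qscanner}"
REPORT_DIR="${REPORT_DIR:-./qscanner-reports}"

# Redacted command line for build logs: the token must never be printed.
describe_mode() {
  image="$1"; mode="$2"; shift 2
  printf '%s image %s --mode %s --pod %s --access-token ***' \
    "$QSCANNER" "$image" "$mode" "${QUALYS_POD:-<pod>}"
  for extra in "$@"; do printf ' %s' "$extra"; done   # e.g. --output-dir
  printf '\n'
}

# Run one QScanner mode against an image. Token and POD come from the
# environment so they never appear in the pipeline file or shell history.
run_mode() {
  image="$1"; mode="$2"; shift 2
  : "${QTOKEN:?QTOKEN must hold the QScanner access token}"
  : "${QUALYS_POD:?QUALYS_POD must hold the Qualys POD identifier}"
  echo "+ $(describe_mode "$image" "$mode" "$@")" >&2
  "$QSCANNER" image "$image" --mode "$mode" \
    --pod "$QUALYS_POD" --access-token "$QTOKEN" "$@"
}

# Build the --disable-sca-languages value from a space-separated list.
# QScanner treats the values case-insensitively; lower-casing keeps logs tidy.
sca_disable_value() {
  printf '%s' "$*" | tr '[:upper:]' '[:lower:]' | tr ' ' ','
}

# Pin the scan to the ID of the image that was just built, so a tag that
# moves between build and scan cannot change what is evaluated.
# Assumes the docker CLI; falls back to the tag if it cannot resolve.
resolve_image() {
  docker image inspect --format '{{.Id}}' "$1" 2>/dev/null || printf '%s' "$1"
}

# Scan and upload, keep the report as a build artifact, then gate on policy.
gate_image() {
  tag="$1"
  image="$(resolve_image "$tag")"
  mkdir -p "$REPORT_DIR"
  # Optional: SCA_DISABLE="ruby .NET" skips those ecosystems. Assumed to
  # combine with --mode scan-only; the page shows the flag only on its own.
  if [ -n "${SCA_DISABLE:-}" ]; then
    # shellcheck disable=SC2086  (word splitting of SCA_DISABLE is intended)
    run_mode "$image" scan-only \
      --disable-sca-languages "$(sca_disable_value $SCA_DISABLE)"
  else
    run_mode "$image" scan-only
  fi
  run_mode "$image" get-report --output-dir "$REPORT_DIR"
  if run_mode "$image" evaluate-policy; then
    echo "policy evaluation passed for $tag ($image)"
  else
    echo "policy evaluation FAILED for $tag ($image); see $REPORT_DIR" >&2
    return 1
  fi
}

# Gate the image named in GATE_IMAGE when the script is run in a pipeline.
if [ -n "${GATE_IMAGE:-}" ]; then
  gate_image "$GATE_IMAGE"
fi
```

Run it as GATE_IMAGE=demo-image:latest sh qscanner-gate.sh with QTOKEN and QUALYS_POD exported by the CI secret store. Before relying on the gate, confirm how your QScanner version signals a policy failure for --mode evaluate-policy; if it reports the verdict only in its output rather than its exit status, parse that output in gate_image instead of testing run_mode's return code.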