QScanner Release 5.0.0 

June 01, 2026

With the QScanner 5.0.0 release, the following features are offered.

OAuth-based Authentication Support

QScanner 5.0.0 introduces OAuth-based authentication for secure communication with Qualys Enterprise TruRisk™ Platform. This enhancement replaces long-lived, subscription-based tokens with short-lived, OAuth-enabled tokens that can be securely revoked and refreshed automatically. These tokens in QScanner are issued with fine‑grained permissions that define exactly what actions a token can perform. Instead of granting broad subscription‑wide access, each token is scoped to only the required capabilities, such as

  • Running scans
  • Viewing results
  • Accessing specific resources

This update improves security, streamlines enterprise identity integration, and enables developers to scan container images securely without impacting production data. With this enhancement, the --access-token flag is deprecated; use the --client-id and --client-secret flags instead. Treat the client secret as a credential: supply it from your CI system's secret store rather than hard-coding it in pipeline definitions or typing it into a shell where it lands in history and logs.

The client ID and client secret are generated in the Qualys Enterprise TruRisk™ Platform. For details, refer to Qualys Container Security 1.43 Release Notes > Development Environment Scanning with QScanner.

Support for Developer Scoped Token

QScanner 5.0.0 introduces support for developer-scoped OAuth tokens designed specifically for development and CI/CD workflows. These tokens have limited permissions and ensure that development scans do not impact or clutter production environments.
This addresses a key challenge where frequent test scans from development pipelines interfere with production visibility. With dev-scoped tokens, teams can safely perform repeated scans, experiment with configurations, and validate images early in the lifecycle without affecting production security findings.
This enhancement enables clean separation between development and production workflows, improving collaboration, reducing noise in security dashboards, and supporting shift-left security practices.

Support for Static Compliance Scan

With this release, QScanner offers a Static Compliance scan for images using the --scan-types compliance option. Images are evaluated against built‑in compliance controls aligned with the CIS Docker Benchmark to determine an overall posture (PASS, FAIL, or SKIPPED) without requiring a container runtime. The scan also detects secrets across image layers and the Dockerfile history, providing actionable remediation findings. Compliance results can be used for CI/CD policy enforcement and are suitable for air‑gapped environments, enabling consistent compliance assessment across any runtime or remote image source.

Build Pipeline Metadata Collection

QScanner now automatically collects the build pipeline context from CI/CD environments during its scan. This includes repository details, branch, commit hash, author information, and other pipeline attributes sourced directly from available environment variables. This feature is enabled by default and can be disabled using the --collect-build-pipeline-metadata=false flag, providing flexibility for privacy or compliance‑sensitive workflows.

This enhancement provides:

  • Precise traceability of findings to the exact commit, branch, repository, and author
  • Faster remediation with immediate ownership and actionable context, improving MTTR
  • Improved supply chain visibility to quickly identify and contain impacted builds
  • Stronger governance and compliance through enhanced audit trails and accountability

QScanner reads the following environment variables, which each CI/CD platform sets for its jobs; confirm they are present in the job environment where QScanner runs. A '-' means no variable is read for that field on that platform.

No.  Parameter            GitLab                 GitHub                    Jenkins
1    Repository           CI_REPOSITORY_URL      GITHUB_REPOSITORY         JOB_URL
2    Branch               CI_COMMIT_BRANCH       GITHUB_REF_NAME           BRANCH_NAME, GIT_BRANCH
3    Commit Hash          CI_COMMIT_SHA          GITHUB_SHA                GIT_COMMIT
4    Commit Message       CI_COMMIT_MESSAGE      -                         -
5    Commit Author Name   CI_COMMIT_AUTHOR       GITHUB_TRIGGERING_ACTOR   GIT_AUTHOR_NAME
6    Commit Author Email  CI_COMMIT_AUTHOR       -                         GIT_AUTHOR_EMAIL
7    Commit Timestamp     CI_COMMIT_TIMESTAMP    -                         -
8    Last Build Commit    CI_COMMIT_BEFORE_SHA   -                         GIT_PREVIOUS_COMMIT
9    Event                CI_PIPELINE_SOURCE     -                         -

If QScanner is not running in a build pipeline, or runs in an unsupported one, scans are not affected; the fields of the BuildPipelineMetadata object are reported as 'Unknown'.
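The collection described above, as an added example that is not QScanner's own code: a Python resolver that reads the same variables as the table, tries Jenkins' BRANCH_NAME before GIT_BRANCH, splits GitLab's CI_COMMIT_AUTHOR ("Name <email>") into name and email, and reports 'Unknown' for anything the job environment does not set. The platform-detection variables (GITLAB_CI, GITHUB_ACTIONS, JENKINS_URL), the field names of the metadata object, and the sample environment are assumptions, not taken from the release notes.

```python
"""Build-pipeline metadata resolver (added example, not QScanner's own code).

Mirrors the release-note table: each field is looked up from the platform's
predefined CI variables, in order, and anything the job environment does not
set is reported as 'Unknown'. Field names are assumed, not QScanner's schema.
"""
import json
import os
import re

UNKNOWN = "Unknown"

# Lookup order per platform: the first variable that is set wins.
SOURCES = {
    "gitlab": {
        "repository": ["CI_REPOSITORY_URL"],
        "branch": ["CI_COMMIT_BRANCH"],          # unset in tag/merge-request pipelines
        "commit_hash": ["CI_COMMIT_SHA"],
        "commit_message": ["CI_COMMIT_MESSAGE"],
        "commit_author": ["CI_COMMIT_AUTHOR"],   # "Name <email>", split below
        "commit_timestamp": ["CI_COMMIT_TIMESTAMP"],
        "last_build_commit": ["CI_COMMIT_BEFORE_SHA"],
        "event": ["CI_PIPELINE_SOURCE"],
    },
    "github": {
        "repository": ["GITHUB_REPOSITORY"],
        "branch": ["GITHUB_REF_NAME"],
        "commit_hash": ["GITHUB_SHA"],
        "commit_author_name": ["GITHUB_TRIGGERING_ACTOR"],
    },
    "jenkins": {
        "repository": ["JOB_URL"],
        "branch": ["BRANCH_NAME", "GIT_BRANCH"],  # BRANCH_NAME only in multibranch jobs
        "commit_hash": ["GIT_COMMIT"],
        "commit_author_name": ["GIT_AUTHOR_NAME"],
        "commit_author_email": ["GIT_AUTHOR_EMAIL"],
        "last_build_commit": ["GIT_PREVIOUS_COMMIT"],
    },
}

FIELDS = ("platform", "repository", "branch", "commit_hash", "commit_message",
          "commit_author_name", "commit_author_email", "commit_timestamp",
          "last_build_commit", "event")


def detect_platform(env):
    """Identify the CI system from the marker variable each one sets (assumed markers)."""
    if env.get("GITLAB_CI") == "true":
        return "gitlab"
    if env.get("GITHUB_ACTIONS") == "true":
        return "github"
    if env.get("JENKINS_URL"):
        return "jenkins"
    return None  # not a pipeline, or an unsupported one


def first_set(env, names):
    """First non-empty value among `names`, else 'Unknown'."""
    for name in names:
        value = env.get(name, "").strip()
        if value:
            return value
    return UNKNOWN


def split_author(author):
    """Split GitLab's 'Name <email>' into (name, email); either part may be Unknown."""
    if author == UNKNOWN:
        return UNKNOWN, UNKNOWN
    match = re.fullmatch(r"\s*(.*?)\s*<([^>]+)>\s*", author)
    if match:
        return match.group(1) or UNKNOWN, match.group(2)
    return author, UNKNOWN


def collect(env=None):
    """Return every field, with 'Unknown' wherever the environment is silent."""
    env = os.environ if env is None else env
    meta = {field: UNKNOWN for field in FIELDS}
    platform = detect_platform(env)
    if platform is None:
        return meta
    meta["platform"] = platform
    for field, names in SOURCES[platform].items():
        if field == "commit_author":
            name, email = split_author(first_set(env, names))
            meta["commit_author_name"], meta["commit_author_email"] = name, email
        else:
            meta[field] = first_set(env, names)
    return meta


# Constructed sample environment (not a real pipeline) for a local run.
SAMPLE_GITLAB_ENV = {
    "GITLAB_CI": "true",
    "CI_REPOSITORY_URL": "https://gitlab.example.com/acme/payments.git",
    "CI_COMMIT_BRANCH": "main",
    "CI_COMMIT_SHA": "3f2a9c1d5b7e4a6f8c0d2e1b9a7c5e3f1d0b8a6c",
    "CI_COMMIT_AUTHOR": "Dana Dev <dana@example.com>",
    "CI_PIPELINE_SOURCE": "push",
}

if __name__ == "__main__":
    print(json.dumps(collect(SAMPLE_GITLAB_ENV), indent=2))
```

Run it inside a job to see which fields your pipeline actually populates before relying on them for traceability; a merge-request pipeline on GitLab, for instance, leaves CI_COMMIT_BRANCH unset and the branch falls back to 'Unknown'.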

Improved Visibility & Continuous Assessment with Static Asset Tagging

QScanner 5.0.0 introduces static asset tagging using the --qualys-tags flag, allowing you to assign and manage tags directly from the Command Line Interface (CLI). Tags are automatically created if they do not already exist, making it easier to organize, search, and manage assets within Qualys Enterprise TruRisk™ Platform.
This addresses a key challenge where teams struggle to track, organize, and continuously monitor assets across pipelines and environments. By linking findings to meaningful tags, QScanner improves visibility, helping teams correlate assets with ownership, build context, and lifecycle stage. This reduces operational overhead and simplifies security management.

With Asset tagging, QScanner evolves from just a scanner to a solution supporting ongoing, intelligence-driven risk management, combining build-time detection, asset traceability, and continuous Qualys Enterprise TruRisk™ Platform evaluation. Using asset tags, you can easily identify assets that originated from specific pipelines or releases. Additionally, you can enable Continuous Assessment (CA) by prefixing tags with qca_scan, allowing assets to be automatically re-evaluated for new vulnerabilities without re-scanning.

QScanner does not support Asset Tagging in inventory-only mode. To know more about QScanner modes, refer to QScanner Modes.

With the introduction of the --qualys-tags flag, QScanner now deprecates the --policy-tags flag.

Enhancement in Tabular Report

In the QDS column, QScanner now shows the QDS severity level along with the QDS score. Displaying QDS severity alongside the score helps you quickly understand risk levels without additional interpretation.

Along with this, the Tabular report also shows Policy Evaluation details, such as the evaluation summary and its result. This enables quick assessment of compliance status directly within the report.

(Screenshots: Old Tabular Report and New Tabular Report; images not reproduced here.)

To know more about QScanner reports, refer to QScanner Report Formats.

Improved Data Collection & File Insight Scan

With this release, QScanner has upgraded its data collection in the SCA scan and the File Insight scan.

Data Collection in Software Composition Analysis 

With this release, QScanner has upgraded its Software Composition Analysis (SCA) by improving data collection for the following languages.

  • Java
  • NodeJS

Additionally, QScanner has improved its code-scanning mechanism by supporting the parsing of the following files.

  • bun.lock - A bun.lock file is a lockfile generated by the Bun package manager that records the exact versions of dependencies installed for a project. 
  • uv.lock - A uv.lock file is a lockfile created by the uv (Python package manager) that records the exact versions of all dependencies resolved for a project.

Detection of AI-based QIDs in 'File Insight' Scan

The File Insight scan inspects your image against built-in rules and reports what it finds. This release adds rules that identify AI/ML model files, which QScanner now reports as AI-based QIDs. The advantages of this enhancement are:

  • Enhanced AI Asset Visibility
    Automatically identifies AI/ML model files within container images, giving teams clear visibility into embedded AI components.
  • Improved Risk Awareness
    Helps security teams detect and assess potential risks associated with AI artifacts, including unmonitored or unauthorized models.
  • Stronger Governance & Compliance
    Supports emerging AI governance requirements by enabling tracking and auditing of AI assets within images.

Updated GitLab Report File Names

The following GitLab report file names are updated. Update any artifacts: paths or downstream jobs that reference the old names, as they will no longer match.

Old File Name                          New File Name
$ARTIFACT_ID-gitlab_vuln_report.json   $ARTIFACT_ID-GitLabVulnReport.json
$ARTIFACT_ID-gitlab_secret.json        $ARTIFACT_ID-GitLabSecretReport.json

This enhancement helps you with:

  • Improved Consistency & Standardization
    Updated naming conventions make report files easier to recognize, manage, and integrate across pipelines.
  • Better CI/CD Integration
    Consistent file names simplify automation and reduce errors in GitLab pipeline configurations and artifact handling.

To know more about QScanner reports, refer to QScanner Report Formats.

LZMA Compressed 'SBOM' Formats

Previously, only the Changelist.db file was LZMA-compressed. With this release, QScanner also supports writing SBOMs (SPDX, CycloneDX) in LZMA-compressed form. LZMA compression reduces SBOM file size, improving storage efficiency, accelerating transfers, and optimizing CI/CD pipeline performance. Consumers of the SBOM (ingestion tools, policy checks) must decompress the file before parsing it.

To know more about QScanner data collection formats, refer to QScanner Data Collection Formats.
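As an added example (not QScanner's own code) of consuming the compressed SBOM: the Python below decompresses an xz/LZMA stream, caps the decompressed size so a malformed or hostile artifact from a pipeline cannot act as a decompression bomb, and normalises CycloneDX or SPDX JSON into one component list. The sample CycloneDX document is constructed; the file name or extension QScanner uses for the compressed SBOM is not stated in these notes, so the script reads whatever path it is given.

```python
"""Reading an LZMA-compressed SBOM (added example, not QScanner's own code).

QScanner 5.0.0 can write SPDX and CycloneDX SBOMs LZMA-compressed; the file
name it uses is not given in the release notes, so this reads whatever path
you pass. The sample CycloneDX document is constructed. Because the archive
arrives from a build pipeline, decompression is capped so that a crafted
stream cannot exhaust the memory or disk of the consumer.
"""
import json
import lzma
import sys

DEFAULT_LIMIT = 64 * 1024 * 1024  # 64 MiB of decompressed SBOM is plenty

# Constructed CycloneDX 1.5 document with two components.
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2"},
    ],
}
SAMPLE_XZ = lzma.compress(json.dumps(SAMPLE_CYCLONEDX).encode())  # .xz container


def decompress_capped(blob, limit=DEFAULT_LIMIT):
    """Decompress xz or legacy .lzma data, refusing output larger than `limit`."""
    dec = lzma.LZMADecompressor()          # FORMAT_AUTO: xz and lzma-alone
    out = dec.decompress(blob, max_length=limit)
    if not dec.eof:                        # input left over, or truncated stream
        raise ValueError(f"decompressed size exceeds {limit} bytes or stream is incomplete")
    return out


def is_compressed(blob):
    """Plain JSON SBOMs start with '{' or '['; anything else is treated as LZMA."""
    return not blob.lstrip().startswith((b"{", b"["))


def load_sbom(blob, limit=DEFAULT_LIMIT):
    """Parse a plain or LZMA-compressed JSON SBOM into a dict."""
    data = decompress_capped(blob, limit) if is_compressed(blob) else blob
    return json.loads(data)


def summarize(doc):
    """Normalise CycloneDX or SPDX JSON into {format, spec, components}."""
    if doc.get("bomFormat") == "CycloneDX":
        comps = [(c.get("name"), c.get("version"), c.get("purl"))
                 for c in doc.get("components", [])]
        return {"format": "CycloneDX", "spec": doc.get("specVersion"), "components": comps}
    if "spdxVersion" in doc:
        comps = []
        for p in doc.get("packages", []):
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            comps.append((p.get("name"), p.get("versionInfo"), purl))
        return {"format": "SPDX", "spec": doc.get("spdxVersion"), "components": comps}
    raise ValueError("not a CycloneDX or SPDX JSON document")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XZ
    info = summarize(load_sbom(blob))
    print(f"{info['format']} {info['spec']}: {len(info['components'])} components")
    for name, version, purl in info["components"]:
        print(f"  {name} {version} {purl or ''}")
```

The size cap matters because the SBOM is an artifact produced in one job and consumed in another: a few hundred bytes of LZMA can expand to gigabytes, and an ingestion step that calls lzma.decompress without a bound will happily try.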

Flag Updates

With this release, QScanner is deprecating the --poll-timeout and --poll-wait-interval arguments. Use the newly introduced --max-network-retries and --network-retry-wait-min arguments instead.

Old Argument           New Argument
--poll-timeout         --max-network-retries
--poll-wait-interval   --network-retry-wait-min

Known Issues

There are no known issues in this release.