Qualys Containerized Scanner Appliance

Release v1.2

Updated on: July 15, 2025

The Qualys Containerized Scanner Appliance (QCSA) allows users to deploy a Qualys scanner as a container. You can create multiple Containerized Scanners using the QCSA Docker image and a Qualys subscription plan. QCSA leverages Docker's benefits, including faster deployment, enhanced efficiency, and optimized resource management. Additionally, it supports the same and automatic updates as the Qualys Virtual Scanner Appliances.

QCSA Features 

The QCSA offers the following features:

  • Supports scanning for Vulnerability Management (VM), Policy Compliance (PC), Web Application Scanning (WAS), and MAP Scans.
  • Scan status and reports for supported scan types are accessible from the Qualys Enterprise TruRisk™ Platform.
  • Supports Docker Engine and Podman as container runtimes, both in rootful mode.
  • Supports proxy configuration.
  • Supports Bridge networking, Host networking & Macvlan networking.
  • Supports IPv6 Networking.
  • Allows creating multiple containerized scanners on one Linux Host, as long as the total resources allocated to the containerized scanner are within the Linux Host's resource limits. 
  • Supports running in 64-bit mode exclusively when 32-bit binary execution is disabled on the Linux Host. 
  • Supports a FIPS-enabled container runtime environment. This means you can create and run QCSA containerized scanners on a FIPS-enabled Docker/Podman Linux host.
  • Qualys strongly recommends against running a containerized scanner in rootless mode, as it may impact scan performance and the consistency of vulnerability results.
  • The containerized scanner, when running in 64-bit only mode, has limited support for certain target technologies.
  • Avoid over-committing resources, as it can cause the container or host to malfunction. For example, if you over-commit swap, insufficient swap space on the host may result in the guest operating systems being forcibly shut down, rendering them inoperable.
  • A low cgroups PID limit (total number of processes and threads allowed inside a container) on a Linux host may prevent the QCSA containerized scanner from executing larger scans. This PID limit can be removed by running the containerized scanner with the option '--pid-limit -1', or the PID limit check can be overridden by running the containerized scanner with the option '-e DISREGARD_PID_LIMIT=yes'.
  • If no specific network mode is provided, container runtimes (Docker/Podman) use bridge networking by default when creating containers. To use a different network mode, such as host or macvlan, specify it explicitly using the --network <network_name> option in the containerized scanner creation command. For implementation details, refer to the Bridge network driver and Docker container, or Manage Podman networks, as described in Docker's and Podman's official documentation.
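
The following added example, which is not Qualys code, checks two of the host conditions described in the list above before a scanner is created: the cgroup PID limit and memory over-commit across several scanners. The 4096 PID threshold, the 4096 MB per-scanner figure, the file paths and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Qualys code): pre-flight checks for a host that will
# run containerized scanners. Thresholds and sample values are assumptions.

# pid_limit_status FILE MIN -> prints unlimited | ok | low | unknown
# FILE is a cgroup pids.max file; it holds "max" or a decimal count.
pid_limit_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    limit=$(tr -d '[:space:]' < "$1")
    case $limit in
        max) echo unlimited ;;
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$limit" -lt "$2" ]; then echo low; else echo ok; fi ;;
    esac
}

# mem_headroom_kb MEMINFO COUNT PER_SCANNER_MB -> prints host MemTotal minus
# the memory planned for COUNT scanners, in kB. A negative result means the
# planned scanners would over-commit the host.
mem_headroom_kb() {
    awk -v n="$2" -v mb="$3" '
        /^MemTotal:/ { printf "%d\n", $2 - n * mb * 1024; found = 1 }
        END { if (!found) exit 1 }' "$1"
}

# Demo on constructed sample files. On a real host, pass the pids.max file of
# the container's cgroup (for example /sys/fs/cgroup/pids.max when read from
# inside a cgroup v2 container) and /proc/meminfo.
demo() {
    dir=$(mktemp -d) || return 1
    echo 2048 > "$dir/pids.max"                            # constructed
    echo 'MemTotal:       16384000 kB' > "$dir/meminfo"    # constructed
    echo "pid limit vs assumed minimum 4096: $(pid_limit_status "$dir/pids.max" 4096)"
    echo "headroom, 3 scanners x 4096 MB: $(mem_headroom_kb "$dir/meminfo" 3 4096) kB"
    echo "headroom, 4 scanners x 4096 MB: $(mem_headroom_kb "$dir/meminfo" 4 4096) kB"
    rm -rf "$dir"
}
demo
```

A "low" result corresponds to the PID-limit condition in the list above, and a negative headroom corresponds to the over-commit condition.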

The current version of QCSA has a few limitations. For details, see Limitations.