How It Works
Qualys CI/CD Security Integration provides a unified approach to container and code vulnerability scanning across development pipelines. This section explains the core concepts and architecture.
Architecture Overview
The integration ecosystem consists of two main layers:
```
┌─────────────────────────────────────────────────────────────────────────┐
│                          CI/CD Platform Layer                           │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐     │
│  │   GitHub    │  │   GitLab    │  │    Azure    │  │   Jenkins   │     │
│  │   Actions   │  │     CI      │  │   DevOps    │  │             │     │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘     │
│         │                │                │                │            │
│         └────────────────┴────────────────┴────────────────┘            │
│                                  │                                      │
│                               QScanner                                  │
│                           (Local Scanning)                              │
└─────────────────────────────────────────────────────────────────────────┘
                                   │
                                   ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                          Qualys Cloud Platform                          │
│  ┌─────────────────────────────────────────────────────────────────┐    │
│  │                     Container Security API                      │    │
│  │  ┌───────────┐  ┌───────────┐  ┌───────────┐  ┌───────────┐     │    │
│  │  │  Vuln DB  │  │  Policy   │  │ Reporting │  │   SBOM    │     │    │
│  │  │           │  │  Engine   │  │           │  │  Storage  │     │    │
│  │  └───────────┘  └───────────┘  └───────────┘  └───────────┘     │    │
│  └─────────────────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────────────────┘
```
Core Components
QScanner
The QScanner is a lightweight binary used in CI/CD pipelines for local container image and code scanning. It:
- Pulls container images from registries
- Analyzes image layers for vulnerabilities
- Scans source code for vulnerable dependencies
- Detects secrets and sensitive data
- Generates SARIF, JSON, and SBOM reports
- Evaluates against configured thresholds or cloud policies
CICD Sensor (Jenkins)
For Jenkins environments, the CICD Sensor provides an alternative scanning backend:
- Pre-installed on build agents for faster scanning
- Uses username/password authentication
- Supports container scanning only
- Better suited for dedicated build servers
Scanning Modes
| Mode | Description | Use Case |
|---|---|---|
| get-report | Scan and generate vulnerability report | Default mode for most pipelines |
| evaluate-policy | Evaluate against Qualys cloud policies | Centralized policy enforcement |
| scan-only | Scan without generating reports | Quick validation scans |
| inventory-only | Collect inventory without vulnerability matching | SBOM generation |
Vulnerability Detection
The scanning engine detects vulnerabilities in:
- OS Packages – Vulnerabilities in base image OS packages (apt, yum, apk)
- Application Dependencies – Language-specific package vulnerabilities:
- Node.js (npm, yarn)
- Python (pip, pipenv, poetry)
- Java (Maven, Gradle)
- Ruby (gem, bundler)
- Go (modules)
- .NET (NuGet)
- Rust (cargo)
- Secrets – Hardcoded API keys, passwords, tokens, and credentials
Policy Evaluation
Two approaches to policy enforcement:
Local Thresholds
Configure maximum allowed vulnerabilities per severity:
```yaml
max_critical: 0   # Fail on any critical
max_high: 5       # Allow up to 5 high
max_medium: -1    # No limit on medium
max_low: -1       # No limit on low
```
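The threshold semantics above (a per-severity maximum, with -1 meaning no limit) as an added, runnable illustration; this is example code, not QScanner's own gate logic, and the report layout, field names and `VULN-*` ids below are a constructed sample rather than the real QScanner JSON schema.

```python
"""Added example: evaluate per-severity vulnerability counts against local
thresholds with the same meaning as the YAML above (-1 disables a limit).
The report structure is a constructed assumption, not QScanner's schema."""
from collections import Counter

# Mirrors the thresholds shown above: -1 means "no limit" for that severity.
THRESHOLDS = {"critical": 0, "high": 5, "medium": -1, "low": -1}

# Constructed sample findings (hypothetical ids, not real CVEs or QIDs).
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "VULN-0001", "severity": "HIGH", "package": "openssl"},
        {"id": "VULN-0002", "severity": "HIGH", "package": "libxml2"},
        {"id": "VULN-0003", "severity": "MEDIUM", "package": "zlib"},
        {"id": "VULN-0004", "severity": "LOW", "package": "curl"},
    ]
}

SEVERITIES = ("critical", "high", "medium", "low")

def count_by_severity(report):
    """Normalise severity labels to lower case and count findings per level.
    Labels outside SEVERITIES are not counted; extend SEVERITIES if needed."""
    counts = Counter(v["severity"].lower() for v in report.get("vulnerabilities", []))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}

def evaluate_thresholds(counts, thresholds):
    """Return (passed, violations). A limit below 0 (-1) disables the check;
    any other value is the maximum number of findings tolerated at that level."""
    violations = []
    for sev, limit in thresholds.items():
        if limit < 0:
            continue  # -1: no limit configured for this severity
        found = counts.get(sev, 0)
        if found > limit:
            violations.append(f"{sev}: {found} found, max {limit} allowed")
    return (not violations, violations)

def gate(report, thresholds=THRESHOLDS):
    """Pipeline gate: returns (exit_code, messages); 0 passes, 1 fails the build."""
    passed, violations = evaluate_thresholds(count_by_severity(report), thresholds)
    return (0 if passed else 1, violations)

if __name__ == "__main__":
    code, msgs = gate(SAMPLE_REPORT)
    print("PASS" if code == 0 else "FAIL", *msgs, sep="\n")
    raise SystemExit(code)
```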
Cloud Policy Evaluation
Use centrally managed policies in the Qualys platform:
- Consistent policy enforcement across all integrations
- Policy inheritance and override capabilities
- Audit trail for policy changes
- Policy actions: ALLOW, DENY, AUDIT
Report Formats
| Format | Purpose |
|---|---|
| SARIF | Static Analysis Results Interchange Format for GitHub/Azure security tabs |
| JSON | Detailed vulnerability data for custom processing |
| GitLab Security | Native GitLab Security Dashboard format |
| SPDX | Software Bill of Materials (SBOM) |
| CycloneDX | Alternative SBOM format |