Scanning Workflow
This section describes the detailed scanning workflow from image detection through result delivery.
CI/CD Scanning Workflow
```
┌────────────────────────────────────────────────────────────────────────┐
│                             CI/CD Pipeline                             │
│                                                                        │
│  1. Checkout   2. Build      3. Scan       4. Evaluate   5. Deploy     │
│  ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐   │
│  │  Code   │ → │  Image  │ → │QScanner │ → │ Policy  │ → │  Push   │   │
│  │         │   │         │   │         │   │  Check  │   │         │   │
│  └─────────┘   └─────────┘   └────┬────┘   └────┬────┘   └─────────┘   │
│                                   │             │                      │
│                                   ▼             ▼                      │
│                              ┌─────────┐   ┌─────────┐                 │
│                              │ Reports │   │Pass/Fail│                 │
│                              │ (SARIF, │   │         │                 │
│                              │  JSON)  │   │         │                 │
│                              └─────────┘   └─────────┘                 │
└────────────────────────────────────────────────────────────────────────┘
```
Step-by-Step Process
- Image Reference – The scanner receives the container image reference (name:tag or digest)
- Image Pull – The image is pulled from the registry (using provided credentials if private)
- Layer Extraction – Container layers are extracted and analyzed
- Package Detection – OS and application packages are identified
- Vulnerability Matching – Packages are matched against the Qualys vulnerability database
- Secrets Scanning – Image layers are scanned for embedded secrets (if enabled)
- Report Generation – SARIF and JSON reports are generated
- Policy Evaluation – Results are evaluated against thresholds or cloud policies
- Result Output – Vulnerability counts and policy result are output for pipeline decisions
Code Scanning Workflow
```
┌────────────────────────────────────────────────────────────────────────┐
│                           SCA Code Scanning                            │
│                                                                        │
│  1. Checkout   2. Discover   3. Analyze    4. Evaluate   5. Report     │
│  ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐   │
│  │  Code   │ → │Manifests│ → │QScanner │ → │ Policy  │ → │ SARIF/  │   │
│  │         │   │         │   │   SCA   │   │  Check  │   │  SBOM   │   │
│  └─────────┘   └─────────┘   └─────────┘   └─────────┘   └─────────┘   │
└────────────────────────────────────────────────────────────────────────┘
```
Code Scan Steps
- Directory Scan – Recursively scan source directory for package manifests
- Manifest Detection – Identify package.json, requirements.txt, pom.xml, etc.
- Dependency Resolution – Parse manifests and resolve transitive dependencies
- Vulnerability Matching – Match dependencies against vulnerability database
- Secrets Scanning – Scan source files for hardcoded secrets (if enabled)
- SBOM Generation – Generate SPDX or CycloneDX SBOM (if enabled)
- Report Generation – Create SARIF and JSON vulnerability reports
Report Types
| Report | Format | Purpose |
|---|---|---|
| SARIF | JSON (SARIF 2.1.0) | GitHub Security tab, Azure DevOps Advanced Security |
| JSON | JSON | Custom processing, archival |
| GitLab Security | JSON (GitLab format) | GitLab Security Dashboard |
| SPDX SBOM | JSON (SPDX 2.3) | Software inventory, compliance |
| CycloneDX SBOM | JSON (CycloneDX 1.4) | Software inventory, compliance |
Policy Evaluation Flow
Threshold-Based
```
Scan Results → Count by Severity → Compare to Thresholds → Pass/Fail
```
Example (a limit of -1 means unlimited; the scan fails as soon as any one severity exceeds its limit):
```
Critical:  2  vs  max_critical:  0  → FAIL
High:      3  vs  max_high:      5  → PASS
Medium:   10  vs  max_medium:   -1  → PASS (unlimited)
Overall: FAIL (critical count is over its limit)
```
Cloud Policy
```
Scan Results → Submit to Qualys API → Policy Engine → ALLOW/DENY/AUDIT
```
Policy Actions:
```
ALLOW → Pipeline continues
DENY  → Pipeline fails (exit code 42)
AUDIT → Pipeline continues with warning (exit code 43)
```
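The following is an added example, not QScanner's own code, showing the evaluation described in the Report Types and Policy Evaluation Flow sections end to end: read a SARIF 2.1.0 report, count findings by severity, apply the threshold rule (with -1 meaning unlimited), apply the cloud policy action, and emit the pipeline outputs and exit code. Several things are assumptions rather than facts from this page: severity is read from each rule's `security-severity` property (a CVSS-style score, the convention GitHub code scanning uses) and bucketed with the CVSS v3 ranges, a threshold failure exits with code 1, a cloud policy action takes precedence over local thresholds when one was evaluated, and the sample SARIF document and its EXAMPLE-000x rule ids are constructed for this example. Exit codes 42 and 43 are the ones the page documents.

```python
"""Severity counting and policy evaluation for a CI/CD scan step.

Added example; not QScanner's own code. Assumptions (also marked inline):
  * Severity comes from the rule's "security-severity" property (CVSS-style
    score), bucketed with the CVSS v3 ranges; rules without a score fall
    back to the SARIF result level. Adapt count_by_severity() if the
    scanner's SARIF carries severity differently.
  * Exit code 1 for a threshold failure; 42/43 are from the page.
  * SAMPLE_SARIF is constructed; the EXAMPLE-000x rule ids are placeholders.
"""
import json

SEVERITIES = ("critical", "high", "medium", "low")
EXIT_OK, EXIT_THRESHOLD_FAIL, EXIT_DENY, EXIT_AUDIT = 0, 1, 42, 43
# Fallback when a rule has no score: map the SARIF result level (assumption).
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low"}

# Constructed SARIF 2.1.0 document standing in for a real scanner report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EXAMPLE-0001", "properties": {"security-severity": "9.8"}},
            {"id": "EXAMPLE-0002", "properties": {"security-severity": "9.1"}},
            {"id": "EXAMPLE-0003", "properties": {"security-severity": "7.5"}},
            {"id": "EXAMPLE-0004", "properties": {"security-severity": "5.3"}},
            {"id": "EXAMPLE-0005"},  # no score: falls back to result level
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-0001", "level": "error"},
            {"ruleId": "EXAMPLE-0002", "level": "error"},
            {"ruleId": "EXAMPLE-0003", "level": "error"},  # one CVE, three packages
            {"ruleId": "EXAMPLE-0003", "level": "error"},
            {"ruleId": "EXAMPLE-0003", "level": "error"},
            {"ruleId": "EXAMPLE-0004", "level": "warning"},
            {"ruleId": "EXAMPLE-0005", "level": "note"},
        ],
    }],
})


def severity_of(score):
    """Bucket a CVSS-style score with the v3 qualitative ranges (assumption)."""
    s = float(score)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def count_by_severity(sarif_text):
    """Count every result in every run; each result is one finding."""
    doc = json.loads(sarif_text)
    counts = dict.fromkeys(SEVERITIES, 0)
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            props = rules.get(res.get("ruleId"), {}).get("properties", {})
            score = props.get("security-severity")
            sev = (severity_of(score) if score is not None
                   else LEVEL_FALLBACK.get(res.get("level"), "low"))
            counts[sev] += 1
    return counts


def evaluate_thresholds(counts, thresholds):
    """Threshold check: a limit of -1 (or a missing key) means unlimited."""
    per_severity = {}
    for sev in SEVERITIES:
        limit = thresholds.get(sev, -1)
        per_severity[sev] = limit < 0 or counts.get(sev, 0) <= limit
    return all(per_severity.values()), per_severity


def pipeline_decision(counts, thresholds, policy_result="NONE"):
    """Return (outputs, exit_code). A cloud policy action, when present,
    decides; with policy_result NONE the local thresholds decide (assumed
    precedence; the page does not say how the two combine)."""
    threshold_ok, _ = evaluate_thresholds(counts, thresholds)
    if policy_result == "DENY":
        passed, code = False, EXIT_DENY
    elif policy_result == "AUDIT":
        passed, code = True, EXIT_AUDIT      # continues, but flagged
    elif policy_result == "ALLOW":
        passed, code = True, EXIT_OK
    else:
        passed = threshold_ok
        code = EXIT_OK if threshold_ok else EXIT_THRESHOLD_FAIL
    outputs = {
        "vulnerability_count": sum(counts.values()),
        **{f"{sev}_count": counts[sev] for sev in SEVERITIES},
        "policy_result": policy_result,
        "scan_passed": passed,
    }
    return outputs, code


def format_outputs(outputs):
    """Render outputs as key=value lines (the $GITHUB_OUTPUT file format)."""
    return [f"{k}={str(v).lower() if isinstance(v, bool) else v}"
            for k, v in outputs.items()]


if __name__ == "__main__":
    import sys
    counts = count_by_severity(SAMPLE_SARIF)
    outputs, code = pipeline_decision(counts, {"critical": 0, "high": 5, "medium": -1})
    print("\n".join(format_outputs(outputs)))
    sys.exit(code)
```

Run against the constructed report with the page's thresholds (max_critical 0, max_high 5, max_medium -1) it counts 2 critical, 3 high, 1 medium and 1 low, fails on the critical limit, prints `scan_passed=false` and exits 1; with a DENY or AUDIT policy result it exits 42 or 43 regardless of the counts. Because the check is done on a written report rather than on scanner stdout, the same logic gates a pipeline whichever CI system runs it.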
Result Delivery
Pipeline Outputs
All integrations provide outputs for use in subsequent pipeline steps:
- vulnerability_count – Total vulnerabilities found
- critical_count, high_count, medium_count, low_count – Vulnerability counts by severity
- policy_result – ALLOW, DENY, AUDIT, or NONE
- scan_passed – Boolean indicating threshold/policy pass
- sarif_path, json_path, sbom_path – Report file paths
Dashboard Integration
All scan results are available in the Qualys Container Security console:
- Centralized vulnerability visibility
- Historical trending and reporting
- Policy management and compliance tracking