Features
Qualys CI/CD Security Integration provides comprehensive security scanning capabilities for your build pipelines.
Container Vulnerability Scanning
Scan Docker/OCI container images for known vulnerabilities:
- OS Package Scanning – Detect vulnerabilities in base image OS packages (apt, yum, apk, etc.)
- Application Dependencies – Scan language-specific packages:
  - Node.js (npm, yarn)
  - Python (pip, pipenv, poetry)
  - Java (Maven, Gradle)
  - Ruby (gem, bundler)
  - Go (modules)
  - .NET (NuGet)
  - Rust (cargo)
- Multi-Architecture Support – Scan images for linux/amd64, linux/arm64 platforms
- Storage Driver Options – Optimize scanning with docker-overlay2, containerd-overlayfs, or podman-overlay
Software Composition Analysis (SCA)
Scan source code repositories for vulnerable dependencies:
- Dependency Detection – Automatically detect package manifests (package.json, requirements.txt, pom.xml, etc.)
- Transitive Dependencies – Identify vulnerabilities in nested dependencies
- Directory Exclusion – Exclude test directories, vendor folders, or specific paths
- Offline Scanning – Scan without uploading results to the Qualys platform (Jenkins, Azure DevOps)
Secrets Detection
Identify hardcoded secrets before they reach production:
- API Keys and Tokens – AWS, GCP, Azure, GitHub, Slack, and other service tokens
- Private Keys – SSH keys, TLS certificates, PGP keys
- Credentials – Database passwords, connection strings, authentication tokens
- Container Layers – Scan all image layers for embedded secrets
SBOM Generation
Generate a Software Bill of Materials for compliance and inventory:
- SPDX Format – Industry-standard SPDX 2.3 JSON output
- CycloneDX Format – OWASP CycloneDX JSON output
- Both Formats – Generate both simultaneously for different tooling requirements
Policy Enforcement
Threshold-Based Gating
Configure maximum allowed vulnerabilities per severity:
- max_critical: 0 – Fail on any critical vulnerability
- max_high: 5 – Allow up to 5 high-severity findings
- max_medium: -1 – No limit (unlimited)
- max_low: -1 – No limit
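The following is an added illustration of how threshold-based gating behaves; it is not Qualys code and does not reproduce the integration's actual configuration parser. It assumes findings are plain records with a severity field, uses the max_critical/max_high/max_medium/max_low keys from the list above, and treats a negative threshold as "no limit". The finding records and CVE-style ids are constructed placeholders, not real advisories.

```python
"""Illustrative severity-threshold gate (added example, not the product's own code)."""
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Thresholds as described in the list above (constructed for this example).
DEFAULT_THRESHOLDS = {
    "max_critical": 0,   # fail on any critical finding
    "max_high": 5,       # allow up to 5 high-severity findings
    "max_medium": -1,    # no limit
    "max_low": -1,       # no limit
}

# Constructed sample findings; the ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"id": "CVE-XXXX-0001", "package": "libssl", "severity": "critical"},
    {"id": "CVE-XXXX-0002", "package": "zlib", "severity": "high"},
    {"id": "CVE-XXXX-0003", "package": "curl", "severity": "High"},
    {"id": "CVE-XXXX-0004", "package": "bash", "severity": "medium"},
    {"id": "CVE-XXXX-0005", "package": "tar", "severity": "low"},
]


def count_by_severity(findings):
    """Count findings per severity; severity labels are compared case-insensitively."""
    counts = Counter(f["severity"].lower() for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def evaluate_gate(findings, thresholds):
    """Return (passed, violations).

    A threshold of 0 fails on any finding of that severity, a positive value
    allows up to that many, and a negative value (e.g. -1) disables the check.
    A missing key is treated as unlimited so partial configs still evaluate.
    """
    counts = count_by_severity(findings)
    violations = []
    for sev in SEVERITIES:
        limit = thresholds.get(f"max_{sev}", -1)
        if limit < 0:
            continue  # unlimited for this severity
        if counts[sev] > limit:
            violations.append(f"{sev}: {counts[sev]} found, max allowed {limit}")
    return (not violations, violations)


def gate_exit_code(findings, thresholds):
    """Exit-code style result for a pipeline step: 0 = pass, 1 = fail."""
    passed, _ = evaluate_gate(findings, thresholds)
    return 0 if passed else 1


if __name__ == "__main__":
    ok, problems = evaluate_gate(SAMPLE_FINDINGS, DEFAULT_THRESHOLDS)
    print("PASS" if ok else "FAIL")
    for p in problems:
        print("  -", p)
```

With the sample data the gate fails only on the single critical finding; the two high findings stay under the limit of 5, and medium/low are never checked because their thresholds are -1.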
Cloud Policy Evaluation
Use centralized Qualys platform policies:
- Policy Tags – Apply policies by tag (e.g., "production", "pci")
- Policy Actions – ALLOW, DENY, or AUDIT based on findings
- Centralized Management – Update policies without changing pipeline code
Reporting and Integration
SARIF Reports
- GitHub Security tab integration
- Azure DevOps Advanced Security
- VS Code SARIF Viewer compatibility
Issue/Work Item Creation
- GitHub Issues – Automatic issue creation with CVE details
- Jira Integration – Create Jira tickets (Jenkins)
- Azure Work Items – Create bugs in Azure Boards
- Duplicate Prevention – Check for existing issues before creation
Native Security Dashboards
- GitLab Security Dashboard (container scanning, secret detection reports)
- GitHub Code Scanning alerts
Platform-Specific Features
| Feature | GitHub | GitLab | Jenkins | Azure DevOps |
|---|---|---|---|---|
| Container Scan | Yes | Yes | Yes | Yes |
| Code Scan (SCA) | Yes | Yes | Yes | Yes |
| Secrets Detection | Yes | Yes | Yes | Yes |
| SBOM Generation | Code only | No | Yes | Yes |
| Malware Detection | No | Yes | Yes | No |
| Rootfs Scanning | No | No | Yes | No |
| Offline Scanning | No | No | Yes | Yes |
| Issue Creation | GitHub | - | Jira | Work Items |
| Dual Backends | No | No | Yes | No |