Get Started with Qualys CI/CD Security Integration

Qualys CI/CD Security Integration enables teams to shift security left by identifying vulnerabilities and secrets early in the development lifecycle. Rather than discovering security issues after deployment, you can evaluate container images and source code during the build process, providing continuous visibility into your application security posture.

The integration scans container images for OS and application vulnerabilities, detects hardcoded secrets, and generates SBOM (Software Bill of Materials). Scan results can be used to gate deployments based on configurable thresholds or centralized Qualys cloud policies.

Scanning Capabilities

• Container Vulnerability Scanning – Scan Docker/OCI container images for vulnerabilities in OS packages and application dependencies
• Software Composition Analysis (SCA) – Scan source code repositories for vulnerable dependencies across multiple package managers
• Secrets Detection – Identify hardcoded secrets, API keys, passwords, and sensitive data in container layers and source code
• SBOM Generation – Generate Software Bill of Materials in SPDX or CycloneDX format
• Policy-Based Evaluation – Enforce security policies with centralized Qualys cloud policies
• Threshold Gating – Configure maximum allowed vulnerabilities per severity level

Supported CI/CD Platforms

Platform	Integration Type	Scan Types
GitHub Actions	Reusable Actions	Container, Code (SCA)
GitLab CI	CI Component	Container, Secrets, Malware
Jenkins	Jenkins Plugin	Container, Code, Rootfs
Azure DevOps	Pipeline Extension	Container, Code (SCA)

Prerequisites

Before you begin, ensure you have:

• A valid Qualys subscription with Container Security permissions enabled
• A Qualys API access token with Container Security scope
• Access to your target CI/CD platform

Choose Your Platform