GitHub Actions Configuration Reference

This page provides a complete reference for all configuration options available in the Qualys GitHub Actions for container and code scanning.

Common Inputs

These inputs are shared between both Container Scan and Code Scan actions.

Authentication

Input                Required  Default  Description
qualys_access_token  Yes       -        Qualys API access token. Store as a GitHub secret.
qualys_pod           Yes       -        Qualys platform POD identifier.

Available PODs

POD   Region         API URL
US1   United States  qualysapi.qualys.com
US2   United States  qualysapi.qg2.apps.qualys.com
US3   United States  qualysapi.qg3.apps.qualys.com
US4   United States  qualysapi.qg4.apps.qualys.com
EU1   Europe         qualysapi.qualys.eu
EU2   Europe         qualysapi.qg2.apps.qualys.eu
IN1   India          qualysapi.qg1.apps.qualys.in
CA1   Canada         qualysapi.qg1.apps.qualys.ca
AU1   Australia      qualysapi.qg1.apps.qualys.com.au
AE1   UAE            qualysapi.qg1.apps.qualys.ae
JP1   Japan          qualysapi.qg1.apps.qualys.co.jp
KSA1  Saudi Arabia   qualysapi.qg1.apps.qualys.sa

Threshold Configuration

Input         Required  Default  Description
max_critical  No        -1       Maximum critical vulnerabilities allowed. Set to -1 for unlimited.
max_high      No        -1       Maximum high vulnerabilities allowed. Set to -1 for unlimited.
max_medium    No        -1       Maximum medium vulnerabilities allowed. Set to -1 for unlimited.
max_low       No        -1       Maximum low vulnerabilities allowed. Set to -1 for unlimited.

Policy Configuration

Input          Required  Default  Description
use_policy     No        false    Enable Qualys cloud policy evaluation.
fail_on_audit  No        false    Fail the action when the policy result is AUDIT.

GitHub Integration

Input             Required  Default                 Description
upload_sarif      No        false                   Upload results to the GitHub Security tab as SARIF.
create_issues     No        false                   Create GitHub Issues for vulnerabilities found.
issue_severities  No        4,5                     Comma-separated severity levels for issue creation (1=Info, 2=Low, 3=Medium, 4=High, 5=Critical).
issue_labels      No        security,vulnerability  Comma-separated labels to apply to created issues.

Advanced Options

Input         Required  Default  Description
offline_mode  No        false    Scan without uploading results to the Qualys platform.
scan_timeout  No        600      Maximum scan duration in seconds.
log_level     No        info     Logging verbosity: debug, info, warn, or error.

Container Scan Inputs

Inputs specific to the Container Scan action.

Input         Required  Default      Description
image_id      Yes*      -            Container image to scan (name:tag or digest). Required if image_tar is not specified.
image_tar     No        -            Path to a tar archive of the image.
platform      No        linux/amd64  Target platform for multi-arch images.
scan_secrets  No        false        Enable secrets detection in container layers.
scan_malware  No        false        Enable malware detection.

* Exactly one of image_id or image_tar must be provided.

Code Scan Inputs

Inputs specific to the Code Scan action.

Input          Required  Default    Description
scan_path      No        .          Path to the directory to scan.
exclude_dirs   No        -          Comma-separated directories to exclude.
include_dev    No        false      Include development dependencies.
scan_secrets   No        false      Enable secrets detection in source code.
generate_sbom  No        false      Generate a Software Bill of Materials (SBOM).
sbom_format    No        spdx       SBOM format: spdx or cyclonedx.
sbom_output    No        sbom.json  Output filename for the SBOM.

Common Outputs

These outputs are available from both actions.

Output               Description
vulnerability_count  Total number of vulnerabilities found.
critical_count       Number of critical vulnerabilities.
high_count           Number of high vulnerabilities.
medium_count         Number of medium vulnerabilities.
low_count            Number of low vulnerabilities.
secrets_count        Number of secrets detected.
policy_result        Policy evaluation result: ALLOW, DENY, AUDIT, or NONE.
scan_passed          Boolean indicating whether the scan passed the thresholds/policy checks.
sarif_path           Path to the generated SARIF report.
json_path            Path to the generated JSON report.
issues_created       Number of GitHub Issues created.

Container Scan Outputs

Output         Description
malware_count  Number of malware detections.
image_digest   Digest of the scanned image.

Code Scan Outputs

Output          Description
packages_count  Total number of packages/dependencies found.
sbom_path       Path to the generated SBOM file.

Required Permissions

Configure the following permissions in your workflow:

permissions:
  contents: read          # Required for checkout
  security-events: write  # Required for SARIF upload
  issues: write           # Required for issue creation

Environment Variables

Variable      Description
GITHUB_TOKEN  Required for SARIF upload and issue creation. Pass it to the step as env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Example: Full Configuration

name: Complete Security Scan

on:
  push:
    branches: [main]

jobs:
  container-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      issues: write
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Scan container
        uses: qualys/qualys-github/container-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          image_id: myapp:${{ github.sha }}
          platform: linux/amd64
          scan_secrets: true
          scan_malware: true
          max_critical: 0
          max_high: 5
          max_medium: 20
          use_policy: false
          upload_sarif: true
          create_issues: true
          issue_severities: '4,5'
          issue_labels: 'security,container,vulnerability'
          scan_timeout: 900
          log_level: info
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  code-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Scan code
        uses: qualys/qualys-github/code-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          scan_path: '.'
          exclude_dirs: 'node_modules,vendor,dist,build'
          include_dev: false
          scan_secrets: true
          generate_sbom: true
          sbom_format: spdx
          sbom_output: sbom.json
          max_critical: 0
          max_high: 10
          upload_sarif: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
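Example: Gating on Outputs

The following job is an added example, not part of the Qualys documentation or the action's own code; it shows how the outputs listed under Common Outputs (critical_count, high_count, secrets_count, policy_result, scan_passed) are consumed by later steps of the same job. It assumes the action marks its step as failed when a threshold or policy check is breached, so continue-on-error is used to keep the job alive for the steps that read the outputs, and that the image myapp:${{ github.sha }} was built earlier, as in the full configuration above.

```yaml
jobs:
  container-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Scan container
        id: scan                  # needed to reference steps.scan.outputs.* below
        continue-on-error: true   # assumption: the action fails the step on a breach;
                                  # keep the job alive so later steps can read outputs
        uses: qualys/qualys-github/container-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          image_id: myapp:${{ github.sha }}   # assumed built in an earlier step
          max_critical: 0
          max_high: 5
          use_policy: true
          upload_sarif: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Write scan summary
        if: always()
        # Outputs are passed through env rather than interpolated into the
        # script body, so the shell never parses raw expression text.
        env:
          CRITICAL: ${{ steps.scan.outputs.critical_count }}
          HIGH: ${{ steps.scan.outputs.high_count }}
          SECRETS: ${{ steps.scan.outputs.secrets_count }}
          POLICY: ${{ steps.scan.outputs.policy_result }}
        run: |
          {
            echo "## Qualys container scan"
            echo "- Critical: $CRITICAL"
            echo "- High: $HIGH"
            echo "- Secrets: $SECRETS"
            echo "- Policy result: $POLICY"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Enforce scan gate
        # Outputs are strings, so compare against 'true'. An empty value
        # (the scan never produced outputs) also fails the gate.
        if: steps.scan.outputs.scan_passed != 'true'
        run: |
          echo "::error::Scan did not pass the configured thresholds or policy"
          exit 1
```

The gate step, not the scan step, decides the job result, so the summary and SARIF upload complete even when the scan fails.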
