GitHub Actions Container Scan

The Container Scan action scans Docker/OCI container images for vulnerabilities, secrets, and malware. It supports local images, registry images, and tar archives, with optional SARIF upload and GitHub Issue creation.

Action Path: qualys/qualys-github/container-scan@v1

Inputs

Authentication

Input                Required  Default  Description
qualys_access_token  Yes       -        Qualys API access token for authentication
qualys_pod           Yes       -        Qualys platform POD (US1, US2, US3, US4, EU1, EU2, IN1, CA1, AU1, AE1, JP1, KSA1)

Scan Target

Input      Required  Default      Description
image_id   Yes       -            Container image to scan (name:tag, digest, or local image ID)
image_tar  No        -            Path to a tar archive of the image (alternative to image_id)
platform   No        linux/amd64  Target platform for multi-arch images (linux/amd64, linux/arm64)

Scan Options

Input         Required  Default  Description
scan_secrets  No        false    Enable secrets detection in container layers
scan_malware  No        false    Enable malware detection in the container
offline_mode  No        false    Scan without uploading results to the Qualys platform

Thresholds and Policy

Input          Required  Default  Description
max_critical   No        -1       Maximum allowed critical vulnerabilities (-1 = unlimited)
max_high       No        -1       Maximum allowed high vulnerabilities (-1 = unlimited)
max_medium     No        -1       Maximum allowed medium vulnerabilities (-1 = unlimited)
max_low        No        -1       Maximum allowed low vulnerabilities (-1 = unlimited)
use_policy     No        false    Use Qualys cloud policy evaluation instead of thresholds
fail_on_audit  No        false    Fail the action if the policy result is AUDIT

GitHub Integration

Input             Required  Default                 Description
upload_sarif      No        false                   Upload the SARIF report to the GitHub Security tab
create_issues     No        false                   Create GitHub Issues for vulnerabilities
issue_severities  No        4,5                     Severity levels to create issues for (1-5, comma-separated)
issue_labels      No        security,vulnerability  Labels to apply to created issues

Complete Example

name: Container Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      issues: write
    steps:
      - uses: actions/checkout@v4

      - name: Build container image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Scan container
        id: scan
        uses: qualys/qualys-github/container-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          image_id: myapp:${{ github.sha }}
          scan_secrets: true
          scan_malware: true
          max_critical: 0
          max_high: 5
          upload_sarif: true
          create_issues: true
          issue_severities: '4,5'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Check scan results
        if: always()
        run: |
          echo "Total vulnerabilities: ${{ steps.scan.outputs.vulnerability_count }}"
          echo "Critical: ${{ steps.scan.outputs.critical_count }}"
          echo "High: ${{ steps.scan.outputs.high_count }}"
          echo "Scan passed: ${{ steps.scan.outputs.scan_passed }}"

Scanning Remote Images

To scan images from private registries, authenticate before running the scan:

- name: Login to Docker Hub
  uses: docker/login-action@v3
  with:
    username: ${{ secrets.DOCKERHUB_USERNAME }}
    password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Scan remote image
  uses: qualys/qualys-github/container-scan@v1
  with:
    qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
    qualys_pod: US3
    image_id: myorg/myapp:latest

Scanning Tar Archives

Scan a previously exported image tar file:

- name: Export and scan image
  run: docker save myapp:latest -o myapp.tar

- name: Scan tar archive
  uses: qualys/qualys-github/container-scan@v1
  with:
    qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
    qualys_pod: US3
    image_tar: myapp.tar

Policy Evaluation

Use Qualys cloud policies instead of local thresholds:

- name: Scan with policy
  uses: qualys/qualys-github/container-scan@v1
  with:
    qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
    qualys_pod: US3
    image_id: myapp:${{ github.sha }}
    use_policy: true
    fail_on_audit: true

Outputs

Output               Description
vulnerability_count  Total number of vulnerabilities found
critical_count       Number of critical severity vulnerabilities
high_count           Number of high severity vulnerabilities
medium_count         Number of medium severity vulnerabilities
low_count            Number of low severity vulnerabilities
secrets_count        Number of secrets detected
malware_count        Number of malware detections
policy_result        Policy evaluation result (ALLOW, DENY, AUDIT, or NONE)
scan_passed          true or false, depending on whether the thresholds (or the policy, when use_policy is true) were satisfied
sarif_path           Path to the SARIF report file
json_path            Path to the JSON report file
issues_created       Number of GitHub Issues created
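The threshold inputs (-1 = unlimited, otherwise the count may not exceed the maximum) and the policy inputs (DENY fails, AUDIT fails only when fail_on_audit is true) define the pass/fail rule the action applies. The following script is an added example, not part of the qualys/qualys-github action: it re-implements that rule as a standalone gate that you can call from a `run:` step with the outputs above, for instance to apply a different rule on pull requests than on main. It assumes that a policy_result of NONE means no policy was evaluated and is treated as a pass; the sample counts at the bottom are constructed.

```shell
# Added example (not the action's own code): a post-scan gate that mirrors the
# documented threshold and policy semantics so the rule can be inspected or
# extended in a plain run: step.

# exceeds COUNT MAX: succeeds when MAX is not -1 and COUNT is greater than MAX.
exceeds() {
  [ "$2" -ge 0 ] && [ "$1" -gt "$2" ]
}

# threshold_gate CRIT HIGH MED LOW MAX_CRIT MAX_HIGH MAX_MED MAX_LOW
# Reports every breached severity on stdout; returns 1 if any is breached.
threshold_gate() {
  rc=0
  if exceeds "$1" "$5"; then echo "critical: $1 exceeds max_critical=$5"; rc=1; fi
  if exceeds "$2" "$6"; then echo "high: $2 exceeds max_high=$6"; rc=1; fi
  if exceeds "$3" "$7"; then echo "medium: $3 exceeds max_medium=$7"; rc=1; fi
  if exceeds "$4" "$8"; then echo "low: $4 exceeds max_low=$8"; rc=1; fi
  return "$rc"
}

# policy_gate POLICY_RESULT FAIL_ON_AUDIT
# DENY fails; AUDIT fails only when fail_on_audit is "true"; ALLOW passes.
# Assumption: NONE (no policy evaluated) is treated as a pass.
policy_gate() {
  case "$1" in
    ALLOW|NONE) return 0 ;;
    DENY)       return 1 ;;
    AUDIT)      if [ "$2" = "true" ]; then return 1; else return 0; fi ;;
    *)          echo "unexpected policy_result: $1" >&2; return 2 ;;
  esac
}

# gate USE_POLICY POLICY_RESULT FAIL_ON_AUDIT CRIT HIGH MED LOW MAX_CRIT MAX_HIGH MAX_MED MAX_LOW
# Applies the policy rule when USE_POLICY is "true", the thresholds otherwise.
gate() {
  if [ "$1" = "true" ]; then
    policy_gate "$2" "$3"
  else
    threshold_gate "$4" "$5" "$6" "$7" "$8" "$9" "${10}" "${11}"
  fi
}

# Constructed sample run using the limits from the Complete Example
# (max_critical: 0, max_high: 5, medium and low unlimited) and made-up counts.
if [ "${GATE_DEMO:-}" = "1" ]; then
  gate false NONE false 0 3 12 40 0 5 -1 -1 && echo "gate: pass" || echo "gate: FAIL"
fi
```

In a workflow, source the script and call it with the step outputs, for example `gate "${{ inputs.use_policy }}" "${{ steps.scan.outputs.policy_result }}" true "${{ steps.scan.outputs.critical_count }}" "${{ steps.scan.outputs.high_count }}" "${{ steps.scan.outputs.medium_count }}" "${{ steps.scan.outputs.low_count }}" 0 5 -1 -1`; a non-zero return fails the step, and the breached severities are printed in the job log. Keep the scan step itself on `if: always()` semantics for the follow-up step so the report paths are still available when the gate fails.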

Next Steps

  • Code Scan - Scan source code for vulnerable dependencies
  • Configuration - Complete configuration reference
  • Overview - Return to GitHub Actions overview