GitHub Actions Integration

The Qualys GitHub integration provides two reusable GitHub Actions for security scanning: one for container images and one for source code (SCA). Both actions support SARIF upload to the GitHub Security tab and automatic issue creation.

View Source Repository →

Available Actions

Action	Purpose	Path
Container Scan	Scan Docker/OCI container images for vulnerabilities	`qualys/qualys-github/container-scan@v1`
Code Scan	Scan source code for vulnerable dependencies (SCA)	`qualys/qualys-github/code-scan@v1`

Capabilities

Container Vulnerability Scanning – Scan images for OS and application package vulnerabilities
Software Composition Analysis – Scan repositories for vulnerable dependencies
Secrets Detection – Identify hardcoded secrets in container layers and source code
SBOM Generation – Generate SPDX or CycloneDX SBOM (code scan only)
Policy Evaluation – Use Qualys cloud policies or local thresholds
SARIF Upload – Publish results to GitHub Security tab
Issue Creation – Automatically create GitHub Issues for vulnerabilities
Multi-Architecture – Scan linux/amd64 and linux/arm64 images

Prerequisites

A Qualys subscription with Container Security permissions
A Qualys API access token stored as a GitHub secret
GitHub Actions enabled on your repository

Quick Start

Container Scan

name: Container Security Scan

on:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      issues: write
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Scan container
        uses: qualys/qualys-github/container-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          image_id: myapp:${{ github.sha }}
          max_critical: 0
          max_high: 5
          upload_sarif: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Code Scan

name: Code Security Scan

on:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Scan code
        uses: qualys/qualys-github/code-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          generate_sbom: true
          sbom_format: spdx
          scan_secrets: true
          upload_sarif: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Workflow Outputs

Both actions provide outputs for use in subsequent steps:

Output	Description
`vulnerability_count`	Total vulnerabilities found
`critical_count`	Critical severity count
`high_count`	High severity count
`medium_count`	Medium severity count
`low_count`	Low severity count
`policy_result`	ALLOW, DENY, AUDIT, or NONE
`scan_passed`	true/false based on thresholds or policy
`sarif_path`	Path to SARIF report file
`json_path`	Path to JSON report file
`sbom_path`	Path to SBOM file (code scan only)
`issues_created`	Number of GitHub Issues created

Next Steps

Container Scan – Detailed container scanning options
Code Scan – Detailed code scanning options
Configuration – All configuration options