GitLab CI Configuration Reference

This page provides a complete reference for all configuration options available in the Qualys GitLab CI Component.

All Component Inputs

Authentication

| Input | Required | Default | Description |
|---|---|---|---|
| access_token | Yes | $QUALYS_ACCESS_TOKEN | Qualys API access token for authentication |
| pod | Yes | - | Qualys platform POD identifier (see Available PODs below) |

Available PODs

| POD | Region | API URL |
|---|---|---|
| US1 | United States | qualysapi.qualys.com |
| US2 | United States | qualysapi.qg2.apps.qualys.com |
| US3 | United States | qualysapi.qg3.apps.qualys.com |
| US4 | United States | qualysapi.qg4.apps.qualys.com |
| EU1 | Europe | qualysapi.qualys.eu |
| EU2 | Europe | qualysapi.qg2.apps.qualys.eu |
| IN1 | India | qualysapi.qg1.apps.qualys.in |
| CA1 | Canada | qualysapi.qg1.apps.qualys.ca |
| AU1 | Australia | qualysapi.qg1.apps.qualys.com.au |
| AE1 | UAE | qualysapi.qg1.apps.qualys.ae |
| JP1 | Japan | qualysapi.qg1.apps.qualys.co.jp |
| KSA1 | Saudi Arabia | qualysapi.qg1.apps.qualys.sa |

Scan Target

| Input | Required | Default | Description |
|---|---|---|---|
| image | Yes* | - | Container image to scan (name:tag or digest) |
| image_tar | No | - | Path to a tar archive of the image |
| platform | No | linux/amd64 | Target platform for multi-arch images |

* Exactly one of image or image_tar must be given; image is required only when image_tar is not specified.

Scan Configuration

| Input | Required | Default | Description |
|---|---|---|---|
| scan_mode | No | get-report | Scan operation mode: get-report, evaluate-policy, scan-only, inventory-only |
| scan_types | No | pkg | Comma-separated scan types: pkg, secret, malware, fileinsight, compliance |

Threshold Configuration

| Input | Required | Default | Description |
|---|---|---|---|
| fail_on_severity | No | - | Fail if any vulnerability is found at or above this Qualys severity (1-5); unset disables the check |
| max_critical | No | -1 | Maximum critical vulnerabilities allowed (-1 = unlimited) |
| max_high | No | -1 | Maximum high vulnerabilities allowed (-1 = unlimited) |
| max_medium | No | -1 | Maximum medium vulnerabilities allowed (-1 = unlimited) |
| max_low | No | -1 | Maximum low vulnerabilities allowed (-1 = unlimited) |

The severity floor and the per-severity counts are independent gates: the scan passes (exit code 0) only when every configured threshold holds.

Policy Configuration

| Input | Required | Default | Description |
|---|---|---|---|
| use_policy | No | false | Enable Qualys cloud policy evaluation |
| fail_on_audit | No | false | Fail the pipeline when the policy result is AUDIT |

Output Configuration

| Input | Required | Default | Description |
|---|---|---|---|
| output_format | No | gitlab | Report output format: gitlab, json, sarif |
| offline_mode | No | false | Scan without uploading results to the Qualys platform |

Advanced Options

| Input | Required | Default | Description |
|---|---|---|---|
| scan_timeout | No | 600 | Maximum scan duration in seconds |
| log_level | No | info | Logging verbosity: debug, info, warn, error |
| stage | No | test | GitLab CI stage for the scan job |

CI/CD Variables

Configure these variables in Settings > CI/CD > Variables:

| Variable | Required | Description | Recommended Settings |
|---|---|---|---|
| QUALYS_ACCESS_TOKEN | Yes | Qualys API access token | Masked, Protected |
| QUALYS_POD | No | Qualys platform POD | - |

A protected variable is only injected into pipelines running on protected branches or tags, so scans on unprotected feature branches will not receive the token unless you relax that setting or scan only on protected refs.

Output Artifacts

| Artifact | Description | GitLab Integration |
|---|---|---|
| gl-container-scanning-report.json | Container vulnerabilities in GitLab format | Security Dashboard - Container Scanning |
| gl-secret-detection-report.json | Secrets findings in GitLab format | Security Dashboard - Secret Detection |
| qualys-scan-results.json | Full Qualys scan results | Downloadable artifact |

Exit Codes

| Code | Meaning | Pipeline Result |
|---|---|---|
| 0 | Scan passed all thresholds/policy | Success |
| 1 | Scan error or failed to complete | Failed |
| 42 | Policy DENY - failed policy evaluation | Failed |
| 43 | Policy AUDIT - requires review | Failed if fail_on_audit is true, otherwise Success |

Codes 42 and 43 can only be produced when policy evaluation runs (use_policy: true or scan_mode: evaluate-policy).
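The threshold inputs above decide the verdict, but the reference does not show the arithmetic. The following Python script is an added example (not the Qualys component's own code) that reads a gl-container-scanning-report.json and applies the same semantics: each max_* count is an upper bound with -1 meaning unlimited, fail_on_severity is a floor on the Qualys 1-5 scale, and all configured gates must hold. The sample report is constructed, the Thresholds/evaluate/gate names are this example's own, and the mapping from GitLab severity labels to the Qualys 1-5 scale is an assumption the page does not state.

```python
"""Offline gate over a GitLab-format container scanning report.

Added example, not part of the Qualys GitLab CI Component. It lets a reviewer
reproduce a threshold verdict from the downloaded artifact without re-running
the pipeline.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

# ASSUMPTION (not stated on the page): how GitLab report severity labels map
# onto the Qualys 1-5 scale that fail_on_severity uses. Adjust for your tenant.
QUALYS_LEVEL: Dict[str, int] = {
    "Critical": 5,
    "High": 4,
    "Medium": 3,
    "Low": 2,
    "Info": 1,
    "Unknown": 1,
}

# Constructed sample in the GitLab container scanning report schema
# (gl-container-scanning-report.json); only the fields this gate reads are set.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "1", "severity": "Critical", "location": {"image": "registry.example/app:abc123"}},
        {"id": "2", "severity": "High", "location": {"image": "registry.example/app:abc123"}},
        {"id": "3", "severity": "High", "location": {"image": "registry.example/app:abc123"}},
        {"id": "4", "severity": "Medium", "location": {"image": "registry.example/app:abc123"}},
        {"id": "5", "severity": "Low", "location": {"image": "registry.example/app:abc123"}},
        {"id": "6", "severity": "Unknown", "location": {"image": "registry.example/app:abc123"}},
    ],
})


class Thresholds:
    """Mirror of the component's threshold inputs: -1 = unlimited, None = off."""

    def __init__(self, fail_on_severity: Optional[int] = None, max_critical: int = -1,
                 max_high: int = -1, max_medium: int = -1, max_low: int = -1) -> None:
        if fail_on_severity is not None and not 1 <= fail_on_severity <= 5:
            raise ValueError("fail_on_severity must be 1-5 or None")
        self.fail_on_severity = fail_on_severity
        self.limits = {"Critical": max_critical, "High": max_high,
                       "Medium": max_medium, "Low": max_low}


def count_by_severity(report_json: str) -> Counter:
    """Count findings per GitLab severity label; a missing label counts as Unknown."""
    report = json.loads(report_json)
    return Counter(v.get("severity", "Unknown")
                   for v in report.get("vulnerabilities", []))


def evaluate(counts: Counter, t: Thresholds) -> List[str]:
    """Return one message per violated threshold; an empty list means the gate passes.

    The count limits and the severity floor are checked independently, so a
    report can trip both at once and every breach is reported, not just the first.
    """
    violations: List[str] = []
    for sev, limit in t.limits.items():
        if limit >= 0 and counts[sev] > limit:  # Counter returns 0 for absent labels
            violations.append(f"{sev}: {counts[sev]} found, max {limit}")
    if t.fail_on_severity is not None:
        hits = sum(n for sev, n in counts.items()
                   if QUALYS_LEVEL.get(sev, 1) >= t.fail_on_severity)
        if hits:
            violations.append(
                f"{hits} finding(s) at Qualys severity >= {t.fail_on_severity}")
    return violations


def gate(report_json: str, t: Thresholds) -> int:
    """Exit-code style verdict: 0 when every threshold holds, 1 otherwise.

    The reference only documents 0 for a pass; 1 here is this script's own
    failure code, not a claim about what the component itself returns.
    """
    return 0 if not evaluate(count_by_severity(report_json), t) else 1


if __name__ == "__main__":
    # Same thresholds as the page's full configuration example.
    policy = Thresholds(fail_on_severity=4, max_critical=0, max_high=5, max_medium=20)
    for msg in evaluate(count_by_severity(SAMPLE_REPORT), policy):
        print("FAIL:", msg)
    raise SystemExit(gate(SAMPLE_REPORT, policy))
```

Running it against the sample report with the full-configuration thresholds reports both the Critical count breach and the three findings at or above severity 4, which is the practical point: with fail_on_severity set to 4 the max_high limit never gets a chance to matter, so pick one style of gate per pipeline.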

Example: Full Configuration

include:
  - component: gitlab.com/qualys/qualys-container-scan@1.0.0
    inputs:
      access_token: $QUALYS_ACCESS_TOKEN
      pod: "US3"
      image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      platform: "linux/amd64"
      scan_mode: "get-report"
      scan_types: "pkg,secret,malware"
      fail_on_severity: "4"
      max_critical: 0
      max_high: 5
      max_medium: 20
      use_policy: false
      fail_on_audit: false
      output_format: "gitlab"
      offline_mode: false
      scan_timeout: 900
      log_level: "info"
      stage: "security"

stages:
  - build
  - test
  - security
  - deploy

build:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  before_script:
    # Pass the password on stdin rather than with -p so it is not exposed in the process list
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

deploy:
  stage: deploy
  script:
    - echo "Deploying application..."
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  needs:
    # Job name created by the component; deploy only starts after the scan passes
    - qualys-container-scan

Example: Policy-Based Scanning

include:
  - component: gitlab.com/qualys/qualys-container-scan@1.0.0
    inputs:
      pod: "EU1"
      image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      scan_mode: "evaluate-policy"
      use_policy: true
      fail_on_audit: true

Example: Multiple Scan Types

include:
  - component: gitlab.com/qualys/qualys-container-scan@1.0.0
    inputs:
      pod: "US3"
      image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      scan_types: "pkg,secret,malware,compliance"
      fail_on_severity: "5"
