GitLab CI Integration

The Qualys GitLab integration provides a native CI component for container vulnerability scanning with direct integration into the GitLab Security Dashboard. Scan results appear in the Security tab alongside other GitLab security features.

View Source Repository →

Capabilities

Container Vulnerability Scanning – Scan container images for OS and package vulnerabilities
Secrets Detection – Identify hardcoded secrets in container layers
Malware Detection – Scan for malware in container images
GitLab Security Dashboard – Native integration with container scanning and secret detection reports
Policy Evaluation – Use Qualys cloud policies or severity thresholds
Pipeline Gating – Fail pipelines based on scan results

Prerequisites

GitLab 16.0 or later
GitLab Runner with Docker executor
A Qualys subscription with Container Security permissions
A Qualys API access token stored as a CI/CD variable

Quick Start

Include the Qualys CI component in your .gitlab-ci.yml:

include:
  - component: gitlab.com/qualys/qualys-container-scan@1.0.0
    inputs:
      pod: "US3"
      image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      scan_types: "pkg,secret"
      fail_on_severity: "4"

Scan Modes

Mode	Description
`get-report`	Scan and generate vulnerability report (default)
`evaluate-policy`	Evaluate against Qualys cloud policies
`scan-only`	Scan without generating reports
`inventory-only`	Collect inventory without vulnerability matching

Scan Types

Type	Description
`pkg`	Package vulnerability scanning (default)
`secret`	Secrets detection
`malware`	Malware detection
`fileinsight`	File analysis and insight
`compliance`	Compliance checking

Exit Codes

The CI component uses exit codes to indicate scan results:

Code	Meaning
0	Success - scan passed thresholds/policy
1	Error - scan failed to complete
42	Policy DENY - scan failed policy evaluation
43	Policy AUDIT - scan requires review

Security Dashboard Integration

Scan results are automatically published to the GitLab Security Dashboard:

Container Scanning – gl-container-scanning-report.json
Secret Detection – gl-secret-detection-report.json

View results in your project's Security & Compliance > Vulnerability Report.

Next Steps

CI Component – Detailed component usage
Configuration – All configuration options