Qualys CI/CD Security Integration
Welcome to the Qualys CI/CD Security Integration documentation. This guide provides comprehensive information on integrating Qualys container and code security scanning into your CI/CD pipelines.
Shift security left by scanning container images and source code for vulnerabilities during your build process. Identify issues before they reach production with policy-based gating and automated issue tracking.
Supported Platforms
- GitHub Actions – Two reusable actions for container and code scanning with SARIF upload and GitHub Issues integration
- GitLab CI – Native CI component with GitLab Security Dashboard integration for container scanning
- Jenkins – Full-featured plugin with dual scanner backends (QScanner and CICD Sensor) and Jira integration
- Azure DevOps – Pipeline extension with container and code scanning tasks, SARIF publishing, and work item creation
Key Features
- Container Vulnerability Scanning – Scan Docker/OCI images for OS and application package vulnerabilities
- Software Composition Analysis (SCA) – Scan source code for vulnerable dependencies
- Secrets Detection – Identify hardcoded secrets, API keys, and credentials
- SBOM Generation – Generate Software Bill of Materials in SPDX or CycloneDX format
- Policy Evaluation – Use centralized Qualys cloud policies for consistent enforcement
- Threshold Gating – Configure maximum allowed vulnerabilities per severity level
- Issue Tracking – Automatically create GitHub Issues, Jira tickets, or Azure Work Items