# CICD Sensor Backend

The CICD Sensor backend uses a pre-installed Qualys sensor on your build agents for container scanning. This approach provides faster scan times and reduced network traffic, making it ideal for dedicated build servers with persistent agents.
## Overview

| Feature | Description |
|---|---|
| Authentication | Username/Password |
| Scanner Delivery | Pre-installed on build agent |
| Scan Types | Container only |
| Best For | Dedicated build servers, high-volume scanning |
| Result Retrieval | Polling-based |
## How It Works

- The Qualys CICD Sensor runs as a daemon on your Jenkins agent
- The Jenkins plugin triggers a scan via the local sensor API
- The sensor scans the container image and uploads results to the Qualys cloud
- The plugin polls the Qualys cloud for scan results
- Results are returned to the pipeline for threshold evaluation
## Installing the CICD Sensor

### Linux Installation

```bash
# Download the sensor installer
curl -O https://qualys-sensor.s3.amazonaws.com/cicd-sensor/qualys-cicd-sensor-linux-amd64.tar.gz

# Extract and install
tar -xzf qualys-cicd-sensor-linux-amd64.tar.gz
cd qualys-cicd-sensor
sudo ./install.sh

# Configure the sensor
sudo qualys-cicd-sensor configure \
  --activation-id YOUR_ACTIVATION_ID \
  --customer-id YOUR_CUSTOMER_ID

# Start the sensor service
sudo systemctl start qualys-cicd-sensor
sudo systemctl enable qualys-cicd-sensor
```
### Docker Installation

```bash
docker run -d \
  --name qualys-cicd-sensor \
  --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e ACTIVATION_ID=YOUR_ACTIVATION_ID \
  -e CUSTOMER_ID=YOUR_CUSTOMER_ID \
  qualys/cicd-sensor:latest
```

Mounting `/var/run/docker.sock` gives the sensor container full control of the host's Docker daemon, which it needs to read local images; run it only on agents where that level of access is acceptable.
## Setting Up Credentials

Create a Jenkins credential for the Qualys username/password:

- Navigate to Manage Jenkins > Manage Credentials
- Select the appropriate domain (or global)
- Click Add Credentials
- Select Username with password
- Enter your Qualys platform username and password
- Set ID to `qualys-username-password`
- Save the credential
## Pipeline Examples

### Basic Container Scan

```groovy
pipeline {
    agent { label 'qualys-sensor' }
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }
        stage('Security Scan') {
            steps {
                qualysScan(
                    scannerBackend: 'cicd_sensor',
                    cicdCredentialsId: 'qualys-username-password',
                    scanType: 'container',
                    imageId: "myapp:${BUILD_NUMBER}",
                    pollingInterval: 10,
                    vulnsTimeout: 600
                )
            }
        }
    }
}
```
### With Thresholds and Policy

```groovy
pipeline {
    agent { label 'qualys-sensor' }
    stages {
        stage('Security Scan') {
            steps {
                qualysScan(
                    scannerBackend: 'cicd_sensor',
                    cicdCredentialsId: 'qualys-username-password',
                    scanType: 'container',
                    imageId: "myapp:${BUILD_NUMBER}",
                    maxCritical: 0,
                    maxHigh: 5,
                    usePolicy: true,
                    failOnAudit: true,
                    pollingInterval: 10,
                    vulnsTimeout: 600
                )
            }
        }
    }
}
```
## CICD Sensor Parameters

### Authentication

| Parameter | Required | Default | Description |
|---|---|---|---|
| `cicdCredentialsId` | Yes | - | Jenkins credential ID for Qualys username/password |
| `qualysPod` | No | US1 | Qualys platform POD |

### Scanner Configuration

| Parameter | Required | Default | Description |
|---|---|---|---|
| `scannerBackend` | Yes | - | Set to `'cicd_sensor'` |
| `scanType` | Yes | - | Set to `'container'` |

### Scan Target

| Parameter | Required | Default | Description |
|---|---|---|---|
| `imageId` | Yes | - | Container image to scan (name:tag or digest) |

### Polling Configuration

| Parameter | Required | Default | Description |
|---|---|---|---|
| `pollingInterval` | No | 10 | Interval in seconds between result polling attempts |
| `vulnsTimeout` | No | 600 | Maximum time in seconds to wait for vulnerability results |

### Threshold Configuration

| Parameter | Required | Default | Description |
|---|---|---|---|
| `maxCritical` | No | -1 | Maximum critical vulnerabilities allowed |
| `maxHigh` | No | -1 | Maximum high vulnerabilities allowed |
| `maxMedium` | No | -1 | Maximum medium vulnerabilities allowed |
| `maxLow` | No | -1 | Maximum low vulnerabilities allowed |

### Policy Configuration

| Parameter | Required | Default | Description |
|---|---|---|---|
| `usePolicy` | No | false | Enable Qualys cloud policy evaluation |
| `failOnAudit` | No | false | Fail build when policy result is AUDIT |
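The threshold and policy tables above define the gate a scan has to pass. The following is an added example, not code from the Qualys plugin: it re-implements those gating rules as plain POSIX shell functions so the semantics (a limit of `-1` means the severity is not gated, `0` means none allowed, and `failOnAudit` only matters when `usePolicy` is on) can be exercised against constructed counts outside Jenkins. The polling-budget helper assumes the plugin simply divides `vulnsTimeout` by `pollingInterval`.

```shell
#!/bin/sh
# Added example (not plugin code): mirrors the CICD Sensor gating rules.

# within_limit COUNT MAX -> status 0 when COUNT is allowed under MAX.
# MAX of -1 (the plugin default) disables the gate for that severity.
within_limit() {
  [ "$2" -lt 0 ] && return 0
  [ "$1" -le "$2" ]
}

# evaluate_thresholds CRIT HIGH MED LOW MAXCRIT MAXHIGH MAXMED MAXLOW
# Prints every breached severity; returns 1 if any limit was exceeded.
evaluate_thresholds() {
  rc=0
  set -- "critical $1 $5" "high $2 $6" "medium $3 $7" "low $4 $8"
  for entry in "$@"; do
    set -- $entry   # $1=severity $2=count $3=max
    within_limit "$2" "$3" || { echo "threshold breached: $1=$2 (max $3)"; rc=1; }
  done
  return $rc
}

# policy_gate USEPOLICY FAILONAUDIT POLICYRESULT -> 1 when the build must fail.
policy_gate() {
  [ "$1" = "true" ] || return 0   # usePolicy=false: policy is not evaluated
  [ "$2" = "true" ] || return 0   # failOnAudit=false: AUDIT is reported only
  [ "$3" != "AUDIT" ]
}

# max_poll_attempts INTERVAL TIMEOUT -> polling rounds that fit in the budget
# (assumed: defaults of 10 s and 600 s give 60 attempts).
max_poll_attempts() {
  echo $(( $2 / $1 ))
}

# scan_gate: combined verdict, same inputs as the two functions above.
scan_gate() {
  evaluate_thresholds "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" || return 1
  policy_gate "$9" "${10}" "${11}"
}

# Constructed sample result (fields mirror criticalCount/highCount/policyResult)
CRIT=0; HIGH=7; MED=12; LOW=30; POLICY=AUDIT
if scan_gate "$CRIT" "$HIGH" "$MED" "$LOW" 0 5 -1 -1 true true "$POLICY"; then
  echo "scan gate: PASSED"
else
  echo "scan gate: FAILED"   # HIGH=7 exceeds maxHigh=5
fi
```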
## Comparison: QScanner vs CICD Sensor

| Feature | QScanner | CICD Sensor |
|---|---|---|
| Installation | None (downloaded at runtime) | Pre-installed on agent |
| Authentication | API Token | Username/Password |
| Container Scanning | Yes | Yes |
| Code Scanning | Yes | No |
| Rootfs Scanning | Yes | No |
| Ephemeral Agents | Ideal | Not recommended |
| Dedicated Agents | Supported | Ideal |
| Scan Speed | Includes download time | Faster (no download) |
## Accessing Scan Results

```groovy
pipeline {
    agent { label 'qualys-sensor' }
    stages {
        stage('Security Scan') {
            steps {
                script {
                    def result = qualysScan(
                        scannerBackend: 'cicd_sensor',
                        cicdCredentialsId: 'qualys-username-password',
                        scanType: 'container',
                        imageId: 'myapp:latest',
                        pollingInterval: 10,
                        vulnsTimeout: 600
                    )
                    echo "Total vulnerabilities: ${result.totalVulnerabilities}"
                    echo "Critical: ${result.criticalCount}"
                    echo "High: ${result.highCount}"
                    echo "Policy result: ${result.policyResult}"
                    if (!result.thresholdsPassed) {
                        currentBuild.result = 'UNSTABLE'
                    }
                }
            }
        }
    }
}
```
## Troubleshooting

### Sensor Not Found

Ensure the CICD sensor is installed and running on the agent:

```bash
sudo systemctl status qualys-cicd-sensor
```

### Timeout Waiting for Results

Increase the `vulnsTimeout` parameter or check network connectivity to the Qualys cloud.

### Authentication Failed

Verify that the username/password credentials are correct and that the account has Container Security permissions.