Jenkins Integration

The Qualys Jenkins plugin provides comprehensive security scanning for your Jenkins pipelines. It supports two scanner backends: QScanner (on-demand) and CICD Sensor (pre-installed), with support for container, code, and rootfs scanning.

View Source Repository →

Scanner Backends

Backend	Use Case	Authentication
QScanner	Ephemeral agents, cloud builds, no pre-installation	API Token
CICD Sensor	Dedicated build servers, faster scanning	Username/Password

Capabilities

Container Scanning – Scan Docker/OCI images for vulnerabilities
Code Scanning (SCA) – Scan source code for vulnerable dependencies
Rootfs Scanning – Scan filesystem directories directly
Secrets Detection – Identify hardcoded secrets
Malware Detection – Scan for malware in containers
SBOM Generation – Generate SPDX or CycloneDX SBOM
Jira Integration – Create Jira issues for vulnerabilities
Offline Scanning – Scan without uploading to Qualys platform
CloudBees CI – Full compatibility with CloudBees CI

Prerequisites

Jenkins 2.426.3 or later
Java 11 or later
A Qualys subscription with Container Security permissions
Docker (for container scanning)

Installation

From Update Center

Navigate to Manage Jenkins > Manage Plugins
Select the Available tab
Search for "Qualys Scanner"
Install and restart Jenkins

Manual Installation

Download the qualys-scanner.hpi file
Navigate to Manage Jenkins > Manage Plugins > Advanced
Upload the plugin file
Restart Jenkins

Quick Start - Pipeline

QScanner Backend

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }
        stage('Security Scan') {
            steps {
                qualysScan(
                    credentialsId: 'qualys-api-token',
                    scannerBackend: 'qscanner',
                    scanType: 'container',
                    imageId: "myapp:${BUILD_NUMBER}",
                    maxCritical: 0,
                    maxHigh: 5,
                    scanSecrets: true,
                    publishSarif: true
                )
            }
        }
    }
}

CICD Sensor Backend

pipeline {
    agent { label 'qualys-sensor' }
    stages {
        stage('Security Scan') {
            steps {
                qualysScan(
                    scannerBackend: 'cicd_sensor',
                    cicdCredentialsId: 'qualys-username-password',
                    scanType: 'container',
                    imageId: "myapp:${BUILD_NUMBER}",
                    pollingInterval: 10,
                    vulnsTimeout: 600
                )
            }
        }
    }
}

Scan Types

Type	Description	QScanner	CICD Sensor
`container`	Container image scanning	Yes	Yes
`code`	Source code SCA scanning	Yes	No
`rootfs`	Filesystem directory scanning	Yes	No

Pipeline Result Object

Access scan results in pipeline scripts:

def result = qualysScan(
    credentialsId: 'qualys-api-token',
    scanType: 'container',
    imageId: 'myapp:latest'
)

echo "Total vulnerabilities: ${result.totalVulnerabilities}"
echo "Critical: ${result.criticalCount}"
echo "Policy result: ${result.policyResult}"
echo "Scan passed: ${result.thresholdsPassed}"

Next Steps

QScanner Backend – On-demand scanning configuration
CICD Sensor – Pre-installed sensor configuration
Configuration – All configuration options