Tips for Achieving a Successful Container/Image Scan

Document created by Alex Mandernack Employee on Jan 13, 2020Last modified by Alex Mandernack Employee on Jan 28, 2020
Version 9Show Document
  • View in full screen mode

Outlined below are some general tips to achieving a successful container and/or container image scan.


  • Ensure that the Qualys CS Sensor is deployed on the container host that has the container/image(s) you wish to scan.
  • Ensure that the Qualys CS Sensor deployed is up to date (running the most current/latest available).
  • Ensure that the latest sensor is being used, we are regularly providing enhancements and bug fixes.
  • Ensure that the host is running Docker, specifically version 1.12 or later.
  • Ensure that the Docker host is an OS supported by Qualys CS: Ubuntu, Red Hat Enterprise Linux, Debian, CentOS, MAC, CoreOS
  • Ensure that the Container/Image OS is an OS supported by Qualys CS: Ubuntu, Red Hat Enterprise Linux, Debian, CentOS, Alpine, Amazon Linux, Amazon Linux 2.
  • Container/Image is not a scratch image.
  • Container/Image supports shell access.
  • Container/Image Package Manager is RPM, DPKG, or Alpine.
  • Ensure the CS Sensor has connectivity to the Qualys Cloud Platform via port 443 (proxy is supported).
  • Ensure the CS Sensor is running in the correct mode, note there are 3 different modes: General, Registry, CI. See the CS User Guide for details on each. Verify the sensor type by examining the logs, or looking in the Qualys console at the Configurations>Sensors tab.
  • If the CS Sensor has just come online (recently spun up) ensure it has had enough time to download and apply manifest updates from the Qualys Platform and is ready for scanning (this can take a few minutes depending on many factors).


Tips for a successful image scan via a registry scan.


See the registry scanning documentation prior to proceeding:

AWS Elastic Container Registry (ECR) Scanning Tips 


  • Follow all above tips regarding the image/host level requirements.
  • Ensure the host has enough disk space to support the image. We recommend a minimum of 20GB of disk space (assuming default sensor configuration), however depending on the size of the images to be pulled/scanned, and the concurrent number of scans set (max of 10), you may require more. A general image size assumption may need to be made. A safe number may be upwards of 100GB or more, depending on the above factors.
  • Ensure the image was built by Docker 1.12 or later.
  • Image must meet Docker image manifest v2 specification (Image Manifest V 2, Schema 2 | Docker Documentation), v1 is not supported.
  • Ensure the image was created within the last 90 days if using automatic or on-demand "By date" options.
  • Ensure the Docker host (with CS Sensor installed in Registry mode) has a sufficient and stable network connection to both the registry and Qualys Cloud Platform.


AWS Elastic Container Registry scanning tips

AWS Elastic Container Registry (ECR) Scanning Tips  


GCP Google Container Registry scanning tips

GCP Google Container Registry (GCR) Scanning Tips 


What to do if none of the above works for me?

  • Checking the sensor logs is generally a good place to start. (The CS User Guide details this out)
  • Open a Qualys support ticket and engage your TAM.
    • Provide sensor log(s)
    • Screenshots
    • Errors encountered
    • Run the diagnostic script (p. 37 of Sensor Deployment Guide)
    • As much detail as possible surrounding the environment and issue



Note: All of the above tips can be found in the Container Security User Guide and Sensor Deployment Guide. Please read the guides for full explanations and details, as well as the latest and up to date information. 

3 people found this helpful