Discover, track and continuously secure containers – from build to runtime.
Container-ready security and compliance platform for global hybrid IT environments
"The Qualys approach [to runtime security] empowers security to follow the container image with built-in instrumentation, enabling visibility and behavior enforcement for running containers across all types of container infrastructure."
Frank Dickson, Program Vice President, IDC Cybersecurity Products

"Security and risk management leaders must address container security issues around vulnerabilities, visibility, compromise and compliance."
Neil MacDonald, VP and Distinguished Analyst, Gartner
Qualys Container Security provides centralized, continuous discovery and tracking for containers and images. Deploy Qualys’ new native container sensor as a ‘side-car’ container on the Docker hosts across build, registry or active deployments, whether located on premises or in clouds.
Provide users a quick overview of inventory via pre-built dashboards, and personalize or build your own with custom widgets.
Get comprehensive topographic information about the container environments: images, registries, associated containers (both active and dormant), and hosts.
View comprehensive metadata for every image including labels, tags, installed software, layers and the association information.
View comprehensive metadata for every container, including environment variables used during deployment, services, users, network information, exposed ports, privileged status, and association information to other containers built off the same parent image, in addition to the host or pod they are on.
Use smart filters for quick lookup based on all the attributes, save searches and download search results in various formats such as CSV and PDF.
Qualys CS provides wide coverage and high accuracy vulnerability scanning of images by understanding how all of an image’s layers work in unison. This allows security analysts to rapidly analyze the real threats and focus on remediation, rather than wasting time clearing false positives which are prevalent in results from other container scanning products.
Get comprehensive coverage, from standard Linux OS distributions to container-centric OSes (like CoreOS and Alpine), applications (like NGINX, PostgreSQL, MySQL, Redis and MongoDB), and programming languages (like Python, Node.js, RubyGems, Go and Java).
Run vulnerability scans on images and running containers, and obtain detailed reports of vulnerable software with patchable version information.
Identify the composition of the image using layer details gathered by Qualys CS.
Qualys CS features a vulnerability analysis plug-in for the CI/CD tool Jenkins, and soon for other CI/CD tools including Bamboo, TeamCity, and CircleCI. You can download the plugins directly from within the container security module. With Qualys CS, security teams can participate in the DevOps process to gate vulnerable images entering the system, while developers get actionable data to remediate vulnerabilities.
Configure policies for preventing vulnerable images from entering the repositories. Set policies based on criteria such as vulnerability severity, and specific QIDs.
Review from within the plug-in a summary of the build with its vulnerabilities, information on patchable software and fixed versions, and the image layers where each vulnerability is present.
Container infrastructure is immutable by design, which means running containers should be identical to the images they were built from. With Qualys CS, you can detect containers that break this immutability and understand whether unapproved executions or malicious events are happening inside the running containers.
Detect drifting containers by vulnerabilities, software packages and configuration.
Get a complete understanding of the anomaly via a granular classification of rogue vulnerabilities and software packages.
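The drift classification described above, as an added example that is not Qualys code: it compares a running container's package inventory, the vulnerabilities those packages carry, and a few configuration attributes against its parent image. All inventories, the vulnerability lookup table and the vulnerability identifiers are constructed placeholders, not real QIDs.

```python
# Added example (not Qualys code): classify container drift relative to its parent image.
from dataclasses import dataclass, field


@dataclass
class DriftReport:
    added_packages: dict = field(default_factory=dict)    # name -> version only in container
    removed_packages: dict = field(default_factory=dict)  # name -> version only in image
    changed_packages: dict = field(default_factory=dict)  # name -> (image_ver, container_ver)
    rogue_vulns: set = field(default_factory=set)         # vuln ids present only in the container
    config_drift: dict = field(default_factory=dict)      # key -> (image value, container value)

    def is_drifted(self) -> bool:
        return any([self.added_packages, self.removed_packages,
                    self.changed_packages, self.rogue_vulns, self.config_drift])


def classify_drift(image_pkgs, container_pkgs, vuln_db, image_cfg, container_cfg):
    """image_pkgs/container_pkgs: {name: version}; vuln_db: {(name, version): {vuln ids}}."""
    r = DriftReport()
    for name, ver in container_pkgs.items():
        if name not in image_pkgs:
            r.added_packages[name] = ver
        elif image_pkgs[name] != ver:
            r.changed_packages[name] = (image_pkgs[name], ver)
    for name, ver in image_pkgs.items():
        if name not in container_pkgs:
            r.removed_packages[name] = ver
    # A vulnerability is "rogue" when the drifted container carries it but the image never did.
    image_vulns = set().union(*(vuln_db.get(p, set()) for p in image_pkgs.items()))
    container_vulns = set().union(*(vuln_db.get(p, set()) for p in container_pkgs.items()))
    r.rogue_vulns = container_vulns - image_vulns
    for key in set(image_cfg) | set(container_cfg):
        if image_cfg.get(key) != container_cfg.get(key):
            r.config_drift[key] = (image_cfg.get(key), container_cfg.get(key))
    return r


# Constructed sample inventories: curl was downgraded, netcat was installed at runtime,
# and the container was started privileged with an extra exposed port.
IMAGE_PKGS = {"openssl": "1.1.1k", "curl": "7.74.0", "nginx": "1.20.1"}
CONTAINER_PKGS = {"openssl": "1.1.1k", "curl": "7.70.0", "nginx": "1.20.1", "netcat": "1.10"}
VULN_DB = {("curl", "7.70.0"): {"VULN-CURL-1"},      # placeholder ids, not real QIDs
           ("openssl", "1.1.1k"): {"VULN-SSL-1"},
           ("netcat", "1.10"): {"VULN-NC-1"}}
IMAGE_CFG = {"privileged": False, "exposed_ports": (80,)}
CONTAINER_CFG = {"privileged": True, "exposed_ports": (80, 2222)}
```

Running classify_drift on the constructed data flags netcat as an added package, curl as a version change, and VULN-CURL-1 and VULN-NC-1 as rogue vulnerabilities, while VULN-SSL-1 is excluded because the image already carried it.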
Containers must be identical to the images they are generated from. When containers deviate from their parent images, it can be a sign that they have security or compliance flaws, creating a risk for your organization. With Qualys CS’ add-on Container Runtime Security (CRS) feature, you can monitor, allow or block behaviors inside running containers, based on pre-defined policies.
Easily add lightweight security instrumentation to your container images in your build pipeline, with policies to govern their runtime behavior around file access, network communications and process activity.
Get full visibility into running containers through continuous collection of data about their file access, network communications and process activity.
Choose to monitor, allow or block specific container behavior based on policies. Policies can be created from scratch, chosen from the built-in policy library or generated automatically from learnt container behaviors.
Dynamically update the policies applied to a running container without having to restart it.
Get alerted instantly about running containers that violate security and compliance policies.
See container runtime policy events and behavioral events on your Qualys dashboard and drill down for details.
Protect running containers everywhere: on premises, in private clouds, or in container-as-a-service (CaaS) public clouds.
Qualys has developed a native sensor available as an image for Docker-based containers. It is deployed as an unprivileged ‘side-car’ container on Docker hosts.
Container Sensor supports Docker containers running on Linux, and is deployable across Kubernetes, Docker Swarm and other orchestration environments.
You can generate daemon sets for Kubernetes, and download sample templates for Docker Swarm and other orchestration environments.
Container Sensor is self-updating and can be configured to communicate over proxies.
All Qualys CS features are available as REST APIs. These are clearly documented with examples and easy test options in Swagger, enabling DevOps teams to integrate security across their CI/CD tool chain. You can further automate the aggregation of security data into SIEMs and ticketing processes with purpose-built connectors for Splunk and ServiceNow (coming soon).