
Qualys Container Security (CS)

Discover, track and continuously secure containers – from build to runtime

Qualys Container Security allows you to discover, track and continuously secure containers – from build to runtime. It provides deep visibility across on-premises container environments and managed containers across multiple cloud providers. Qualys Container Security is an integral part of the Qualys TotalCloud solution, allowing organizations to start and stay secure in their cloud environments.

Detect Drift

Detect vulnerability and configuration drift in running containers

Identify Risks

Analyze vulnerability scans on images and containers, and identify risks

Inventory Assets

Discover container environments: images, registries, associated containers

Highlights

Visibility into your container projects

Qualys Container Security (CS) gives you complete visibility of container hosts wherever they are in your global IT environment — on-premises and in the cloud. It gathers comprehensive topographic information about your container projects — images, image registries, and containers spun from the images. Dynamic and customizable dashboards provide complete inventory and security posture from containers to hosts.

Security for the entire DevOps pipeline

Containerized application development is an easy and open process, but it has a downside: the often inadvertent use of third-party software components with vulnerabilities. With Qualys CS, security teams can enforce policies to block the use of images with specific vulnerabilities or vulnerabilities above a certain severity threshold. Developers can do continuous vulnerability detection in the DevOps pipeline by deploying plugins for CI/CD tools like Jenkins or Bamboo, or by using the REST APIs.

Threat identification, impact assessment, and remediation prioritization

By the nature of their deployment, containers have an increased surface area. With Qualys CS, you can search for images in your environment with high-severity vulnerabilities, unapproved packages, and older or test release tags. You can then assess their impact by identifying all containers — active or dormant — that use the unapproved, vulnerable images. Qualys CS helps you determine if these images are cached on different hosts and identify all the containers on exposed, vulnerable network ports running with privileges, which could lead to attacks.

REST APIs and Integrations

Qualys CS’s features are available as REST APIs. These are clearly documented with examples and easy test options in Swagger, enabling DevOps teams to integrate security across their CI/CD toolchain. You can further automate security data aggregation into SIEMs and ticketing processes with purpose-built connectors for Splunk.


Discover and inventory container assets

Qualys Container Security provides centralized, continuous discovery and tracking for containers and images. Deploy Qualys’ new native container sensor as a ‘side-car’ container on the Docker hosts across build, registry, or active deployments located on-premises or in clouds.

  • Provide users a quick overview of inventory via pre-built dashboards, and personalize or build your own with custom widgets.

  • Get comprehensive topographic information about the container environments: images, registries, associated containers (active and dormant), and hosts.

  • View comprehensive metadata for every image, including labels, tags, installed software, layers, and the association information.

  • View comprehensive metadata for every container, including environment variables used during deployment, services, users, network information, exposed ports, privileged status, and association information to other containers built off the same parent image, in addition to the host or pod they are on.

  • Use filters for quick lookup based on all the attributes, save searches, and download search results in various formats such as CSV and PDF.


Perform container-native vulnerability analysis

Qualys CS provides comprehensive coverage and high-accuracy vulnerability scanning of images that allows security analysts to rapidly analyze the real threats and focus on remediation rather than wasting time clearing false positives, which are prevalent in results from other container scanning products.

  • Get comprehensive coverage, from standard Linux OS distributions to container-centric OSes (like CoreOS and Alpine), applications (like NGINX, PostgreSQL, MySQL, Redis, and MongoDB), and programming languages (like Python, NodeJS, RubyGems, GoLang, and Java).

  • Run vulnerability scans on images and running containers, and obtain detailed reports of vulnerable software with patchable version information.

  • Identify the composition of the image using layer details gathered by Qualys CS.


Vulnerability analysis in the DevOps pipeline

Qualys CS features a vulnerability analysis plugin for the CI/CD tool Jenkins, and soon for other CI/CD tools, including Bamboo, TeamCity, and CircleCI. You can download the plugins directly from within the container security module. With Qualys CS, security teams can participate in the DevOps process to gate vulnerable images entering the system while developers get actionable data to remediate vulnerabilities.

  • Configure policies for preventing vulnerable images from entering the repositories. Set policies based on criteria such as vulnerability severity and specific QIDs.

  • Review from within the plugin a summary of the build with its vulnerabilities, information on patchable software and fixed versions, and image layers where it is present.


Detect and block drifting runtimes

Container infrastructure is immutable, meaning containers must be identical to the images they are baked from. With Qualys CS, you can detect containers that break this immutable behavior and understand if unapproved executions and malicious events are happening in the running containers.

  • Detect drifting containers by vulnerabilities, software packages, and configuration.

  • Get a complete understanding of the anomaly via a granular classification of rogue vulnerabilities and software packages.


Monitor and block behaviors in running containers

Containers must be identical to the images they are generated from. When containers deviate from their parent images, it can be a sign that they have security or compliance flaws, creating a risk for your organization. With Qualys CS’ add-on Container Runtime Security (CRS) feature, you can monitor, allow or block behaviors inside running containers based on pre-defined policies.

  • Easily add lightweight security instrumentation to your container images in your build pipeline with policies to govern their runtime behavior around file access, network communications, and process activity

  • Get complete visibility into running containers through continuous collection of data about their file access, network communications, and process activity

  • Choose to monitor, allow or block specific container behavior based on policies. Policies can be created from scratch, chosen from the built-in policy library, or generated automatically from learned container behaviors

  • Dynamically update the policies applied to a running container without having to restart it

  • Get alerted instantly about runtime containers that violate security and compliance policies

  • See container runtime policy events and behavioral events on your Qualys dashboard and drill down for details

  • Protect running containers everywhere – on-premises, in private clouds, or in container-as-a-service (CaaS) public clouds


Qualys Container Sensor

Qualys has developed a native sensor available as an image for Docker-based containers, which is deployed as a ‘side-car’ unprivileged container on Docker hosts.

  • Container Sensor supports Docker containers running on Linux and is deployable across Kubernetes, Docker Swarm, and other orchestration environments.

  • You can generate daemon sets for Kubernetes and download sample templates for Docker Swarm and other orchestration environments.

  • Container Sensor is self-updating and can be configured to communicate over proxies.
