Compliance Scanning

Qualys supports compliance scanning and assessment of running containers and container images. You can perform Policy Compliance (PC) checks and configuration assessments on both. The supported controls are a subset of the CIS Docker Benchmark, specifically those that apply to running containers and container images. Use the Qualys findings to assess configuration risk in your running containers and images and remediate it accordingly.

Prerequisites

- The container compliance feature must be enabled for your subscription. Please reach out to your Technical Account Manager or Qualys Support to have this feature enabled for your subscription.

- Upgrade the container sensors in your subscription to Container Sensor 1.7.0 (or later). Earlier sensors scan containers and images for vulnerabilities only; 1.7.0 adds the configuration scan needed for compliance assessment.

How it works

The updated Qualys Container Sensor runs an additional scan of the configuration of containers and images and uploads the resulting scan metadata to the Qualys backend. The backend, not the sensor, then assesses that metadata against the supported industry-standard benchmark controls. Compliance scans are transparent to customers and run in the same real-time, cloud-native manner as vulnerability scanning. Results are available in the UI and through the API. In the UI, open the Image or Container details to see the compliance posture (PASS or FAIL) of each control together with the control information.
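The following is an added illustration, not Qualys sensor or backend code, of the kind of assessment described above: container configuration (here, constructed records shaped like `docker inspect` output) is evaluated control by control, each control gets a PASS or FAIL posture, and the postures are summarised into the PASS/FAIL counts and filtered by criticality and posture the way the UI list views and search do. The control IDs, their criticality ratings and the sample containers are assumptions made for this example; the CIS section numbers follow the v1.2.0 benchmark as I recall it and differ between benchmark versions, and the page does not list which controls Qualys actually implements.

```python
"""Added example (not Qualys code): a CIS-Docker-style configuration assessment.

Reads container records shaped like `docker inspect` output, evaluates each control,
and reports a PASS/FAIL posture per control plus the PASS/FAIL counts that the
Compliance column shows. Control IDs, criticalities and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    cid: str                        # hypothetical control ID (CIS section used as a label)
    criticality: str                # MINIMAL, MEDIUM, SERIOUS, CRITICAL or URGENT (assumed)
    statement: str
    passes: Callable[[dict], bool]  # True when the container satisfies the control


def _host(c: dict) -> dict:
    return c.get("HostConfig") or {}


def _user_created(c: dict) -> bool:
    # Config.User is "" when the image falls back to root; "0" or "root" is root as well.
    user = (c.get("Config") or {}).get("User") or ""
    return user.split(":")[0] not in ("", "0", "root")


def _not_privileged(c: dict) -> bool:
    return not _host(c).get("Privileged", False)


def _readonly_rootfs(c: dict) -> bool:
    return bool(_host(c).get("ReadonlyRootfs", False))


def _no_new_privileges(c: dict) -> bool:
    # `--security-opt no-new-privileges` shows up as either spelling in inspect output.
    opts = _host(c).get("SecurityOpt") or []
    return any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts)


def _docker_socket_not_mounted(c: dict) -> bool:
    return not any(m.get("Source") == "/var/run/docker.sock" for m in c.get("Mounts") or [])


# Section numbers as in CIS Docker Benchmark v1.2.0 (numbering differs between versions).
CONTROLS: List[Control] = [
    Control("CIS-4.1", "SERIOUS", "Ensure that a user for the container has been created", _user_created),
    Control("CIS-5.4", "CRITICAL", "Ensure that privileged containers are not used", _not_privileged),
    Control("CIS-5.12", "MEDIUM", "Ensure that the container's root filesystem is mounted as read only", _readonly_rootfs),
    Control("CIS-5.25", "SERIOUS", "Ensure that the container is restricted from acquiring additional privileges", _no_new_privileges),
    Control("CIS-5.31", "CRITICAL", "Ensure that the Docker socket is not mounted inside any containers", _docker_socket_not_mounted),
]


def assess(container: dict) -> List[dict]:
    """Evaluate every control against one container record; returns per-control findings."""
    return [
        {"cid": ctl.cid, "criticality": ctl.criticality, "statement": ctl.statement,
         "posture": "PASS" if ctl.passes(container) else "FAIL"}
        for ctl in CONTROLS
    ]


def summarize(findings: List[dict]) -> Dict[str, int]:
    """PASS/FAIL counts, i.e. the two numbers a Compliance column would display."""
    counts = {"PASS": 0, "FAIL": 0}
    for f in findings:
        counts[f["posture"]] += 1
    return counts


def filter_findings(findings: List[dict], criticality: Optional[str] = None,
                    posture: Optional[str] = None) -> List[dict]:
    """Narrow findings by criticality and/or posture, as the UI search does."""
    return [f for f in findings
            if (criticality is None or f["criticality"] == criticality)
            and (posture is None or f["posture"] == posture)]


# Constructed sample records, trimmed to the fields the checks read.
SAMPLE_CONTAINERS = {
    "risky": {
        "Config": {"User": ""},
        "HostConfig": {"Privileged": True, "ReadonlyRootfs": False, "SecurityOpt": None},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    "hardened": {
        "Config": {"User": "app:app"},
        "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                       "SecurityOpt": ["no-new-privileges:true"]},
        "Mounts": [{"Type": "volume", "Source": "appdata", "Destination": "/data"}],
    },
}


if __name__ == "__main__":
    for name, record in SAMPLE_CONTAINERS.items():
        findings = assess(record)
        print(name, summarize(findings))
        for f in filter_findings(findings, posture="FAIL"):
            print(f"  FAIL {f['cid']} [{f['criticality']}] {f['statement']}")
```

Run it against real data with `docker inspect <container>` piped into `json.load`; the "risky" record fails all five controls, the "hardened" one passes them all. The checks read only the fields the sensor would capture from the runtime, which is why the assessment can be replayed later on the backend without touching the host again.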

View compliance information

Once this feature is enabled, compliance information appears in the UI for your images and containers. On the Images list and the Containers list, a Compliance column shows the number of controls with a posture of PASS and the number with a posture of FAIL.

Here's a sample list of containers:

[Screenshot: Containers list with the Compliance column]

You can search images and containers by control ID, by control criticality (MINIMAL, MEDIUM, SERIOUS, CRITICAL or URGENT) and by control posture (PASS or FAIL).

[Screenshot: searching by control]

Drill down into the details of any image or container to see its compliance information, including the list of controls that were assessed and, for each, the control details (CID, criticality, statement, category and technologies).

[Screenshot: Compliance tab in the image/container details]

Drill down into any control to see its details, including the control category, the policy it belongs to and the technologies it applies to.

[Screenshot: control details]

Compliance information can also be fetched using the Compliance APIs: fetch the compliance posture for an image or container, fetch the details of a control, or list the available controls. See the Compliance section of the Container Security API Guide for the endpoints and parameters.