Go to Configurations > Sensors, and then click Download Sensor to download the sensor tar file. The following sensor types are available:
- General (Host) Sensor: Scans any host other than a registry or build (CI/CD) host.
- Registry Sensor: Scans images in a registry (public / private). For a Registry sensor, append --registry-sensor or -r to the install command.
- Build (CI/CD) Sensor: Scans images in a CI/CD pipeline (Jenkins / Bamboo). For a CI/CD sensor, append --cicd-deployed-sensor or -c to the install command.
Download the QualysContainerSensor.tar.xz file and run the commands generated directly from the screen on the docker host. Note the requirements for installing the sensor: the sensor needs a minimum of 1 GB persistent storage on the host.
A quick overview of the “installsensor.sh” script command line parameters:
- ActivationId : Activation Id for the container sensor, auto-generated based on your subscription.
- CustomerId : Qualys subscription’s customerId, auto-generated based on your subscription.
- Storage : Directory where the sensor stores its files. Default: /usr/local/qualys/sensor/data. Create it if it does not already exist, or specify a custom directory location [Optional]
- ImageFile : Location of the Sensor ImageFile, defaults to the local directory [Optional]
- LogLevel : Configuration to set the logging level for sensor, accepts 0 to 5 [Optional]
- HostIdSearchDir : Directory to map the marker file created by Qualys Agent or Scanner appliance on the host, update if modified [Optional]
- CpuUsageLimit : CPU usage limit in percentage for the sensor. Valid range is 0-100 [Optional]
- ConcurrentScan : Number of docker/registry asset scans to run in parallel [Optional]
- Proxy : IPv4/IPv6 address or FQDN of the proxy server [Optional]
- ProxyCertFile : Proxy certificate file path [Optional]
  ProxyCertFile applies only if the Proxy has a valid certificate file. If this option is not provided, the sensor tries to connect to the server using only the given HTTPS Proxy settings.
  If only ProxyCertFile is provided without Proxy, the sensor ignores ProxyCertFile and tries to connect to the server without any HTTPS proxy settings.
- --silent or -s : Run installsensor.sh in non-interactive mode [Optional]
- --disable-auto-update : Do not let sensor update itself automatically [Optional]
- --cicd-deployed-sensor or -c : Run Sensor in CI/CD environment
- --registry-sensor or -r : Run sensor to list and scan registry assets
- --enable-console-logs : Print logs on console. These logs can be retrieved using the docker logs command.
- DockerHost : IPv4 address or FQDN:Port#. The address on which the docker daemon is configured to listen [Optional]
- DockerSocketDirectory : Docker socket directory path [Optional]
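
A pre-flight check for the options listed above, as an added example that is not part of the original page or Qualys's own code: it enforces the documented ranges, the 1 GB storage minimum and the Proxy/ProxyCertFile rule before printing the install command. The Key=Value option syntax, the QS_* variable names and the helper functions are assumptions; the command generated on the Download Sensor screen remains authoritative.

```shell
# Added example, not Qualys code. Assumed: Key=Value option syntax, QS_* variable names.
# in_range VALUE MIN MAX: true if VALUE is a non-negative integer within [MIN, MAX]
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}
# has_free_kb DIR KB: true if DIR exists and its filesystem has at least KB free
has_free_kb() {
    [ -d "$1" ] || return 1
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "${avail:-0}" -ge "$2" ]
}
err() { echo "preflight: $1" >&2; }

# build_sensor_args: validate the QS_* variables and print the installer arguments
build_sensor_args() {
    [ -n "$QS_ACTIVATION_ID" ] && [ -n "$QS_CUSTOMER_ID" ] ||
        { err "ActivationId and CustomerId are required"; return 1; }
    storage=${QS_STORAGE:-/usr/local/qualys/sensor/data}    # default from the page
    has_free_kb "$storage" "${QS_MIN_FREE_KB:-1048576}" ||  # 1 GB minimum
        { err "$storage must exist and have 1 GB free"; return 1; }
    args="ActivationId=$QS_ACTIVATION_ID CustomerId=$QS_CUSTOMER_ID Storage=$storage"
    if [ -n "$QS_LOG_LEVEL" ]; then
        in_range "$QS_LOG_LEVEL" 0 5 || { err "LogLevel must be 0 to 5"; return 1; }
        args="$args LogLevel=$QS_LOG_LEVEL"
    fi
    if [ -n "$QS_CPU_LIMIT" ]; then
        in_range "$QS_CPU_LIMIT" 0 100 || { err "CpuUsageLimit must be 0 to 100"; return 1; }
        args="$args CpuUsageLimit=$QS_CPU_LIMIT"
    fi
    if [ -n "$QS_PROXY" ]; then
        args="$args Proxy=$QS_PROXY"
        if [ -n "$QS_PROXY_CERT" ]; then args="$args ProxyCertFile=$QS_PROXY_CERT"; fi
    elif [ -n "$QS_PROXY_CERT" ]; then
        err "ProxyCertFile is ignored without Proxy; omitting it"
    fi
    case "$QS_SENSOR_TYPE" in
        registry) args="$args --registry-sensor" ;;
        cicd)     args="$args --cicd-deployed-sensor" ;;
        general|'') ;;
        *) err "unknown sensor type: $QS_SENSOR_TYPE"; return 1 ;;
    esac
    echo "$args"
}

# Demo with constructed placeholder values; QS_MIN_FREE_KB=0 only so it runs anywhere.
( QS_ACTIVATION_ID=EXAMPLE-ACTIVATION-ID; QS_CUSTOMER_ID=EXAMPLE-CUSTOMER-ID
  QS_STORAGE=/tmp; QS_MIN_FREE_KB=0; QS_LOG_LEVEL=3; QS_SENSOR_TYPE=registry
  echo "./installsensor.sh $(build_sensor_args)" )
```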