Container Runtime Security

Container Runtime Security (CRS) is a separately licensed feature of Container Security. It provides runtime behavior visibility & enforcement capabilities for running containers. This allows customers to address various use cases for running containers around security best practice enforcement, file access monitoring, network access control.

CRS requires instrumentation of container images with the Qualys Container Runtime Instrumentation, which injects probes into the container image. Customers can configure instrumented images, containers with granular policies which govern container behavior, visibility. Based on these runtime enforcement policies - runtime events, telemetry can be viewed obtained from the backend via UI, API.

CRS is not activated by default for existing or new customers. Currently CRS is supported for Linux OS based containers only. If you are interested in this feature, please contact your Qualys Account Manager or Qualys Support.


CRS is a separately licensed feature of Container Security and must be enabled.

Customers need to have at least one host/sensor license for Container Security Scanning capabilities. In addition to this, customers need to be licensed for an appropriate number of containers for CRS. CRS relies on instrumenting a container image with Qualys instrumentation. This allows for in-container behavior visibility and enforcement.

Start Here

Here’s a look at the deployment workflow for Container Runtime Security.

Step 1: Build image, Push to registry, and Scan with registry sensor

You’ll build the image and push it to the registry. Then you must scan the image with the registry sensor. This is a prerequisite for using runtime protection. You’ll need to scan each image you want to instrument.  

Step 2: Deploy the Instrumenter Service in your environment

This is the service that is needed to instrument your images. You’ll deploy this service in your environment. Then when you choose to instrument an image from the Container Security UI, the instrumenter service will be used to pull down the unprotected image, package our solution into it, and then push it back to the registry as a protected image.

Deploy the Instrumenter Service

Step 3: Instrument container images with Qualys instrumentation

After you build the image and push it into the registry, you’ll want to instrument that image with our runtime security solution so that when the image is spun up as a running container it’s protected. Once you have the protected image, you can run the image in your runtime environment as a running container. The alerts and notifications will be sent back to Qualys and you’ll be able to view the events from the UI.

Instrument container images

Step 4: Configure policies and instrumentation

Create runtime policies and then assign a policy to an instrumented image. You’ll also want to set the policy enforcement level (determines whether policy rules are enforced) and select the log mode (determines which policy hits get logged).

About policies

Create policies

Manage policies

Set policy enforcement

Apply policy to instrumented image

Configure instrumentation to select the log mode

Step 5: Run container from instrumented image

When ready, you can spawn containers from the instrumented image. The policy applied to the instrumented image gets enforced on the container and activities are logged as per the selected log mode.

Run container from instrumented image

Step 6: View your events

Runtime events will be listed on the Events tab. Here you can search events and drill-down into event details.

View your events

View event details on dashboard