About the Container Sensor

Qualys Container Sensor is designed for native support of Docker environments. Sensor is packaged and delivered as a Docker Image. Download the image and deploy it as a Container alongside with other application containers on the host.

The sensor is docker based, can be deployed on hosts in your data center or cloud environments like AWS ECS, Azure Container Service or Google Container Service. Sensor currently is only supported on Linux Operating systems like CentOS, Ubuntu, RHEL, Debian and requires docker daemon of version 1.12 and higher to be available.

Since they are docker based, the sensor can be deployed into orchestration tool environments like Kubernetes, Mesos or Docker Swarm just like any other application container.

Upon installation, the sensor does automatic discovery of Images and Containers on the deployed host, provides a vulnerability analysis of them, and additionally it monitors and reports on the docker related events on the host. The sensor container runs in non-privileged mode. It requires a persistent storage for storing and caching files.

Currently, the sensor only scans Images and Containers, for getting a vulnerability posture on the Host, you would require Qualys Cloud Agents or a scan through Qualys Virtual Scanner Appliance. Currently doesn’t do inventory collection specific to orchestration tools and identifies the nodes/slaves as just docker hosts.

Note: Qualys Container Security does not support scanning images in Docker-in-Docker setup as the sensor cannot listen to events generated by the inner Docker.

What data does the Container Sensor collect?

The Qualys Container Security sensor fetches the following information about Images and Containers in your environment:

- Inventory of Images and Containers in your environment from commands such as docker ps that lists all containers.

- Metadata information about Images and Containers from commands such as docker inspect and docker info that fetches low level information on docker objects.

- Event information about Images and Containers from the docker host for docker events like created, started, killed, push, pull, etc.

- Vulnerabilities found on Images and Containers. This is the output of the vulnerability management manifests run for identifying vulnerability information in Images and Containers. This is primarily software package listing, services running, ports, etc.

For example, package manager outputs like rpm -qa, npm. This is supported across various Linux distributions (CentOS, Ubuntu, CoreOS, etc) and across images like Python, NodeJS, Ruby, and so on.

Looking for more information?

System support

Installing Sensors

Sensor network configuration

Proxy Support

Sensor updates

Installing the sensor on a MAC

Installing the sensor on CoreOS

Deploying Sensor in Orchestrators and Cloud Environments