Qualys released QScanner – a console vulnerability scanner for container images. Feed it an image and get a list of vulnerabilities (a la Trivy).
It supports:
“Local Runtimes: Scan images from Docker, Containerd, or Podman.
Local Archives: Analyze Docker images or OCI layouts from local files.
Remote Registries: Connect to AWS ECR, Azure Container Registry, JFrog, GHCR, and more.”
Capabilities:
🔹 Detects OS package vulnerabilities
🔹 Software Composition Analysis (SCA) for Ruby, Rust, PHP, Java, Go, Python, .NET and Node.js applications.
🔹 Detects secrets (passwords, API keys and tokens)
But it’s not free. 🤷♂️💸🙂 All cases, except SBOM generation, require ACCESS_TOKEN and Platform POD. QScanner is the interface of Qualys Container Security module.
It can be used for:
🔸 scanning local images on developers’ desktops
🔸 integration into CI/CD pipelines
🔸 integration with registries
The concept is interesting. 👍
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.