Qualys released QScanner – a console vulnerability scanner for container images. Feed it an image and get a list of vulnerabilities (a la Trivy).
It supports:
“Local Runtimes: Scan images from Docker, Containerd, or Podman.
Local Archives: Analyze Docker images or OCI layouts from local files.
Remote Registries: Connect to AWS ECR, Azure Container Registry, JFrog, GHCR, and more.”
Capabilities:
🔹 Detects OS package vulnerabilities
🔹 Software Composition Analysis (SCA) for Ruby, Rust, PHP, Java, Go, Python, .NET and Node.js applications.
🔹 Detects secrets (passwords, API keys and tokens)
But it’s not free. 🤷♂️💸🙂 All cases, except SBOM generation, require ACCESS_TOKEN and Platform POD. QScanner is the interface of Qualys Container Security module.
It can be used for:
🔸 scanning local images on developers’ desktops
🔸 integration into CI/CD pipelines
🔸 integration with registries
The concept is interesting. 👍