# How to Prevent NPM Supply Chain Attacks in CI/CD Pipelines with Container Security

Source: Qualys Blog, product-tech category (https://blog.qualys.com/category/product-tech), record id QUALYSBLOG:0356815023E672964B78882FEB49F766
Published: 2025-10-06. Mirrored at https://zero.redgem.net/?p=20362 (category: News).

## Introduction

Containerized applications power the backbone of modern software delivery. But with speed comes risk. Vulnerabilities and embedded secrets can slip through the cracks long before they hit production. The result? Alert fatigue, noisy false positives, and critical exposures that disrupt sprints and delay releases. That's why Qualys is introducing a new Pipeline Integration capability for **Qualys Container Security (KCS)**, also available with **Qualys TotalCloud**, giving teams the ability to identify and address issues in real time within their CI/CD workflows. For organizations already using **Qualys VMDR**, this is a game-changer: the same trusted vulnerability management capabilities you rely on for endpoints and servers are now integrated into your container security pipeline.

Unlike other market solutions that only detect issues and may create noise, Qualys KCS with QScanner goes beyond detection to provide **actionable vulnerability and secret scanning** directly in your GitHub CI pipeline. Qualys prioritizes risks using 25+ threat feeds, including VMDR, together with research from the Qualys Threat Research Unit (TRU). This lets developers and security teams work together on fixing the higher-priority risks first.

This means developers and security teams can stop chasing noisy alerts after deployment and start preventing risky code from ever leaving the build stage. With security embedded without slowing down builds, you reduce operational overhead, cut down on rework, and align security with your development velocity, all in a single, unified solution that integrates with your existing Qualys ecosystem.

## The Case of the NPM Supply Chain Attack

The Node Package Manager (NPM) is the default package manager for the Node.js JavaScript runtime. It is an essential tool for JavaScript developers, letting them share and manage code packages efficiently. On **September 8, 2025**, attackers compromised 18 widely used NPM packages, including _chalk_, _debug_, _ansi-styles_, and _strip-ansi_, which are collectively downloaded **2.6 billion times per week**. The malicious versions contained obfuscated JavaScript designed to intercept cryptocurrency transactions. The attack was stealthy, scalable, and devastating.

Organizations unknowingly pulled these poisoned packages into their builds, shipping tainted code into production environments.

This incident wasn't just a wake-up call; it was a **blueprint for how fragile modern software supply chains can be**.

## Enter QScanner: Your CI Pipeline's First Line of Defense

For many modern teams, security often comes _after_ the build is done, in post-deployment scans or manual reviews. But by then, it's often too late or too expensive to fix. What you really need is a way to **"shift left"**. That's where **QScanner** comes in. Let's say you have a build process where:

  * Source code is compiled via **GitHub Actions**.
  * A container image is built as a **pipeline artifact**.
  * This image is pushed to a registry (Docker Hub, ECR, GCR, etc.).

**But before pushing**, you want to ensure:

  * There are **no known vulnerabilities** in the OS packages or application dependencies.
  * The image doesn't contain **hardcoded secrets** (e.g., API keys, passwords).
  * The image **meets your organization's security policies**.

This step is critical because fixing vulnerabilities or removing secrets after deployment, or missing several findings and resolving the wrong ones, is not only costlier but also widens your organization's exposure window.

## Integration with GitHub Actions

### Scan the Image with QScanner in GitHub

Before you invoke QScanner to scan your container image, your GitHub Actions pipeline needs to perform some foundational steps. These steps ensure that a **valid, scannable image** is available, and that it is built consistently in a way that QScanner can analyze effectively.

Here's what needs to happen, from the build through to uploading the report:

  1. Build your code.
  2. Generate the build artifact: a container image.
  3. Download the QScanner binary.
  4. Scan the generated image with QScanner. QScanner can scan either an image present in the local container runtime (e.g. Docker) or an image tar archive.
  5. Get the vulnerabilities.
  6. Generate a GitHub Actions-compliant SARIF report. QScanner generates this report by default, along with a summarized tabular report.
  7. Upload the SARIF report via codeql-action.

![](https://ik.imagekit.io/qualys/wp-content/uploads/2025/10/workflow-yaml-example.jpg)_Fig. Configuring GitHub Actions to execute QScanner_

### Detect vulnerabilities

When you integrate **QScanner with GitHub Actions** and output results in **SARIF format**, your findings don't just stay in logs; they're surfaced directly in GitHub's **Security** tab under **Code scanning alerts**.

This is where **security meets developer workflow**. Instead of forcing developers to learn new tools or switch contexts, QScanner brings the insights directly into the GitHub environment they already use every day.

### Where to find it

In your GitHub repository:

  1. Go to the **Security** tab.
  2. Click **Code scanning alerts**.

Here, GitHub displays a **centralized list of issues** detected during your builds, including:

  * CVEs (vulnerabilities in packages/libraries)
  * Secrets (tokens, credentials, keys)
  * File locations and line-level context
  * Severity and actionable remediation guidance

![](https://ik.imagekit.io/qualys/wp-content/uploads/2025/10/Scan-results-on-GitHub-UI.jpg)_Fig. Viewing vulnerabilities natively in GitHub Actions_

## Scan for Embedded Secrets

When you run QScanner with `--scan-types pkg,secret`, it also scans your container image's filesystem for **exposed credentials**. It uses 85+ system detectors and supports custom rules to flag secrets such as:

  * AWS keys
  * Database credentials
  * API tokens
  * SSH keys, and more

Found something sensitive? The report shows **exact file paths and line context** so you can fix it before it leaves your CI/CD environment. Catching these issues early not only prevents security incidents but also helps maintain compliance with internal policies and industry regulations.

![](https://ik.imagekit.io/qualys/wp-content/uploads/2025/10/Secret-detectors-UI.jpg)_Fig. Secret detectors can be configured from the UI._

## Enforce Policies with Centralized Evaluation

Want to **automate enforcement** across teams or builds? Run QScanner with `--mode evaluate-policy`. You can define **custom policy rules** in the Qualys platform, for example:

  * Block any image with Critical or High vulnerabilities
  * Flag images containing secrets
  * Enforce a Qualys Detection Score (QDS) threshold

These rules are evaluated automatically by the **Qualys Centralized Policy Engine**, and the results are available in the QScanner console. Depending on the outcome of the policy evaluation, you can pass or fail the build. This kind of automated governance ensures consistent enforcement of your organization's security standards across every repository and every team, without manual intervention.

![](https://ik.imagekit.io/qualys/wp-content/uploads/2025/10/Policy-rules.jpg)_Fig. Configuring a centralized policy to block specific QIDs_

![](https://ik.imagekit.io/qualys/wp-content/uploads/2025/10/cicd-deny.jpg)_Fig. QScanner failing during execution because of a policy evaluation failure_

![](https://ik.imagekit.io/qualys/wp-content/uploads/2025/10/CICD-Events-UI.jpg)_Fig. CI/CD events can be viewed in the UI to see the details of the failure._

![](https://ik.imagekit.io/qualys/wp-content/uploads/2025/10/image-2.png)_Fig. Details of the QID in the Knowledge Base_

## Why QScanner belongs in your CI/CD

Integrating QScanner into your CI/CD pipelines offers more than just scanning: it delivers intelligent, real-time security feedback that keeps your container images safe from the start. With this integration, you gain:

  * **Shift-left security**: Detect vulnerabilities and secrets _before_ they reach production
  * **Policy enforcement**: Block non-compliant images automatically with QDS thresholds and central policy rules
  * **Native developer experience**: QScanner's SARIF output integrates directly into GitHub's UI, with no extra tools, log parsing or dashboards
  * **Inline PR visibility**: Developers see vulnerabilities and secrets right in pull requests, with file paths and context
  * **Security and development alignment**: Security gates become part of the dev workflow, not an afterthought
  * **Automation made simple**: Use GitHub's built-in actions to upload reports and enforce quality gates in just a few lines of YAML
  * **DevSecOps alignment** without slowing down builds
  * **Risk-based prioritization** using QDS
  * **Faster remediation**: Clear, prioritized findings help developers fix issues quickly and confidently
  * **Cleaner, safer container images** in every release

With **QScanner and GitHub Actions**, you turn your CI pipeline into a **first line of defense**, ensuring every image your team builds is secure, compliant, and production-ready.

Ready to embed security directly into your workflows? Learn more about QScanner at https://docs.qualys.com/en/qscanner/release-notes/qscanner/qscanner_introduction.htm

## Final Takeaway

The new QScanner integration with GitHub Actions is more than just another scan step in your CI/CD pipeline; it's a critical shift-left capability that lets you catch vulnerabilities, embedded secrets, and policy violations before they ever become production issues. By leveraging Qualys' deep vulnerability intelligence and centralized policy enforcement, DevSecOps teams can work in harmony with security teams to optimize efforts and outcomes. They can move fast without sacrificing security, all while reducing noise and focusing on truly actionable findings.

Whether you're already a Qualys VMDR customer looking to extend trusted protection into your container workflows or you're evaluating solutions that truly align security with developer velocity, QScanner with GitHub CI integration delivers a clear advantage over point tools. Start building cleaner, safer container images today, and see how easy it can be to secure your software supply chain from the inside out.

Supply chain attacks are no longer rare; they're inevitable. The question isn't _if_ your pipeline will be targeted, but _when_. With QScanner embedded in your CI/CD workflows, you gain the visibility, intelligence, and automation needed to **catch threats before they ship**. Don't wait for the next NPM-style compromise. Shift left with QScanner, and secure your software supply chain from the inside out.

* * *

**Schedule a call with a Qualys Cloud Security technical expert to learn more.**