What’s New in Qualys Container Security 1.44: Extending Risk Visibility Across Serverless, Source Code, AI Workloads, and Runtime

Abhinav Mishra

Modern application environments are no longer limited to container images and running workloads. Teams are building with serverless functions, source code repositories, AI packages, model artifacts, MCP servers, third-party dependencies, and rapidly changing runtime behavior.

With Qualys Container Security 1.44.0, we are expanding container and cloud-native security visibility across more of the application lifecycle, from code and serverless workloads to runtime DNS activityAI-related container insightssensitive data detection, and more granular reporting controls.

This release helps security and DevOps teams identify risk earlier, investigate faster, and prioritize remediation using the Qualys Enterprise TruRisk™ Platform.

Automated Scanning for AWS Lambda Functions

Container Security 1.44 introduces automated scanning for AWS Lambda functions, enabling continuous security assessment of serverless workloads without manual intervention.

As organizations increasingly use serverless architectures to power cloud-native and AI-driven applications, security teams need visibility into functions as they are created and updated. With this release, Lambda functions can be automatically discovered and scanned, with results submitted back to the Qualys Enterprise TruRisk™ Platform.

Key capabilities include:

  • Automated discovery and initial scanning of Lambda functions
  • Event-driven scanning when functions are newly created or updated
  • Cross-account and multi-region support
  • Reduced operational overhead through event-driven automation
  • Developer-driven scanning of individual Lambda functions using QScanner

This helps teams maintain up-to-date visibility into serverless risk across distributed AWS environments. The Cloud Formation templates can be accessed through the Serverless tab under Configurations

Figure 1: Lambda Listing

Upon scanning, serverless Lambda functions can be viewed under assets. 

Figure 2: Lamda Function Listing

Code Repository Scanning Now Available in Beta

Security teams can now extend visibility earlier into the development lifecycle with Code Repository Scanning, available in Beta.

A new Code tab under Assets provides centralized visibility into scanned repositories, including repository name, branch and commit details, commit author, scan timestamps, repository-level TruRisk™ Score, vulnerability summary, and compliance summary.

Figure 3: Code Scan

Teams can drill into repository details to review:

  • Source information
  • TruRisk™ Score
  • Vulnerability findings
  • Installed software inventory
  • Associated container images
  • Compliance results
  • Evidence and remediation guidance for compliance findings
Figure 4: Repo Details

This enables security and engineering teams to identify vulnerabilities, software dependency risk, and compliance issues earlier, before they are packaged into container images or deployed into production.

For customers using TotalAI, compliance scanning can also help evaluate non-compliance in code used to build AI agents.

Expanded Container Compliance Scanning

Container Security 1.44 expands compliance scanning for running containers by adding support for static scanning. This release includes updates to the latest CIS Docker 1.7 benchmark, introduces new compliance checks, enhances scoring classification, and adds a new compliance posture state: Skipped.

The new Skipped state helps improve reporting accuracy by distinguishing failed evaluations from controls that cannot be evaluated when limited data is available.

Additional updates include:

  • New CIS for Docker controls
  • Removal of deprecated controls
  • Simplified criticality classification
  • Updated compliance posture reporting

Customers interested in enabling static compliance scanning for running containers should contact Qualys Customer Support.

Simplified Criticality Levels

Criticality levels have been simplified and consolidated to improve clarity. Ensure that any automation or validation scripts that rely on the existing criticality levels are updated accordingly.

Previous ClassificationNew Classification
MINIMALLOW
MEDIUM, SERIOUSMEDIUM
CRITICAL, URGENTHIGH

Figure 5: Container Compliance

New Attack Paths for Shadow AI and EOL/EOS Software

Container Security 1.44 introduces 16 new Insights and Attack Paths to help teams identify emerging risks across AI and cloud-native environments.

These new insights improve visibility into:

  • End-of-life software
  • End-of-support software
  • AI and machine learning packages
  • AI models
  • Model Context Protocol, or MCP, servers

The new insights help security teams identify toxic combinations of risk, such as publicly exposed containers running AI models or MCP servers, containers with excessive cloud permissions, containers with secrets, and containers with critical exploitable vulnerabilities.

As enterprises adopt AI-native applications, these insights give security teams a clearer way to identify where modern AI components intersect with traditional container risk.

Figure 6: AI Attack path

Runtime DNS Events for Faster Threat Investigation

Qualys Container Security now expands runtime visibility with DNS Events collected through the Container Runtime eBPF Sensor. Security teams can view DNS activity under:

Container Security > Events > Runtime > DNS Events

The new DNS Events view provides visibility into domain name resolution activity initiated by running containers. Events include timestamp, DNS activity type, source and destination IPs and ports, queried hostname, request status, initiating process, command-line details, and Kubernetes namespace.

This enables teams to:

  • Correlate DNS activity with container, process, and namespace context
  • Investigate external communication patterns
  • Attribute DNS requests to specific workloads and processes
  • Better understand runtime network behavior

Together with existing process and file events, DNS visibility strengthens runtime detection and investigation workflows.

Figure 7: DNS Events

Expanded Label-Based Filtering for Kubernetes Workloads

Container Security 1.44 enhances label-based filtering across Kubernetes environments, making it easier to discover, organize, and analyze workloads at scale.

Label-based filtering is now extended across:

  • Pod labels
  • Namespace labels
  • Cluster labels
  • Node labels for Red Hat OpenShift clusters

These labels are mapped to container entities, helping teams filter containers using Kubernetes metadata and better align views to ownership, environment, application, namespace, or operational structure.

Optimized Image Scanning When Configurations Change

Previously, images were re-scanned whenever the image content changed. With Container Security 1.44, images are now automatically re-scanned when relevant scan configurations are updated. This means scan results can reflect the latest enabled policies and settings across:

  • Vulnerability scanning
  • Compliance scanning
  • Malware scanning
  • Sensitive data scanning

This helps ensure image findings remain aligned to the customer’s current security and compliance configuration.

Enhanced SCA Visibility and Reporting Controls

Container Security 1.44 introduces new controls for managing Software Composition Analysis, or SCA, vulnerability visibility.

A new Include SCA Vulnerabilities toggle is available on the Images and Containers asset pages, allowing teams to compare vulnerability counts with and without SCA findings. Note that this will not affect the collection of SCA vulnerabilities. It simply enables the user to toggle between seeing all vulnerabilities versus only OS Vulnerabilities.

Reporting has also been enhanced so teams can choose whether to include or exclude SCA vulnerabilities when creating reports. This gives customers greater flexibility to tailor reporting for different audiences, including security teams, compliance teams, developers, and leadership.

Figure 8: SCA Vulnerabilities Toggle

Additionally, a new sensor profile option allows customers to configure whether SCA data is collected during scans by the General Sensor or Registry Sensor (qcs-sensor).

Figure 9: Scan Settings

Separate Scan Status for Registry Scans

Registry scan transparency is improved with separate status tracking for each configured scan type. Container Security now tracks scan status individually for:

  • Vulnerabilities
  • Compliance findings
  • Sensitive data
  • Malware

Each scan type includes its own status and error details. Scan types that are not enabled are clearly marked as Not Configured. The overall scan job status is now derived from the combined outcome of all configured scan types, resulting in clearer states such as Completed, Failed, Partially Completed, and In Progress.

This makes it easier to troubleshoot scan issues, validate configured scan types, and understand why specific results may or may not be available.

Secret Detection Renamed to Sensitive Data Detection

With Container Security 1.44, Secret Detection is renamed to Sensitive Data Detection to reflect expanded capabilities. Sensitive Data Detection now supports broader DSPM use cases, including detection of:

  • PII
  • PCI data
  • PHI

This release also introduces enhanced rule metadata, improved detection precision, exception rules, content exclusions, stronger validation, and better reliability across re-scans.

Customers can also filter container images by detected sensitive data category using the new QQL token:

container.image.hasSensitiveDataCategory

These enhancements help reduce false positives, improve scan efficiency, and support more accurate sensitive data risk visibility in container images.

Google Container Registry Deprecation

Starting with Container Security 1.44, Google Container Registry, or GCR, is deprecated and no longer available as a selectable registry type in the Create New Registry workflow.

Existing GCR integrations remain supported through Qualys Container Security APIs. Customers can continue to scan previously onboarded GCR images and access historical GCR scan data.

For all new Google registry integrations and scanning needs, customers should transition to Google Artifact Registry, which is fully supported and available in the registry selection workflow.

Summary

Container Security 1.44 expands Qualys cloud-native security coverage across the modern application lifecycle.

With this release, customers gain:

  • Automated AWS Lambda scanning for serverless workloads
  • Code Repository Scanning in Beta
  • Expanded static compliance scanning for containers
  • New AI, MCP, EOL, and EOS insights
  • Runtime DNS Events powered by the eBPF Sensor
  • Improved Kubernetes label-based filtering
  • Smarter image re-scanning based on configuration changes
  • Enhanced SCA visibility and reporting controls
  • More granular registry scan status tracking
  • Expanded Sensitive Data Detection and DSPM capabilities
  • Alignment with Google Artifact Registry for new Google registry integrations

Together, these capabilities help organizations secure cloud-native applications from code to cloud to runtime with the context, prioritization, and risk visibility of the Qualys Enterprise TruRisk™ Platform.

Share your Comments

Comments

Your email address will not be published. Required fields are marked *