What’s New in Qualys Container Security 1.44: Extending Risk Visibility Across Serverless, Source Code, AI Workloads, and Runtime
Table of Contents
- Automated Scanning for AWS Lambda Functions
- Code Repository Scanning Now Available in Beta
- Expanded Container Compliance Scanning
- New Attack Paths for Shadow AI and EOL/EOS Software
- Runtime DNS Events for Faster Threat Investigation
- Expanded Label-Based Filtering for Kubernetes Workloads
- Optimized Image Scanning When Configurations Change
- Enhanced SCA Visibility and Reporting Controls
- Separate Scan Status for Registry Scans
- Secret Detection Renamed to Sensitive Data Detection
- Google Container Registry Deprecation
- Summary
Modern application environments are no longer limited to container images and running workloads. Teams are building with serverless functions, source code repositories, AI packages, model artifacts, MCP servers, third-party dependencies, and rapidly changing runtime behavior.
With Qualys Container Security 1.44.0, we are expanding container and cloud-native security visibility across more of the application lifecycle, from code and serverless workloads to runtime DNS activity, AI-related container insights, sensitive data detection, and more granular reporting controls.
This release helps security and DevOps teams identify risk earlier, investigate faster, and prioritize remediation using the Qualys Enterprise TruRisk™ Platform.
Automated Scanning for AWS Lambda Functions
Container Security 1.44 introduces automated scanning for AWS Lambda functions, enabling continuous security assessment of serverless workloads without manual intervention.
As organizations increasingly use serverless architectures to power cloud-native and AI-driven applications, security teams need visibility into functions as they are created and updated. With this release, Lambda functions can be automatically discovered and scanned, with results submitted back to the Qualys Enterprise TruRisk™ Platform.
Key capabilities include:
- Automated discovery and initial scanning of Lambda functions
- Event-driven scanning when functions are newly created or updated
- Cross-account and multi-region support
- Reduced operational overhead through event-driven automation
- Developer-driven scanning of individual Lambda functions using QScanner
This helps teams maintain up-to-date visibility into serverless risk across distributed AWS environments. The Cloud Formation templates can be accessed through the Serverless tab under Configurations.

Upon scanning, serverless Lambda functions can be viewed under assets.

Code Repository Scanning Now Available in Beta
Security teams can now extend visibility earlier into the development lifecycle with Code Repository Scanning, available in Beta.
A new Code tab under Assets provides centralized visibility into scanned repositories, including repository name, branch and commit details, commit author, scan timestamps, repository-level TruRisk™ Score, vulnerability summary, and compliance summary.

Teams can drill into repository details to review:
- Source information
- TruRisk™ Score
- Vulnerability findings
- Installed software inventory
- Associated container images
- Compliance results
- Evidence and remediation guidance for compliance findings

This enables security and engineering teams to identify vulnerabilities, software dependency risk, and compliance issues earlier, before they are packaged into container images or deployed into production.
For customers using TotalAI, compliance scanning can also help evaluate non-compliance in code used to build AI agents.
Expanded Container Compliance Scanning
Container Security 1.44 expands compliance scanning for running containers by adding support for static scanning. This release includes updates to the latest CIS Docker 1.7 benchmark, introduces new compliance checks, enhances scoring classification, and adds a new compliance posture state: Skipped.
The new Skipped state helps improve reporting accuracy by distinguishing failed evaluations from controls that cannot be evaluated when limited data is available.
Additional updates include:
- New CIS for Docker controls
- Removal of deprecated controls
- Simplified criticality classification
- Updated compliance posture reporting
Customers interested in enabling static compliance scanning for running containers should contact Qualys Customer Support.
Simplified Criticality Levels
Criticality levels have been simplified and consolidated to improve clarity. Ensure that any automation or validation scripts that rely on the existing criticality levels are updated accordingly.
| Previous Classification | New Classification |
| MINIMAL | LOW |
| MEDIUM, SERIOUS | MEDIUM |
| CRITICAL, URGENT | HIGH |

New Attack Paths for Shadow AI and EOL/EOS Software
Container Security 1.44 introduces 16 new Insights and Attack Paths to help teams identify emerging risks across AI and cloud-native environments.
These new insights improve visibility into:
- End-of-life software
- End-of-support software
- AI and machine learning packages
- AI models
- Model Context Protocol, or MCP, servers
The new insights help security teams identify toxic combinations of risk, such as publicly exposed containers running AI models or MCP servers, containers with excessive cloud permissions, containers with secrets, and containers with critical exploitable vulnerabilities.
As enterprises adopt AI-native applications, these insights give security teams a clearer way to identify where modern AI components intersect with traditional container risk.

Runtime DNS Events for Faster Threat Investigation
Qualys Container Security now expands runtime visibility with DNS Events collected through the Container Runtime eBPF Sensor. Security teams can view DNS activity under:
Container Security > Events > Runtime > DNS Events
The new DNS Events view provides visibility into domain name resolution activity initiated by running containers. Events include timestamp, DNS activity type, source and destination IPs and ports, queried hostname, request status, initiating process, command-line details, and Kubernetes namespace.
This enables teams to:
- Correlate DNS activity with container, process, and namespace context
- Investigate external communication patterns
- Attribute DNS requests to specific workloads and processes
- Better understand runtime network behavior
Together with existing process and file events, DNS visibility strengthens runtime detection and investigation workflows.

Expanded Label-Based Filtering for Kubernetes Workloads
Container Security 1.44 enhances label-based filtering across Kubernetes environments, making it easier to discover, organize, and analyze workloads at scale.
Label-based filtering is now extended across:
- Pod labels
- Namespace labels
- Cluster labels
- Node labels for Red Hat OpenShift clusters
These labels are mapped to container entities, helping teams filter containers using Kubernetes metadata and better align views to ownership, environment, application, namespace, or operational structure.
Optimized Image Scanning When Configurations Change
Previously, images were re-scanned whenever the image content changed. With Container Security 1.44, images are now automatically re-scanned when relevant scan configurations are updated. This means scan results can reflect the latest enabled policies and settings across:
- Vulnerability scanning
- Compliance scanning
- Malware scanning
- Sensitive data scanning
This helps ensure image findings remain aligned to the customer’s current security and compliance configuration.
Enhanced SCA Visibility and Reporting Controls
Container Security 1.44 introduces new controls for managing Software Composition Analysis, or SCA, vulnerability visibility.
A new Include SCA Vulnerabilities toggle is available on the Images and Containers asset pages, allowing teams to compare vulnerability counts with and without SCA findings. Note that this will not affect the collection of SCA vulnerabilities. It simply enables the user to toggle between seeing all vulnerabilities versus only OS Vulnerabilities.
Reporting has also been enhanced so teams can choose whether to include or exclude SCA vulnerabilities when creating reports. This gives customers greater flexibility to tailor reporting for different audiences, including security teams, compliance teams, developers, and leadership.

Additionally, a new sensor profile option allows customers to configure whether SCA data is collected during scans by the General Sensor or Registry Sensor (qcs-sensor).

Separate Scan Status for Registry Scans
Registry scan transparency is improved with separate status tracking for each configured scan type. Container Security now tracks scan status individually for:
- Vulnerabilities
- Compliance findings
- Sensitive data
- Malware
Each scan type includes its own status and error details. Scan types that are not enabled are clearly marked as Not Configured. The overall scan job status is now derived from the combined outcome of all configured scan types, resulting in clearer states such as Completed, Failed, Partially Completed, and In Progress.
This makes it easier to troubleshoot scan issues, validate configured scan types, and understand why specific results may or may not be available.
Secret Detection Renamed to Sensitive Data Detection
With Container Security 1.44, Secret Detection is renamed to Sensitive Data Detection to reflect expanded capabilities. Sensitive Data Detection now supports broader DSPM use cases, including detection of:
- PII
- PCI data
- PHI
This release also introduces enhanced rule metadata, improved detection precision, exception rules, content exclusions, stronger validation, and better reliability across re-scans.
Customers can also filter container images by detected sensitive data category using the new QQL token:
container.image.hasSensitiveDataCategory
These enhancements help reduce false positives, improve scan efficiency, and support more accurate sensitive data risk visibility in container images.
Google Container Registry Deprecation
Starting with Container Security 1.44, Google Container Registry, or GCR, is deprecated and no longer available as a selectable registry type in the Create New Registry workflow.
Existing GCR integrations remain supported through Qualys Container Security APIs. Customers can continue to scan previously onboarded GCR images and access historical GCR scan data.
For all new Google registry integrations and scanning needs, customers should transition to Google Artifact Registry, which is fully supported and available in the registry selection workflow.
Summary
Container Security 1.44 expands Qualys cloud-native security coverage across the modern application lifecycle.
With this release, customers gain:
- Automated AWS Lambda scanning for serverless workloads
- Code Repository Scanning in Beta
- Expanded static compliance scanning for containers
- New AI, MCP, EOL, and EOS insights
- Runtime DNS Events powered by the eBPF Sensor
- Improved Kubernetes label-based filtering
- Smarter image re-scanning based on configuration changes
- Enhanced SCA visibility and reporting controls
- More granular registry scan status tracking
- Expanded Sensitive Data Detection and DSPM capabilities
- Alignment with Google Artifact Registry for new Google registry integrations
Together, these capabilities help organizations secure cloud-native applications from code to cloud to runtime with the context, prioritization, and risk visibility of the Qualys Enterprise TruRisk™ Platform.