Bringing Continuous Assessment to Harbor: Scan on Push, Stay Secure Over Time
Key Takeaways
- Harbor environments often run separate scanners, such as Trivy at build time and Qualys at runtime, leading to repeated full-image rescans across hundreds of thousands of images and increasing compute usage, scan time, and operational costs.
- Integrating QScanner with Harbor eliminates redundant rescanning by using SBOM-based continuous assessment, removing the need to repeatedly pull and reprocess container images.
- This shift significantly reduces infrastructure load on registries and cloud environments, lowering CPU, storage I/O, and network egress costs tied to large-scale scanning operations.
- By consolidating scanning workflows into a single system, security teams spend less time managing scan overhead and more time executing remediation, improving overall efficiency at scale.
DevSecOps harmony exists when development and security teams operate on a shared definition of risk using consistent data, identifiers, and prioritization logic across the lifecycle. In most container environments, this breaks early because build-time and runtime decisions rely on different tools and scoring systems.
This disconnect forces teams to reconcile findings rather than act on them, delaying remediation and fragmenting accountability. This blog shows how integrating Qualys QScanner as a Harbor scanner adapter creates a unified vulnerability model from registry to runtime, so both teams identify, prioritize, and remediate the same risks without translation overhead and with greater efficiency.
Scan Once, Stay Secure: A Better Developer Experience for Container Security
For many teams running Harbor today, security starts in the right place: at image push.
Developers build an image, push it to the registry, and Trivy scans it immediately. Policies can block promotion. Guardrails are enforced early. On paper, this is exactly what “shift-left” promised. But at scale, the model starts to break.
Because the real problem isn’t scanning. It’s everything that comes after.
The Hidden Cost of Shift-Left
Shift-left assumes that scanning at push is enough to keep you secure. In reality, it’s only a point-in-time answer. Vulnerabilities are constantly evolving, and new CVEs are disclosed every day. That means an image scanned yesterday can already be outdated today, even if nothing in the image itself has changed.
So, what happens next? Teams rescan. The same image gets pulled again, the same layers get unpacked again, and the same analysis runs again. Nothing about the artifact changed—only the vulnerability database did.
At a small scale, this is manageable. At enterprise scale—tens or hundreds of thousands of images—it becomes a constant loop of redundant work. Pipelines get heavier over time, registry and compute resources get strained, and cloud egress costs increase from repeated pulls. Eventually, teams start making tradeoffs:
- Scanning less frequently
- Batching scans
- Moving to scan-on-pull
All of these tradeoffs degrade the developer experience.
What the QScanner Integration Solves
This integration is built for a very practical problem: How do you maintain strong image security in Harbor without creating constant rework for developers and platform teams?
QScanner changes that equation. It allows teams to keep the on-push workflow they already rely on in Harbor, while dramatically reducing the repeated effort required to maintain visibility over time. The result is a better developer experience, lower operational overhead, and a model that scales much more cleanly across large container environments.
This is the shift from one-time shift-left to continuous fix-left. The goal is not simply to find issues earlier. The goal is to reduce the total amount of work required to stay secure.
How QScanner Works with Harbor
When integrated as the Harbor scanner adapter, QScanner performs the initial scan when an image is pushed, just as teams expect. But instead of treating that scan as a one-time event, Qualys turns it into the starting point for continuous assessment.
On the first scan, QScanner generates a Software Bill of Materials (SBOM) for the image and sends it to the Qualys backend. From there, Qualys continuously re-evaluates that particular SBOM as vulnerability intelligence is updated. When new vulnerabilities are published, the system can determine whether the image is affected without pulling the image again or rerunning the full scan pipeline.
That architecture matters. It means the image is scanned once, but visibility continues to improve over time. Teams do not have to repeatedly pull the same artifact, reprocess the same layers, and spend the same compute cycles simply because the vulnerability database changed. They keep the immediate feedback loop of scanning on push, but without the long-term penalty of endless rescanning.
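The scan-once, reassess-on-feed-update model described above, as an added illustrative example that is not QScanner's or Harbor's code: the SBOM, the vulnerability entries (CVE IDs, QIDs and QDS values) and the image name are constructed, and the version comparison is a naive stand-in for real ecosystem-aware matching.

```python
"""Constructed model of scan-once / reassess-continuously. Not QScanner's or
Harbor's code: SBOM is a package->version map, feed is a hand-built list."""
from dataclasses import dataclass, field

def parse_version(v: str) -> tuple:
    # Naive dotted-numeric compare; real scanners use ecosystem-specific rules.
    return tuple(int(p) for p in v.split("."))

@dataclass
class Vuln:
    cve: str       # constructed identifiers, not real advisories
    qid: int       # Qualys-style ID, constructed value
    qds: int       # detection score 0-100, constructed value
    package: str
    fixed_in: str  # versions below this are affected

@dataclass
class Assessment:
    image: str
    sbom: dict
    image_pulls: int = 0
    findings: list = field(default_factory=list)

def scan_on_push(image: str, packages: dict) -> Assessment:
    """Push-time scan: the only step that pulls the image and builds the SBOM."""
    return Assessment(image=image, sbom=dict(packages), image_pulls=1)

def reassess(a: Assessment, feed: list) -> list:
    """Match the stored SBOM against the current feed; no pull, no layer unpack."""
    a.findings = [v for v in feed if v.package in a.sbom
                  and parse_version(a.sbom[v.package]) < parse_version(v.fixed_in)]
    return a.findings

def block_promotion(findings: list, qds_threshold: int) -> bool:
    """Push-time policy gate modelled on a QDS threshold."""
    return any(v.qds >= qds_threshold for v in findings)

# Constructed SBOM and two feed snapshots; the image never changes between them.
IMAGE_SBOM = {"openssl": "3.0.1", "zlib": "1.2.13", "curl": "8.1.0"}
FEED_DAY1 = [Vuln("CVE-0000-0001", 900001, 45, "zlib", "1.2.14")]
FEED_DAY2 = FEED_DAY1 + [Vuln("CVE-0000-0002", 900002, 85, "openssl", "3.0.5")]

def demo() -> tuple:
    a = scan_on_push("registry.example/app:1.0", IMAGE_SBOM)
    day1 = [v.cve for v in reassess(a, FEED_DAY1)]
    day2 = [v.cve for v in reassess(a, FEED_DAY2)]  # new CVE found, still 1 pull
    return a.image_pulls, day1, day2, block_promotion(a.findings, 70)
```

Running `demo()` shows the second feed snapshot surfacing the new finding from the stored SBOM while the pull counter stays at one, and the QDS gate flipping to block only once the higher-scored finding appears.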
Key Benefits of the QScanner-Harbor Integration
The value of the QScanner integration shows up quickly, especially for teams managing Harbor at scale.
- Preserve the on-push developer experience: Developers still get immediate feedback when images are pushed, without introducing slower workflows or forcing a move away from push-time scanning.
- Eliminate the overhead of repeated rescanning: Teams no longer need to keep pulling and reprocessing the same images whenever new vulnerabilities are disclosed.
- Reduce infrastructure and cloud costs: Continuous assessment reduces repeated compute, storage I/O, registry load, and cloud egress associated with full-image rescans.
- Scale more efficiently across large image volumes: As environments grow to thousands or hundreds of thousands of images, the scanning model remains sustainable rather than becoming a resource drain.
- Stay current without adding rework: Security visibility improves as vulnerability intelligence evolves, yet developers are not stuck repeating the same scan cycle.
- Prioritize what actually matters: QScanner integrates Qualys Detection Score (QDS) into the workflow, helping teams focus on vulnerabilities with higher real-world exploitability and threat relevance rather than chasing every raw CVE equally.
- Support modern heterogeneous environments: QScanner supports AMD64 and ARM images and can be deployed as a standalone container or in Kubernetes, making it easier to adopt across diverse build and runtime environments.
A Better Model for Developer On-Push Security
Harbor’s built-in Trivy integration makes it easy to get started with image scanning, but at scale, traditional point-in-time scanning creates real operational friction. The challenge is not catching issues on push. The challenge is staying current without constantly repeating the same work.
QScanner introduces a better model for Harbor: scan on push, then continuously assess over time. That means teams can keep the fast feedback loop developers want, without taking on the ongoing cost of endless rescans as new vulnerabilities emerge.
For developer and platform teams, that means less repeated work and faster pipelines. For the organization, it means lower infrastructure cost and a more sustainable approach to container security at scale.
The table below summarizes the key differences between the previous Trivy-based approach and the new QScanner integration with Harbor:
| Dimension | Trivy – Before | Qualys QScanner – After |
| --- | --- | --- |
| Vulnerability Format | CVE only | QID + CVE + QDS |
| Used by | Dev team only | Dev team + SecOps team |
| Scoring basis | CVSS base score | QDS – exploitability-aware |
| Rescan method | Full image pull every time | SBOM re-evaluation – no image pull |
| Compute cost at scale | High – full scan each time | Low – Continuous Assessment |
| Compliance reporting | Manual export/mapping needed | Manual export/mapping needed |
| False positive rate | Higher – NVD-only source | Lower – Qualys TRU curated |
Conclusion
Integrating Qualys QScanner as the Harbor scanner adapter is not just a tool swap. It is a strategic alignment between development-time and runtime security practices. It eliminates friction between Dev and SecOps teams, brings enterprise-grade vulnerability intelligence into the CI/CD pipeline, and dramatically reduces the operational cost of continuously assessing registry images.
For organizations looking to unify vulnerability assessment across the container lifecycle, this integration establishes a single, consistent model for identifying, prioritizing, and remediating risk without fragmentation across tools and teams. For enterprises already leveraging Qualys, it extends existing vulnerability intelligence seamlessly into the registry layer, reinforcing consistency without introducing additional operational overhead.
Heading to KubeCon + CloudNativeCon Europe 2026? Visit Qualys booth #791 to see how QScanner eliminates heavy rescanning and enables continuous SBOM-based assessment in Harbor.
Frequently Asked Questions (FAQs)
What changes with QID compared to CVE?
QID provides a curated identifier with enriched context, mapping to CVEs but adding exploitability and remediation intelligence.
How does SBOM rescanning work in Harbor?
The SBOM generated during the first scan is re-evaluated against updated vulnerability data without re-pulling the image.
Does this impact registry performance?
Yes. It reduces CPU, storage I/O, and network usage by eliminating repeated full-image scans.
Can policies be enforced at push time?
Yes. Harbor policies can block images based on QDS thresholds.
Is multi-architecture support available?
Yes. Both ARM and AMD64 images are supported with the same scanning workflow.