Connector Release 2.18 API

June 29, 2026

Before understanding the API release highlights, learn more about the API server URL to be used in your API requests by referring to the Know Your Qualys API Server URL section. In these API Release Notes, <qualys_gateway_url> is used in the sample API requests.

All endpoints require a QAS Bearer JWT token issued by the Qualys identity service.
Authorization: Bearer <qas-jwt-token>
Requests with a missing or invalid token return 401 Unauthorized. The token carries tenant identity (customerUuid, customerIntId) and is used to scope all data access automatically - you cannot access another tenant's data.

Service Accounts API

A service account represents a cloud provider account (e.g., a GCP project, AWS account, or Azure subscription) that Flexscan is authorized to scan. You must register a service account before configuring or scanning it.

Register Service Account

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/service-accounts/register
Method POST
DTD or XSD changes Not Applicable

This API registers a service account with the Qualys connector service and enables it for snapshot-based scanning.

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String Cloud account identifier - GCP project ID, AWS account ID, or Azure subscription ID
cloudType Mandatory String Cloud provider: GCP, AWS, or AZURE (case-insensitive)

Sample - Register a GCP Service AccountSample - Register a GCP Service Account

API Request

curl -X POST \
  '<qualys_gateway_url>/flexscan-api/rest/v1/service-accounts/register' \
  -H 'Authorization: Bearer <qas-jwt-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "my-gcp-project-123",
    "cloudType": "GCP"
  }'

API Response

{
  "data": {
    "accountId": "my-gcp-project-XXX",
    "status": "REGISTERED",
    "registeredAt": "2026-05-28T11:30:00"
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Sample - Register an Azure Service AccountSample - Register an Azure Service Account

API Request

curl -X POST \
  '<qualys_gateway_url>/flexscan-api/rest/v1/service-accounts/register' \
  -H 'Authorization: Bearer <qas-jwt-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "cloudType": "AZURE"
  }'

API Response

{
  "data": {
    "accountId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "status": "REGISTERED",
    "registeredAt": "2026-05-28T11:30:00"
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Deregister Service Account

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/service-accounts/deregister
Method DELETE
DTD or XSD changes Not Applicable

This API deregisters a service account from the Qualys connector service. 

 This API removes only the connector registration, it does not delete the cloud infrastructure.

 When you trigger the Deregister API, the service account setup for the enabled regions will be removed. However, the associated subnets and VPCs will not be deleted automatically. You will need to manually delete the subnets and VPCs a few hours after the Deregister API completes.

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String Cloud account identifier to deregister
cloudType Mandatory String Cloud provider: GCP, AWS, or AZURE (case-insensitive)

Sample - Deregister a Service AccountSample - Deregister a Service Account

API Request

curl -X DELETE \
  '<qualys_gateway_url>/flexscan-api/rest/v1/service-accounts/deregister' \
  -H 'Authorization: Bearer <qas-jwt-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "my-gcp-project-XXX",
    "cloudType": "GCP"
  }'

API Response

{
  "data": {
    "accountId": "my-gcp-project-XXX",
    "status": "DEREGISTERED",
    "deregisteredAt": "2026-05-28T11:35:00"
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:35:00Z"
  }
}

Setup Service Account

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/service-accounts/setup
Method POST
DTD or XSD changes Not Applicable

This API configures scan settings for a registered service account. It updates the scan configuration (regions, scan interval, resource types, scan types, tag filters) and provisions per-region infrastructure by publishing SETUP_REGION events.

If you remove any region(s) as part of a setup modification, the subnet associated with the removed region’s infrastructure will not be deleted automatically. You will need to manually delete the subnet for the removed region a few hours after the region removal process completes.

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String Service account identifier (must be in REGISTERED state)
regions Mandatory Array of String Cloud regions to enable for scanning (e.g.,["us-east1", "eastus"])
scanInterval Optional Integer Scan interval in hours. Range: 24–720.
resourceTypes Optional Array of String Resource types to scan. Allowed value: vm.
vmScanTypes Optional Array of String VM scan types. Options: os, sca (case-insensitive).
mustHaveTags Optional Array of String Resources must have ALL of these tags (AND logic). Format: "key=value"
atLeastOneTag Optional Array of String Resources must have AT LEAST ONE of these tags (OR logic). Format: "key=value"
noneOfTheTag Optional Array of String Resources with ANY of these tags are excluded. Format: "key=value"

 All string list parameters are automatically converted to lowercase. For SCA scan types, the os parameter must also be included.
Currently, these input parameters are referred to as tags, but in GCP they are called labels.

Tag Behavior: If a tag parameter is set to an empty array ([]) or null, no filtering is applied for that parameter. When all three tag parameters are empty or null, all resources are scanned.

Tag Format Examples by Cloud:

  • AWS: "Environment=Production", "Owner:PlatformTeam" (both equals and colon separators are supported)
  • Azure: "environment=production", "owner=platform-team" (keys are case-sensitive)
  • GCP: "environment=production", "owner=platform-team" (only the equals separator is supported)

Sample - Setup a Service Account with Tag FiltersSample - Setup a Service Account with Tag Filters

API Request

curl -X POST \
  '<qualys_gateway_url>/flexscan-api/rest/v1/service-accounts/setup' \
  -H 'Authorization: Bearer <qas-jwt-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "my-gcp-project-XXX",
    "regions": ["us-east1", "us-west1"],
    "scanInterval": 24,
    "resourceTypes": ["vm"],
    "vmScanTypes": ["os"],
    "mustHaveTags": ["env=production"],
    "atLeastOneTag": ["team=platform", "team=infra"],
    "noneOfTheTag": ["ignore=true"]
  }'

API Response

{
  "data": {
    "status": "ACCEPTED",
    "accountId": "my-gcp-project-XXX",
    "cloudType": "GCP",
    "previousRegions": ["us-west1"],
    "currentRegions": ["us-east1", "us-west1"],
    "addedRegions": ["us-east1"],
    "removedRegions": [],
    "scanInterval": 24,
    "resourceTypes": ["vm"],
    "vmScanTypes": ["os"],
    "mustHaveTags": ["env=production"],
    "atLeastOneTag": ["team=platform", "team=infra"],
    "noneOfTheTag": ["ignore=true"]
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

List Service Accounts

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/service-accounts
Method GET
DTD or XSD changes Not Applicable

This API lists all service accounts belonging to the authenticated customer, with pagination.

Input parameters

Parameter Mandatory/Optional Data Type Description
page Optional Integer Page number (1-based).
Default: 1
limit Optional Integer Items per page. Range: 1–100.
Default: 25
sort Optional String Sort field and direction.
Format: field,direction.
Default: createdAt,desc

Sample - List Service AccountsSample - List Service Accounts

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/service-accounts?page=1&limit=25&sort=createdAt,desc' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": [
    {
      "accountId": "my-gcp-project-123",
      "cloudType": "GCP",
      "customerUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "connectorUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "portalUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "regions": ["us-east1", "us-west1"],
      "state": "REGISTERED",
      "createdAt": "2026-05-01T10:00:00",
      "updatedAt": "2026-05-28T11:30:00"
    }
  ],
  "errors": [],
  "meta": {
    "page": 1,
    "limit": 25,
    "total": 5,
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Get Service Account

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/service-accounts/{accountId}
Method GET
DTD or XSD changes Not Applicable

This API retrieves a specific service account by its identifier.

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String (path) Service account identifier

Sample - List Service AccountsSample - List Service Accounts

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/service-accounts/my-gcp-project' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "accountId": "my-gcp-project",
    "cloudType": "GCP",
    "customerUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "connectorUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "portalUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "regions": ["us-east1", "us-west1"],
    "state": "REGISTERED",
    "createdAt": "2026-05-01T10:00:00",
    "updatedAt": "2026-05-28T11:30:00"
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Get Service Account State

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/service-accounts/{accountId}/state
Method GET
DTD or XSD changes Not Applicable

This API retrieves the current provisioning state and per-region cloudInfo for a service account.

 The state is scoped to the authenticated customer's tenant - you cannot query another customer's accounts.

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String (path) Service account identifier

Sample - List Service AccountsSample - List Service Accounts

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/service-accounts/my-gcp-project-123/state' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "accountId": "my-gcp-project-123",
    "cloudType": "GCP",
    "state": "REGISTERED",
    "cloudInfo": {
      "us-east1": {
        "vnetId": "/subscriptions/.../virtualNetworks/qualys-vnet-eastus",
        "storageAccountName": "qualysstore123"
      }
    }
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Target Accounts API

A target account is a child cloud account, or subscription scoped under a parent service account (e.g., an AWS member account in an AWS Organization, or an Azure target subscription). Target accounts inherit infrastructure from the parent service account but can have independent scan configurations.

Setup Target Account

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/target-accounts/setup
Method POST
DTD or XSD changes Not Applicable

This API configures scan settings for a target account. Updates only the target account record - does not modify the parent service account or trigger new infrastructure provisioning.

Validation Rules

  • Target account regions must be a subset of (or equal to) the parent service account's configured regions.
  • vmScanTypes must be a subset of the parent service account's vmScanTypes.
  • If the parent service account has ["os"], the target may specify ["os"] but not ["os", "sca"].

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String (path) Target account identifier
regions Mandatory Array of String Regions to scan - must be subset of parent service account's regions
scanInterval Optional Integer Scan interval in hours. Range: 24–720.
Default: 24
resourceTypes Optional Array of String Resource types to scan. Allowed value: vm.
Default: ["vm"]
vmScanTypes Optional Array of String VM scan types. Options: os, sca, secret.
Must be subset of parent service account's vmScanTypes.
Default: ["os"]
mustHaveTags Optional Array of String Resources must have ALL of these tags (AND logic).
Format: "key=value"
atLeastOneTag Optional Array of String Resources must have AT LEAST ONE of these tags (OR logic).
Format: "key=value"
noneOfTheTag Optional Array of String Resources with ANY of these tags are excluded.
Format: "key=value"

Tag Behavior: If a tag parameter is set to an empty array ([]) or null, no filtering is applied for that parameter. When all three tag parameters are empty or null, all resources are included in the scan.
Currently, these parameters are referred to as tags, however, in GCP they are called labels.

Target Account Tag Fallback: For target accounts, null tag values inherit the configuration from the parent service account. Setting a tag parameter to an empty array ([]) overrides the parent configuration and disables filtering for that parameter.

Tag Format Examples by Cloud:

  • AWS: "Environment=Production", "Owner:PlatformTeam" (supports both equals (=) and colon (:) separators)
  • Azure: "environment=production", "owner=platform-team" (keys are case-sensitive)
  • GCP: "environment=production", "owner=platform-team" (only the equals (=) separator is supported)

Sample - Setup a Target AccountSample - Setup a Target Account

API Request

curl -X POST \
  '<qualys_gateway_url>/flexscan-api/rest/v1/target-accounts/setup' \
  -H 'Authorization: Bearer <qas-jwt-token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "target-xxxxxxxx",
    "regions": ["us-east1"],
    "scanInterval": 48,
    "resourceTypes": ["vm"],
    "vmScanTypes": ["os"],
    "mustHaveTags": ["env=staging"]
  }'

API Response

{
  "data": {
    "status": "ACCEPTED",
    "accountId": "target-xxxxxxxxx",
    "serviceAccountId": "my-gcp-project-123",
    "cloudType": "GCP",
    "previousRegions": [],
    "currentRegions": ["us-east1"],
    "addedRegions": ["us-east1"],
    "removedRegions": [],
    "scanInterval": 48,
    "resourceTypes": ["vm"],
    "vmScanTypes": ["os"],
    "mustHaveTags": ["env=staging"],
    "atLeastOneTag": null,
    "noneOfTheTag": null
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

List Target Accounts

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/target-accounts
Method GET
DTD or XSD changes Not Applicable

This API lists target accounts belonging to the authenticated customer. Always scoped to the JWT tenant - you cannot access another customer's data. Supports optional filters.

Input parameters

Parameter Mandatory/Optional Data Type Description
serviceAccountId Optional String Filter by parent service account ID
cloudType Optional String Filter by cloud type: AWS, AZURE, GCP, or OCI (case-insensitive)
state Optional String Filter by parent service account state: REGISTERED, ACTIVE, INACTIVE, ERROR
page Optional Integer Page number (1-based). Default: 1
limit Optional Integer Items per page. Range: 1–100. Default: 25
sort Optional String Sort field and direction. Default: createdAt,desc

Sample - List Target Accounts Filtered by Service AccountSample - List Target Accounts Filtered by Service Account

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/target-accounts?serviceAccountId=my-gcp-project-123&page=1&limit=25' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": [
    {
      "accountId": "target-xxxxxxx",
      "serviceAccountId": "my-gcp-project-xxxxxxx",
      "cloudType": "GCP",
      "customerUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "connectorUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "portalUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "regions": ["us-east1", "us-west1"],
      "serviceAccountState": "REGISTERED",
      "createdAt": "2026-05-01T10:00:00",
      "updatedAt": "2026-05-28T11:30:00"
    }
  ],
  "errors": [],
  "meta": {
    "page": 1,
    "limit": 25,
    "total": 3,
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Get Target Account

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/target-accounts/{accountId}
Method GET
DTD or XSD changes Not Applicable

This API retrieves a specific target account by its identifier, including parent service account details.

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String (path) Target account identifier

Sample - Get a Target AccountSample - Get a Target Account

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/target-accounts/target-account-456' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "accountId": "target-xxxxxxx",
    "serviceAccountId": "my-gcp-projectxxxx",
    "cloudType": "GCP",
    "customerUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "connectorUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "portalUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "regions": ["us-east1", "us-west1"],
    "createdAt": "2026-05-01T10:00:00",
    "updatedAt": "2026-05-28T11:30:00",
    "serviceAccount": {
      "accountId": "my-gcp-project-123",
      "cloudType": "GCP",
      "state": "REGISTERED",
      "regions": ["us-east1", "us-west1"]
    }
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Get Target Account State

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/target-accounts/{accountId}/state
Method GET
DTD or XSD changes Not Applicable

This API retrieves the provisioning state and per-region cloudInfo for a target account. State is derived from the parent service account. Scoped to the authenticated customer.

Input parameters

Parameter Mandatory/Optional Data Type Description
accountId Mandatory String (path) Target account identifier

Sample - Get Target Account StateSample - Get Target Account State

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/target-accounts/target-account-456' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "accountId": "target-account-xxxx",
    "cloudType": "GCP",
    "state": "REGISTERED",
    "cloudInfo": {
      "us-east1": {
        "vnetId": "/subscriptions/.../virtualNetworks/qualys-vnet-eastus",
        "storageAccountName": "qualysstore123"
      }
    }
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Scan Logs API

Provides read-only access to scan status records. Each record represents a single VM/resource scan attempt. Sensitive internal fields (resultFileNamecorrelationIds) are excluded by default.

List Scan Logs

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/scan/logs
Method GET
DTD or XSD changes Not Applicable

This API lists all scan status records for the authenticated customer, paginated and sorted by last update time.

Input parameters

Parameter Mandatory/Optional Data Type Description
page Optional Integer Page number (1-based).
Default: 1
limit Optional Integer Items per page. Range: 1–500.
Default: 100
sort Optional String Sort field and direction.
Default: updatedAt,desc

Sample - List Scan LogsSample - List Scan Logs

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/scan/logs?page=1&limit=100&sort=updatedAt,desc' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": [
    {
      "scanUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "cloudType": "GCP",
      "resourceId": "projects/my-project/zones/us-west1-a/instances/my-vm",
      "resourceName": "my-vm",
      "resourceType": "VM",
      "customerUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "portalUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "serviceAccountId": "my-gcp-projectxxxx",
      "targetAccountId": "target-accountxxxxx",
      "targetRegion": "us-west1",
      "targetZone": "us-west1-a",
      "scannerPlatform": "LINUX",
      "storageCount": 1,
      "scanPriority": 1,
      "scanAttempts": 1,
      "scanType": "OS",
      "scanStatus": "COMPLETED",
      "expiresAt": "2026-06-04T11:30:00",
      "stateReason": null,
      "createdAt": "2026-05-28T10:00:00",
      "updatedAt": "2026-05-28T11:30:00"
    }
  ],
  "errors": [],
  "meta": {
    "page": 1,
    "limit": 100,
    "total": 540,
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Get Scan Logs

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/scan/logs/{scanUuid}
Method GET
DTD or XSD changes Not Applicable

This API retrieves a single scan log record by its UUID. Use includeDetails=true to include internal diagnostic fields.

Input parameters

Parameter Mandatory/Optional Data Type Description
scanUuid Mandatory UUID (path) Scan record UUID (primary key)
includeDetails Optional Boolean Include resultFileName and correlationIds in the response.
Default: false

Sample - Get Scan Logs without DetailsSample - Get Scan Logs without Details

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/scan/logs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "scanUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "cloudType": "GCP",
    "resourceId": "projects/my-project/zones/us-west1-a/instances/my-vm",
    "resourceName": "my-vm",
    "resourceType": "VM",
    "customerUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "portalUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "serviceAccountId": "my-gcp-project-XXX",
    "targetAccountId": "target-account-XXXXX",
    "targetRegion": "us-west1",
    "targetZone": "us-west1-a",
    "scannerPlatform": "LINUX",
    "storageCount": 1,
    "scanPriority": 1,
    "scanAttempts": 2,
    "scanType": "OS",
    "scanStatus": "COMPLETED",
    "expiresAt": "2026-06-04T11:30:00",
    "stateReason": null,
    "createdAt": "2026-05-28T10:00:00",
    "updatedAt": "2026-05-28T11:30:00"
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Sample - Get Scan Logs with DetailsSample - Get Scan Logs with Details

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/scan/logs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?includeDetails=true' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "scanUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "... (all fields from above) ...",
    "resultFileName": "GCP/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/my-gcp-project-XXX/f184d531-ScanResult.json",
    "correlationIds": "[\"corr-001\",\"corr-002\"]"
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Audit Trail API

Provides visibility into the execution history of the scan workflow. Events are stored in OpenSearch; resource state is cross-referenced from the Oracle database (RESOURCE_SCAN_STATUS).

Get Resource Audit Trail

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/audit/resource/{scanUuid}
Method GET
DTD or XSD changes Not Applicable

This API returns the complete audit trail for a scanned resource across all its workflows. Looks up the resource by scanUuid, validates customer ownership, then queries OpenSearch for all workflow events linked to that resource.

Input parameters

Parameter Mandatory/Optional Data Type Description
scanUuid Mandatory UUID (path) Scan record UUID — primary key from the scan logs API

Sample - Get Resource Audit TrailSample - Get Resource Audit Trail

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/audit/resource/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "scanUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "resourceId": "projects/my-project/zones/us-west1-a/instances/XXXXXX",
    "resourceName": "my-vm",
    "resourceType": "VM",
    "cloudType": "GCP",
    "serviceAccountId": "my-gcp-project-XXXXX",
    "accountId": "target-account-XXXX",
    "region": "us-west1",
    "zone": "us-west1-a",
    "scannerPlatform": "LINUX",
    "scanStatus": "COMPLETED",
    "correlationIds": ["gcp-scan-corr-001", "gcp-scan-corr-002"],
    "totalWorkflows": 2,
    "totalEvents": 16,
    "createdAt": "2026-05-28T10:00:00",
    "updatedAt": "2026-05-28T11:30:00",
    "workflows": [
      {
        "correlationId": "gcp-scan-corr-001",
        "eventCategory": "SCAN",
        "status": "SUCCESS",
        "startedAt": "2026-05-28T10:00:00Z",
        "lastEventAt": "2026-05-28T11:00:00Z",
        "totalEvents": 8,
        "events": [
          {
            "eventId": "evt-001",
            "eventType": "ROOT",
            "stepType": "ROOT",
            "status": "SUCCESS",
            "receivedAt": "2026-05-28T10:00:00Z",
            "sequenceNumber": 1
          }
        ]
      }
    ]
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

Get Workflow Timeline

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/audit/workflows/{correlationId}
Method GET
DTD or XSD changes Not Applicable

This API returns the complete ordered event chain for a single workflow identified by its correlation ID. Events are sorted by receivedAt and sequenceNumber.

Input parameters

Parameter Mandatory/Optional Data Type Description
correlationId Mandatory String (path) Workflow correlation ID (obtained from the audit trail or scan log)

Sample - Get Resource Audit TrailSample - Get Resource Audit Trail

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/audit/workflows/gcp-scan-corr-001' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "correlationId": "gcp-scan-corr-001",
    "eventCategory": "SCAN",
    "cloudType": "GCP",
    "serviceAccountId": "my-gcp-project-XXXX",
    "status": "SUCCESS",
    "startedAt": "2026-05-28T10:00:00Z",
    "lastEventAt": "2026-05-28T11:00:00Z",
    "totalEvents": 8,
    "events": [
      {
        "eventId": "evt-001",
        "eventType": "ROOT",
        "stepType": "ROOT",
        "status": "SUCCESS",
        "receivedAt": "2026-05-28T10:00:00Z",
        "sequenceNumber": 1,
        "details": {}
      },
      {
        "eventId": "evt-002",
        "eventType": "DISCOVER_TARGET_VMS",
        "stepType": "DISCOVER_TARGET_VMS",
        "status": "SUCCESS",
        "receivedAt": "2026-05-28T10:05:00Z",
        "sequenceNumber": 2,
        "details": {}
      }
    ]
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}

List Workflows

New or Updated API New
API Endpoint (New) /flexscan-api/rest/v1/audit/workflows
Method GET
DTD or XSD changes Not Applicable

Lists workflows with optional filters. Results are returned most-recent-first by receivedAt.

Input parameters

Parameter Mandatory/Optional Data Type Description
status Optional String Filter by workflow status: SUCCESS, FAILED, IN_PROGRESS, MAX_RETRIES_EXCEEDED (case-insensitive)
eventCategory Optional String Filter by category: DISCOVERY, SNAPSHOT, SCAN, MANAGEMENT (case-insensitive)
serviceAccountId Optional String Filter by service account ID
cloudType Optional String Filter by cloud provider: AWS, AZURE, GCP, OCI (case-insensitive)
stepType Optional String Filter by step/event type (e.g., ROOT, DISCOVER_TARGET_VMS) (case-insensitive)
page Optional Integer Page number (1-based).
Default: 1
limit Optional Integer Items per page. Range: 1–500.
Default: 100

Sample - List Scan Workflows for a Service AccountSample - List Scan Workflows for a Service Account

API Request

curl -X GET \
  '<qualys_gateway_url>/flexscan-api/rest/v1/audit/workflows?serviceAccountId=my-gcp-project-XXXX&eventCategory=SCAN&status=SUCCESS&page=1&limit=100' \
  -H 'Authorization: Bearer <qas-jwt-token>'

API Response

{
  "data": {
    "workflows": [
      {
        "correlationId": "gcp-scan-corr-001",
        "eventCategory": "SCAN",
        "cloudType": "GCP",
        "serviceAccountId": "my-gcp-project-123",
        "status": "SUCCESS",
        "totalEvents": 8,
        "startedAt": "2026-05-28T10:00:00Z",
        "lastEventAt": "2026-05-28T11:00:00Z"
      }
    ],
    "total": 150,
    "page": 1,
    "limit": 100
  },
  "errors": [],
  "meta": {
    "timestamp": "2026-05-28T11:30:00Z"
  }
}