Release 1.36 API
January 18, 2025
Before reading the API release highlights, identify the API server URL to use in your API requests by referring to the Know Your Qualys API Server URL section. In these API Release Notes, <qualys_base_url> is used in the sample API requests.
What's New?
With this release, Container Security has introduced new rules and rule types for Admission Controller and CI/CD Policies. Along with this, Container Security now supports OAuth and OpenID Connect Authentication Standards.
Update in Admission Controller and CI/CD Policies
With the Container Security 1.36 release, Container Security has introduced some new rules and rule types in the Admission Controller and CI/CD Policies. The following APIs are updated for both Admission Controller Policy and CI/CD Policy.
- Show Details of a Centralized Policy
GET /csapi/v1.3/centralizedPolicy/{policyId}
- Create a Centralized Policy
POST /csapi/v1.3/centralizedPolicy
- Update a Centralized Policy
PUT /csapi/v1.3/centralizedPolicy/{policyId}
- Activate or Deactivate a Centralized Policy
PUT /csapi/v1.3/centralizedPolicy/{policyId}/mode
Updated API: Show Details of a Centralized Policy
New or Updated APIs | Updated |
---|---|
API Endpoint (New version) | /csapi/v1.3/centralizedPolicy/{policyId} |
Method | GET |
DTD XSD Changes | No |
Output Parameters
The table below shows the updated response parameters.
Parameter | Data Type | Description |
---|---|---|
centralizedPolicyRules | array | Indicates array for the centralized policy rules to be included. |
type | string | A part of 'centralizedPolicyRules' array. Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New values: - PODSECURITY |
kind | string | Indicates the kind of centralized policy rules. Valid values for Admission Controller Policy: - IMAGE_SECURITY - POD_SECURITY Valid value for CI/CD Policy: - IMAGE_SECURITY |
exclusionPolicyRules | array | Indicates array for the rule values to be excluded. Is available only if the particular rule is set and enabled for the policy. |
type | string | A part of 'exclusionPolicyRules' array. It indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New values: - EX_IMAGESCAN_VULN_QID_AGE |
kind | string | A part of 'exclusionPolicyRules' array. Indicates the kind of centralized policy rules. Valid value: EXCLUSION |
Sample: Show Details of a Centralized Policy
API Request
curl -X 'GET' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/462c9a8e-0114-42d0-8a89-a6edd0d0c52b' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>'
API Response for a Centralized Admission Controller Policy
{
"uuid": "462c9a8e-0114-42d0-8a89-a6edd0d0c52b",
"policyName": "TESTcreate",
"policyType": "K8S_ADMISSION_CONTROLLER",
"policyMode": "ACTIVE",
"description": "",
"createdBy": "john_doe",
"created": "1735541197955",
"updatedBy": "john_doe",
"updated": "1735541197955",
"centralizedPolicyRules": [
{
"name": "Pod Security",
"type": "PODSECURITY",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"options\":[{\"id\":\"rw_hostpath\",\"enabled\":true},{\"id\":\"container_hostport\",\"enabled\":true},{\"id\":\"hostPid_hostIpc\",\"enabled\":true},{\"id\":\"host_process\",\"enabled\":true},{\"id\":\"privileged_containers\",\"enabled\":true},{\"id\":\"non_default_procMount\",\"enabled\":false},{\"id\":\"insecure_capabilites\",\"enabled\":false},{\"id\":\"root_container\",\"enabled\":true},{\"id\":\"privilege_escalation\",\"enabled\":false}]}",
"kind": "POD_SECURITY"
},
{
"name": "Block Known Vulnerability using QIDs",
"type": "IMAGESCAN_VULN_RESTRICTED_QIDS",
"action": "FAIL",
"isEnabled": false,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"values\":[234010]}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Limit Vulnerability using Severity",
"type": "IMAGESCAN_VULN_SEVERITYCOUNT",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"operator\":\"GREATER_THAN\",\"severityLevel\":3,\"threshold\":1}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Block Images with Secrets",
"type": "IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"value\":\"CRITICAL\",\"operator\":\"GREATER_THAN\",\"threshold\":\"2\"}",
"kind": "IMAGE_SECURITY"
}
],
"exclusionPolicyRules": [
{
"name": "Exclude Images",
"type": "EX_IMAGESCAN_VULN_IMAGES",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"values\":[\".*ubuntu.*\",\"img.*\"]}",
"kind": "EXCLUSION"
},
{
"name": "Exclude if patch not available",
"type": "EX_IMAGESCAN_VULN_PATCH_NOT_AVAILABLE",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{}",
"kind": "EXCLUSION"
},
{
"name": "Exclude Namespaces",
"type": "EX_NAMESPACES",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"values\":[\"default\"]}",
"kind": "EXCLUSION"
},
{
"name": "Exclude by Qid Age",
"type": "EX_IMAGESCAN_VULN_QID_AGE",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"value\":15}",
"kind": "EXCLUSION"
}
],
"version": 1,
"isDefault": false,
"tagIds": null,
"k8sFilters": [
{
"cluster": {
"clusterUid": "51250330-b7a3-4958-9858-390c8b6c7cde",
"clusterName": "ekstestqa-vultest"
},
"namespace": null
}
]
}
API Response for a Centralized CI/CD Policy
{
"uuid": "8700e7bd-5093-4ec9-ab18-0a33101e71db",
"policyName": "Test_acme",
"policyType": "CICD",
"policyMode": "ACTIVE",
"description": "",
"createdBy": "john_doe",
"created": "1737003027712",
"updatedBy": "john_doe",
"updated": "1737003027712",
"centralizedPolicyRules": [
{
"name": "Block Unauthorized Software",
"type": "IMAGESCAN_VULN_RESTRICTED_SOFTWARES",
"action": "FAIL",
"isEnabled": false,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"values\":[\"python\"]}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Block Known Vulnerability using CVEs",
"type": "IMAGESCAN_VULN_RESTRICTED_CVES",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"values\":[\"CVE-2014-9999\"]}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Enforce Qualys Detection Score Threshold",
"type": "IMAGESCAN_VULN_QDS_SEVERITY",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"value\":\"CRITICAL\"}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Limit Vulnerability using Severity",
"type": "IMAGESCAN_VULN_SEVERITYCOUNT",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"operator\":\"GREATER_THAN\",\"severityLevel\":3,\"threshold\":1}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Block Known Vulnerability using QIDs",
"type": "IMAGESCAN_VULN_RESTRICTED_QIDS",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"values\":[123456]}",
"kind": "IMAGE_SECURITY"
},
{
"name": "Limit Vulnerability using CVSS",
"type": "IMAGESCAN_VULN_CVSSV3_SEVERITYCOUNT",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"value\":\"CRITICAL\",\"operator\":\"GREATER_THAN\",\"threshold\":1}",
"kind": "IMAGE_SECURITY"
}
],
"exclusionPolicyRules": [
{
"name": "Exclude by Qid Age",
"type": "EX_IMAGESCAN_VULN_QID_AGE",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"value\":45}",
"kind": "EXCLUSION"
},
{
"name": "Exclude QIDS",
"type": "EX_IMAGESCAN_VULN_QIDS",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{\"values\":[12345]}",
"kind": "EXCLUSION"
},
{
"name": "Exclude if patch not available",
"type": "EX_IMAGESCAN_VULN_PATCH_NOT_AVAILABLE",
"action": "FAIL",
"isEnabled": true,
"stopProcessing": false,
"sortOrder": 0,
"metaData": "{}",
"kind": "EXCLUSION"
}
],
"version": 1,
"isDefault": false,
"tagIds": [
{
"uuid": "147658af-8ea3-487e-8299-b8896df30e8c",
"id": 141831342,
"name": "Abc_Test",
"backgroundColor": "#000000",
"foregroundColor": "#000000",
"icon": null,
"criticalityScore": 0,
"tagType": null
},
{
"uuid": "cdd248ce-dd86-4a1e-83e6-34f64261aef9",
"id": 144711802,
"name": "testq",
"backgroundColor": "#000000",
"foregroundColor": "#000000",
"icon": null,
"criticalityScore": 0,
"tagType": null
}
],
"k8sFilters": null
}
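An added example, not part of the Qualys release notes: in the responses above each rule's metaData is a JSON document encoded as a string, while the Create and Update request samples on this page send it as an object. The Python below decodes it, lists disabled rules, Pod Security options whose enabled flag is false, and active exclusion rules, and converts a response into the request shape; the function names and the trimmed sample are constructed for illustration.

```python
import json

# Constructed sample: a trimmed copy of the Admission Controller response shown
# above. Each metaData value is a JSON document encoded as a string.
SAMPLE_RESPONSE = r'''
{
  "uuid": "462c9a8e-0114-42d0-8a89-a6edd0d0c52b",
  "policyName": "TESTcreate",
  "policyType": "K8S_ADMISSION_CONTROLLER",
  "policyMode": "ACTIVE",
  "centralizedPolicyRules": [
    {"name": "Pod Security", "type": "PODSECURITY", "isEnabled": true,
     "kind": "POD_SECURITY",
     "metaData": "{\"options\":[{\"id\":\"rw_hostpath\",\"enabled\":true},{\"id\":\"privileged_containers\",\"enabled\":true},{\"id\":\"insecure_capabilites\",\"enabled\":false},{\"id\":\"privilege_escalation\",\"enabled\":false}]}"},
    {"name": "Block Known Vulnerability using QIDs",
     "type": "IMAGESCAN_VULN_RESTRICTED_QIDS", "isEnabled": false,
     "kind": "IMAGE_SECURITY", "metaData": "{\"values\":[234010]}"}
  ],
  "exclusionPolicyRules": [
    {"name": "Exclude Images", "type": "EX_IMAGESCAN_VULN_IMAGES",
     "isEnabled": true, "kind": "EXCLUSION",
     "metaData": "{\"values\":[\".*ubuntu.*\",\"img.*\"]}"},
    {"name": "Exclude if patch not available",
     "type": "EX_IMAGESCAN_VULN_PATCH_NOT_AVAILABLE",
     "isEnabled": true, "kind": "EXCLUSION", "metaData": "{}"},
    {"name": "Exclude by Qid Age", "type": "EX_IMAGESCAN_VULN_QID_AGE",
     "isEnabled": true, "kind": "EXCLUSION", "metaData": "{\"value\":15}"}
  ]
}
'''

RULE_LISTS = ("centralizedPolicyRules", "exclusionPolicyRules")


def decode_meta(rule):
    """Return a rule's metaData as a dict, whether it arrived as a string or an object."""
    meta = rule.get("metaData") or {}
    if isinstance(meta, str):
        meta = json.loads(meta)
    if not isinstance(meta, dict):
        raise ValueError(f"unexpected metaData in rule {rule.get('type')!r}")
    return meta


def audit(policy):
    """List settings that narrow enforcement, as (finding, rule type, detail) tuples."""
    findings = []
    if policy.get("policyMode") != "ACTIVE":
        findings.append(("policy-not-active", policy.get("policyType"),
                         policy.get("policyMode")))
    for rule in policy.get("centralizedPolicyRules") or []:
        if not rule.get("isEnabled"):
            findings.append(("rule-disabled", rule.get("type"), rule.get("name")))
        elif rule.get("type") == "PODSECURITY":
            # Report the option ids whose "enabled" flag is false.
            off = [o["id"] for o in decode_meta(rule).get("options", [])
                   if not o.get("enabled")]
            if off:
                findings.append(("pod-security-options-off", rule.get("type"), off))
    for rule in policy.get("exclusionPolicyRules") or []:
        if rule.get("isEnabled"):
            meta = decode_meta(rule)
            # Exclusion rules carry either a list ("values") or a scalar ("value").
            findings.append(("exclusion-active", rule.get("type"),
                             meta.get("values", meta.get("value"))))
    return findings


def to_request_body(policy):
    """Copy a GET response into the shape of the request samples: metaData as objects."""
    body = dict(policy)
    for key in RULE_LISTS:
        body[key] = [{**r, "metaData": decode_meta(r)} for r in policy.get(key) or []]
    return body


if __name__ == "__main__":
    policy = json.loads(SAMPLE_RESPONSE)
    for finding in audit(policy):
        print(finding)
    print(json.dumps(to_request_body(policy)["exclusionPolicyRules"], indent=2))
```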
Updated API: Create a Centralized Policy
New or Updated APIs | Updated |
---|---|
API Endpoint (New version) | /csapi/v1.3/centralizedPolicy |
Method | POST |
DTD XSD Changes | No |
Input Parameters
Parameter | Mandatory/Optional | Data Type | Description |
---|---|---|---|
centralizedPolicyRules | Mandatory | array | Indicates array for the centralized policy rules to be included. |
type | Mandatory | string | Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New values: - PODSECURITY |
kind | Mandatory | string | Indicates the kind of centralized policy rules. Valid values for Admission Controller Policy: - IMAGE_SECURITY - POD_SECURITY Valid value for CI/CD Policy: - IMAGE_SECURITY |
exclusionPolicyRules | Optional | array | Indicates array for the rule values to be excluded. Is available only if the particular rule is set and enabled for the policy. |
type | Mandatory | string | A part of 'exclusionPolicyRules' array. It indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New values: - EX_IMAGESCAN_VULN_QID_AGE |
kind | Mandatory | string | A part of 'exclusionPolicyRules' array. Indicates the kind of centralized policy rules. Valid value: EXCLUSION |
Sample: Create a Centralized Policy
API Request for a Centralized Admission Controller Policy
curl -X 'POST' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{
"policyName": "TESTcreate",
"description": "",
"centralizedPolicyRules": [
{
"name": "Limit Vulnerability using Severity",
"type": "IMAGESCAN_VULN_SEVERITYCOUNT",
"isEnabled": true,
"kind": "IMAGE_SECURITY",
"metaData": {
"operator": "GREATER_THAN",
"severityLevel": 3,
"threshold": 1
}
},
{
"name": "Block Images with Secrets",
"type": "IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT",
"isEnabled": true,
"kind": "IMAGE_SECURITY",
"metaData": {
"value": "CRITICAL",
"operator": "GREATER_THAN",
"threshold": "2"
}
},
{
"name": "Block Known Vulnerability using QIDs",
"type": "IMAGESCAN_VULN_RESTRICTED_QIDS",
"isEnabled": false,
"kind": "IMAGE_SECURITY",
"metaData": {
"values": [
234010
]
}
},
{
"name": "Pod Security",
"type": "PODSECURITY",
"isEnabled": true,
"kind": "POD_SECURITY",
"metaData": {
"options": [
{
"id": "rw_hostpath",
"enabled": true
},
{
"id": "container_hostport",
"enabled": true
},
{
"id": "hostPid_hostIpc",
"enabled": true
},
{
"id": "host_process",
"enabled": true
},
{
"id": "privileged_containers",
"enabled": true
},
{
"id": "non_default_procMount",
"enabled": false
},
{
"id": "insecure_capabilites",
"enabled": false
},
{
"id": "root_container",
"enabled": true
},
{
"id": "privilege_escalation",
"enabled": false
}
]
}
}
],
"exclusionPolicyRules": [
{
"isEnabled": true,
"sortOrder": 0,
"kind": "EXCLUSION",
"metaData": {
"value": 15
},
"name": "Exclude by Qid Age",
"type": "EX_IMAGESCAN_VULN_QID_AGE"
},
{
"isEnabled": true,
"sortOrder": 0,
"kind": "EXCLUSION",
"metaData": {},
"name": "Exclude if patch not available",
"type": "EX_IMAGESCAN_VULN_PATCH_NOT_AVAILABLE"
},
{
"isEnabled": true,
"sortOrder": 0,
"kind": "EXCLUSION",
"metaData": {
"values": [
".*ubuntu.*",
"img.*"
]
},
"name": "Exclude Images",
"type": "EX_IMAGESCAN_VULN_IMAGES"
},
{
"isEnabled": true,
"sortOrder": 0,
"kind": "EXCLUSION",
"metaData": {
"values": [
"default"
]
},
"name": "Exclude Namespaces",
"type": "EX_NAMESPACES"
}
],
"policyMode": "ACTIVE",
"policyType": "K8S_ADMISSION_CONTROLLER",
"isDefault": false,
"tagIds": [],
"k8sFilters": [
{
"cluster": {
"clusterUid": "51250330-b7a3-4958-9858-390c8b6c7cde",
"clusterName": "ekstestqa-vultest"
},
"namespace": null
}
]
}'
API Request for a Centralized CI/CD Policy
curl -X 'POST' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d ' {
"policyName":"Acme_DataCenter",
"description":"",
"centralizedPolicyRules":[
{
"name":"Limit Vulnerability using Severity",
"type":"IMAGESCAN_VULN_SEVERITYCOUNT",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"operator":"GREATER_THAN",
"severityLevel":3,
"threshold":1
},
"action":"FAIL"
},
{
"name":"Block Known Vulnerability using QIDs",
"type":"IMAGESCAN_VULN_RESTRICTED_QIDS",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"values":[
123456
]
},
"action":"FAIL"
},
{
"name":"Block Known Vulnerability using CVEs",
"type":"IMAGESCAN_VULN_RESTRICTED_CVES",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"values":[
"CVE-2014-9999"
]
},
"action":"FAIL"
},
{
"name":"Limit Vulnerability using CVSS",
"type":"IMAGESCAN_VULN_CVSSV3_SEVERITYCOUNT",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"value":"CRITICAL",
"operator":"GREATER_THAN",
"threshold":1
},
"action":"FAIL"
},
{
"name":"Enforce Qualys Detection Score Threshold",
"type":"IMAGESCAN_VULN_QDS_SEVERITY",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"value":"CRITICAL"
},
"action":"FAIL"
},
{
"name":"Block Unauthorized Software",
"type":"IMAGESCAN_VULN_RESTRICTED_SOFTWARES",
"isEnabled":false,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"values":[
"python"
]
},
"action":"FAIL"
}
],
"exclusionPolicyRules":[
{
"isEnabled":true,
"order":0,
"sortOrder":0,
"stopProcessing":false,
"kind":"EXCLUSION",
"action":"FAIL",
"metaData":{
"value":45
},
"name":"Exclude by Qid Age",
"type":"EX_IMAGESCAN_VULN_QID_AGE"
},
{
"isEnabled":true,
"order":0,
"sortOrder":0,
"stopProcessing":false,
"kind":"EXCLUSION",
"action":"FAIL",
"metaData":{
},
"name":"Exclude if patch not available",
"type":"EX_IMAGESCAN_VULN_PATCH_NOT_AVAILABLE"
},
{
"isEnabled":true,
"order":0,
"sortOrder":0,
"stopProcessing":false,
"kind":"EXCLUSION",
"action":"FAIL",
"metaData":{
"values":[
12345
]
},
"name":"Exclude QIDS",
"type":"EX_IMAGESCAN_VULN_QIDS"
}
],
"policyMode":"ACTIVE",
"policyType":"CICD",
"isDefault":false,
"tagIds":[
"147658af-8ea3-487e-8299-b8896df30e8c",
"cdd248ce-dd86-4a1e-83e6-34f64261aef9"
],
"k8sFilters":[
]
}'
API Response
The response shown below is the common response for a Centralized Admission Controller Policy and a CI/CD Policy creation.
{
"uuid": "462c9a8e-0114-42d0-8a89-a6edd0d0c52b"
}
Updated API: Update a Centralized Policy
New or Updated APIs | Updated |
---|---|
API Endpoint (New version) | /csapi/v1.3/centralizedPolicy/{policyId} |
Method | PUT |
DTD XSD Changes | No |
The Input Parameters below show the updated/newly introduced parameters for updating a Centralized Admission Controller Policy or CI/CD Policy.
Input Parameters
Parameter | Mandatory/Optional | Data Type | Description |
---|---|---|---|
centralizedPolicyRules | Mandatory | array | Indicates array for the centralized policy rules to be included. |
type | Mandatory | string | Indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New values: - PODSECURITY |
kind | Mandatory | string | Indicates the kind of centralized policy rules. Valid values for Admission Controller Policy: - IMAGE_SECURITY - POD_SECURITY Valid value for CI/CD Policy: - IMAGE_SECURITY |
exclusionPolicyRules | Optional | array | Indicates array for the rule values to be excluded. Is available only if the particular rule is set and enabled for the policy. |
type | Mandatory | string | A part of 'exclusionPolicyRules' array. It indicates policy rule type. Is available only if the particular rule is set and enabled for the policy. New values: - EX_IMAGESCAN_VULN_QID_AGE |
kind | Mandatory | string | A part of 'exclusionPolicyRules' array. Indicates the kind of centralized policy rules. Valid value: EXCLUSION |
Samples: Update a Centralized Policy
API Request for a Centralized Admission Controller Policy
curl -X 'PUT' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/462c9a8e-0114-42d0-8a89-a6edd0d0c52b' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{
"uuid": "462c9a8e-0114-42d0-8a89-a6edd0d0c52b",
"policyName": "TESTcreate-update",
"policyType": "K8S_ADMISSION_CONTROLLER",
"policyMode": "ACTIVE",
"description": "test",
"createdBy": "john_doe",
"created": "1735541197955",
"updatedBy": "quaysxmd",
"updated": "1735557859421",
"centralizedPolicyRules": [
{
"name": "Block Known Vulnerability using CVEs",
"type": "IMAGESCAN_VULN_RESTRICTED_CVES",
"isEnabled": true,
"metaData": {
"values": [
"CVE-2021-36222"
]
},
"kind": "IMAGE_SECURITY"
},
{
"name": "Pod Security",
"type": "PODSECURITY",
"isEnabled": true,
"metaData": {
"options": [
{
"id": "rw_hostpath",
"enabled": true
},
{
"id": "container_hostport",
"enabled": true
},
{
"id": "hostPid_hostIpc",
"enabled": true
},
{
"id": "host_process",
"enabled": true
},
{
"id": "privileged_containers",
"enabled": true
},
{
"id": "non_default_procMount",
"enabled": false
},
{
"id": "insecure_capabilites",
"enabled": false
},
{
"id": "root_container",
"enabled": true
},
{
"id": "privilege_escalation",
"enabled": false
}
]
},
"kind": "POD_SECURITY"
},
{
"name": "Block Known Vulnerability using QIDs",
"type": "IMAGESCAN_VULN_RESTRICTED_QIDS",
"isEnabled": false,
"metaData": {
"values": [
234010
]
},
"kind": "IMAGE_SECURITY"
},
{
"name": "Limit Vulnerability using Severity",
"type": "IMAGESCAN_VULN_SEVERITYCOUNT",
"isEnabled": true,
"metaData": {
"operator": "GREATER_THAN",
"severityLevel": 3,
"threshold": 1
},
"kind": "IMAGE_SECURITY"
},
{
"name": "Block Images with Secrets",
"type": "IMAGESCAN_VULN_SECRETS_SEVERITYCOUNT",
"isEnabled": true,
"metaData": {
"value": "CRITICAL",
"operator": "GREATER_THAN",
"threshold": "2"
},
"kind": "IMAGE_SECURITY"
},
{
"name": "Enforce Qualys Detection Score Threshold",
"type": "IMAGESCAN_VULN_QDS_SEVERITY",
"isEnabled": true,
"metaData": {
"value": "CRITICAL"
},
"kind": "IMAGE_SECURITY"
}
],
"exclusionPolicyRules": [
{
"name": "Exclude by Qid Age",
"type": "EX_IMAGESCAN_VULN_QID_AGE",
"isEnabled": true,
"metaData": {
"value": 10
},
"kind": "EXCLUSION"
},
{
"name": "Exclude if patch not available",
"type": "EX_IMAGESCAN_VULN_PATCH_NOT_AVAILABLE",
"isEnabled": true,
"metaData": {},
"kind": "EXCLUSION"
},
{
"name": "Exclude Images",
"type": "EX_IMAGESCAN_VULN_IMAGES",
"isEnabled": true,
"metaData": {
"values": [
".*ubuntu.*",
"img.*"
]
},
"kind": "EXCLUSION"
},
{
"name": "Exclude Namespaces",
"type": "EX_NAMESPACES",
"isEnabled": true,
"metaData": {
"values": [
"kube-system"
]
},
"kind": "EXCLUSION"
}
],
"version": 6,
"isDefault": false,
"tagIds": [],
"k8sFilters": [
{
"cluster": {
"clusterUid": "51250330-b7a3-4958-9858-390c8b6c7cde",
"clusterName": "ekstestqa-vultest"
},
"namespace": null
}
]
}'
API Request for a Centralized CI/CD Policy
curl -X 'PUT' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/462c9a8e-0114-42d0-8a89-a6edd0d0c52b' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d ' {
"policyName":"Acme_DataCenter",
"description":"",
"centralizedPolicyRules":[
{
"name":"Limit Vulnerability using Severity",
"type":"IMAGESCAN_VULN_SEVERITYCOUNT",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"operator":"GREATER_THAN",
"severityLevel":3,
"threshold":1
},
"action":"FAIL"
},
{
"name":"Block Known Vulnerability using QIDs",
"type":"IMAGESCAN_VULN_RESTRICTED_QIDS",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"values":[
123456
]
},
"action":"FAIL"
},
{
"name":"Block Known Vulnerability using CVEs",
"type":"IMAGESCAN_VULN_RESTRICTED_CVES",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"values":[
"CVE-2014-9999"
]
},
"action":"FAIL"
},
{
"name":"Limit Vulnerability using CVSS",
"type":"IMAGESCAN_VULN_CVSSV3_SEVERITYCOUNT",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"value":"CRITICAL",
"operator":"GREATER_THAN",
"threshold":1
},
"action":"FAIL"
},
{
"name":"Enforce Qualys Detection Score Threshold",
"type":"IMAGESCAN_VULN_QDS_SEVERITY",
"isEnabled":true,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"value":"CRITICAL"
},
"action":"FAIL"
},
{
"name":"Block Unauthorized Software",
"type":"IMAGESCAN_VULN_RESTRICTED_SOFTWARES",
"isEnabled":false,
"stopProcessing":false,
"order":0,
"kind":"IMAGE_SECURITY",
"metaData":{
"values":[
"python"
]
},
"action":"FAIL"
}
],
"exclusionPolicyRules":[
{
"isEnabled":true,
"order":0,
"sortOrder":0,
"stopProcessing":false,
"kind":"EXCLUSION",
"action":"FAIL",
"metaData":{
"value":45
},
"name":"Exclude by Qid Age",
"type":"EX_IMAGESCAN_VULN_QID_AGE"
},
{
"isEnabled":true,
"order":0,
"sortOrder":0,
"stopProcessing":false,
"kind":"EXCLUSION",
"action":"FAIL",
"metaData":{
},
"name":"Exclude if patch not available",
"type":"EX_IMAGESCAN_VULN_PATCH_NOT_AVAILABLE"
},
{
"isEnabled":true,
"order":0,
"sortOrder":0,
"stopProcessing":false,
"kind":"EXCLUSION",
"action":"FAIL",
"metaData":{
"values":[
12345
]
},
"name":"Exclude QIDS",
"type":"EX_IMAGESCAN_VULN_QIDS"
}
],
"policyMode":"ACTIVE",
"policyType":"CICD",
"isDefault":false,
"tagIds":[
"147658af-8ea3-487e-8299-b8896df30e8c",
"cdd248ce-dd86-4a1e-83e6-34f64261aef9"
],
"k8sFilters":[
]
}'
API Response
The response shown below is the common response for a Centralized Admission Controller Policy and a CI/CD Policy creation.
{
"uuid": "462c9a8e-0114-42d0-8a89-a6edd0d0c52b"
}
Updated API: Activate or Deactivate a Centralized Policy
New or Updated APIs | Updated |
---|---|
API Endpoint (New version) | /csapi/v1.3/centralizedPolicy/{policyId}/mode |
Method | PUT |
DTD XSD Changes | No |
Input parameters of this API are not updated. See the updated Sample below.
Sample: Activate or Deactivate a Centralized Policy
API Request - Common for Admission Controller and CI/CD Policies
curl -X 'PUT' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy/4fe313d5-ad9e-493c-8c6d-2ab292b61efa/mode' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{ "policyMode": "INACTIVE" }'
API Response - Common for Admission Controller and CI/CD Policies
This response is specific to a scenario where you have an old Admission Controller policy that uses the 'Allow' rule action and is in the 'Inactive' state.
{
"errorCode": "CMS-3653",
"message": "Policy contains unsupported rule action 'ALLOW' try editing this policy first.",
"timestamp": 1736916929582
}
Support for OAuth 2.0 and OpenID Connect Authentication Standards
With this release, we have upgraded our API security by incorporating OAuth 2.0 and OpenID Connect for authentication and authorization processes.
A standardized authentication and authorization procedure for accessing the APIs is now available. Our system now ensures a smooth integration with previously established authentication infrastructures.
Key Updates
- Support for OAuth 2.0 and OpenID Connect is integrated to enhance authentication and authorization measures.
- Our implementation is in strict adherence to prevailing industry security standards and best practices.
- The platform now accommodates a variety of OAuth 2.0 grant types, including authorization code and client credentials, among others.
- Compatibility with current identity providers and authentication systems has been ensured, facilitating a seamless integration experience.
Benefits
- Enhanced API security - OpenID Connect (OIDC) uses tokens to establish a user's identity and grant access.
- Standardized access control - OpenID Connect (OIDC) provides a standardized way to manage user identities and access control.
- Centralized Authentication - By enabling IDP-initiated SSO, users can authenticate once through your organization’s Identity Provider (IDP) and gain access to all the necessary APIs without needing to log in again. This simplifies the user experience and reduces password fatigue, making access faster and more secure.
- Compliance and Security - Helps to meet compliance requirements by ensuring that user authentication processes adhere to established security protocols like SAML and OIDC.
Action Required
To activate this feature, contact your Technical Account Manager (TAM) or Qualys Technical Support.
To onboard with OAuth/OIDC for authorization and authentication, users need to provide the following specific information and configurations to ensure smooth integration.
Field | Description | Example |
---|---|---|
IdP Name | The name of the Identity Provider (IdP) being configured. This can either be a custom name chosen by you or a name provided by the customer. | TestNameforIDP Qualys Internal |
Entity ID | The unique identifier for the customer’s IdP. Typically, this is a URN or URL that serves as the IdP’s primary identifier during SAML or OAuth/OIDC communications. | https://example.com/idp |
Single Sign-On (SSO) URL | The URL where authentication requests will be sent. This is the endpoint where users are redirected to authenticate with the customer's identity provider (IdP). | https://example.com/login |
Single Logout (SLO) URL (if applicable) | The URL for handling logout requests. If the customer supports Single Logout, this endpoint will handle session termination at both the IdP and Qualys. | https://example.com/logout |
SSO Exit URL (optional) | The URL where users are redirected after successful authentication. This is optional and can be customized based on the customer’s needs. | |
Certificates | Customers are required to provide their public signing certificates to verify the authenticity of SAML responses or to support OAuth/OIDC flows. | |
Use OpenID Connect API Authentication
Once the onboarding process is complete and the OpenID Connect API authentication is enabled, you can begin using it. To start using it, you must first generate the JWT token and then use that token to execute the Qualys APIs. The following subsections provide API request and response samples for generating a JWT token and executing APIs using this token.
Sample API Request to Generate JWT Token for API Authentication and its sample response
The token generation URL may vary based on the IdP application you are using. The sample below illustrates the request and response for Okta.
API Request
curl --location 'https://qualys.oktapreview.com/oauth2/aus27sviwo8jbrP4T0h8/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=jdoe@qualysit.com' \
--data-urlencode 'password= ' \
--data-urlencode 'client_id=0oa27l586h672nMy90h8' \
--data-urlencode 'scope=openid profile'
API Response
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": " ",
"scope": "openid profile",
"id_token": " "
}
Sample API Request using the JWT Token for API Authentication and its sample response
API Request
curl -X GET '<qualys_base_url>/csapi/v1.3/containers?pageNumber=1&pageSize=50&sort=created%3Adesc' \
--header 'Authorization: Bearer <access_token from above response>' \
--header 'Content-Type: application/json'
API Response
{
"data": [
"imageId": "b798104c002a",
"created": "1721713977000",
"updated": "1721714109665",
"sha":
"d838bcb622a003b767ace31039475f37a5d34f093f8de82a71536f3fcfcb839e",
"uuid": "051a684a-9bad-3cb1-bf28-91084ee6e024",
"name": "test-vul-propogation",
"host": null,
"state": "DELETED",
"imageUuid": "fbdc0a10-7186-3439-8712-2db20df179e6",
"containerId": "d838bcb622a0",
"stateChanged": "1721714102790",
"lastVmScanDate": null,
"isRoot": null,
"vulnerabilities": {
"severity5Count": null,
"severity3Count": null,
"severity4Count": null,
"severity1Count": null,
"severity2Count": null
},
"exceptions": null,
{
"riskScore": 258,
"riskScoreCalculatedDate": "1723567125904",
"formulaUsed": "MIN (1000 , 2 * ( 1.0 * 64.70 * Pow(10,0.01) + 0.6 * 60.04 * Pow(26,0.01) + 0.4 * 44.35 * Pow(147,0.01) + 0.2 * 36.20 *Pow(5,0.01) ))",
"maxQdsScore": 95,
"qdsSeverity": "CRITICAL",
}
"scanTypes": null,
"cluster":
{
"name": "kubernetes-admin",
"uid": "bdc0d232-38af-46f9-b188-06cb61c928af"
},
"criticality": 3,
"criticalityUpdated": "1717098843553",
"compliance": {
"failCount": 0,
"passCount": 0,
"errorCount": 0
},
"lastComplianceScanDate": null
},
],
"count": 1
}