Configure Plugin for Build Pipelines Projects
You can use this Qualys Web App Scanning Connector extension as a predeployment task in your project pipeline.
After installing the Qualys Web App Scanning Connector, you can see this plugin as a task in your pipeline.
Add Plugin
Perform the following steps to add the plugin:
- Click Add under your agent job in the Tasks tab, and search for Scan Web Application with Qualys WAS.
- Click Add to add the plugin as a task in the build pipeline. You can see the task under the agent job.
- Click the task to configure the plugin.
- Enter the Display name. Then, configure the WAS service endpoint.
Connect WAS APIs
You need to configure the service endpoint with a Qualys account and proxy (if required) on your Azure DevOps instance for the organization in which the Qualys Web App Scanning Connector is installed.
Perform the following steps to configure the service endpoint:
- Go to WAS service/server endpoint field and click New.
- In the New service connection screen, enter the Qualys API server URL where your Qualys WAS account resides.
- Enter your account credentials for authenticating to the WAS API server.
- Provide a Service connection name to the new connection.
- Click Save.
Once added, the WAS service endpoint is listed in the 'WAS service/server endpoint' drop-down field.
What you select here depends on the Qualys platform your organization is using. Provide the 'qualysapi' URL specific to your platform as the 'API Server URL'.
If your Azure DevOps instance does not have direct Internet access and requires a proxy, select the 'Use Proxy Settings' check box and enter the proxy server information.
Note: If your Qualys account resides on a private cloud platform, specify the API server URL of your Private Cloud Platform as your 'API Server URL' and your account credentials to access the API.
Launch Scan API Parameters
Next, assuming you have selected the correct platform for your subscription and provided valid credentials, the plugin fetches all the web applications from your Qualys account. Select the web application that you want to scan.
By default, the WAS scan name is:
$(DefinitionName)_azureDevOps_$(ID)+ timestamp
You can edit the existing scan name, but a timestamp is appended automatically regardless.
If you are using plugin version 1.0.0, then the default WAS scan name is:
[Build.DefinitionName]_azureDevOps_build_[Build.BuildID] + timestamp
After upgrading your plugin version, you can continue using this format for your existing build pipeline projects or choose the new format.
You can choose to run a Discovery scan or a Vulnerability scan. The default is the Vulnerability scan.
Optional Parameters
Next, configure optional scan parameters.
- Authentication Record – You can choose to run the scan without authentication (the default) but keep in mind the scanner is not able to log into the web application and test the authenticated surface area of the application in that case. You may instead want to select 'Use Default,' in which case we use the default authentication record for the web app in WAS (if any). Optionally, you can also select the Other option and choose a specific authentication record ID if desired.
- Option Profile – The option profile contains the various scan settings, such as the vulnerability types that should be tested (detection scope), scan intensity, error thresholds, etc. Selecting 'Use Default' uses the default option profile for the web app in WAS. This is the recommended setting; however, you can also select the Other option and choose a specific option profile ID if desired.
- Cancel Options – The default is not to cancel the scan, in which case it runs to completion. However, you can cancel it after a set number of hours.
You may not get any results if you cancel a running scan.
Next, configure the pass/fail criteria for a build, scan status polling frequency, and scan timeout duration.
Build Failure Conditions
Configure the scan pass/fail criteria to fail a build job.
You can set conditions to fail a build by:
- Vulnerability Severity - To fail the build by vulnerability severity, specify the count of vulnerabilities for one or more severity types. A build fails if the number of detections exceeds the number specified for one or more severity types in scan results. For example, to fail a build if the severity 5 vulnerabilities count is more than 2, select the 'Fail with more than severity 5' option and specify 2.
A Qualys severity '5' rating is the most dangerous vulnerability while severity '1' is the least.
- Qualys WAS Vulnerability Identifiers (QIDs) – To fail a build by QIDs, select the 'Fail with any of these QIDs' check box and specify a comma-separated list of QIDs or range of QIDs.
- You may also choose to fail the build if the plugin initiates the scan but the WAS module could not complete it due to some issue, such as no scanner being found. If any of these three conditions is satisfied, the build fails.
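To make the three pass/fail rules concrete, here is an added example (not the connector's own code) that evaluates a constructed scan result against the per-severity limits, the comma-separated QID list or ranges, and the incomplete-scan condition. The result field names and the 'FINISHED' status value are assumptions for illustration, not the WAS API's.

```python
from dataclasses import dataclass, field

@dataclass
class FailureCriteria:
    # {severity: max_allowed}; the build fails when detections EXCEED the number given
    severity_limits: dict = field(default_factory=dict)
    # comma-separated QIDs or QID ranges, as entered in 'Fail with any of these QIDs'
    fail_qids: str = ""
    # fail if the scan was launched but WAS could not complete it
    fail_on_incomplete_scan: bool = True

def parse_qid_spec(spec):
    """Expand '150001, 150010-150012' into a set of QIDs; reject malformed entries."""
    qids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"invalid QID range: {part!r}")
            qids.update(range(lo, hi + 1))
        else:
            qids.add(int(part))
    return qids

def evaluate_build(scan, criteria):
    """Apply the three failure conditions; return (passed, reasons)."""
    reasons = []
    if scan["status"] != "FINISHED":  # status value is an assumption, not the WAS API's
        if criteria.fail_on_incomplete_scan:
            reasons.append(f"scan did not complete (status {scan['status']})")
        return not reasons, reasons  # an incomplete scan has no results to evaluate
    counts = {}
    for det in scan["detections"]:
        counts[det["severity"]] = counts.get(det["severity"], 0) + 1
    for sev, limit in sorted(criteria.severity_limits.items(), reverse=True):
        if counts.get(sev, 0) > limit:
            reasons.append(f"{counts[sev]} severity-{sev} detections, limit is {limit}")
    blocked = parse_qid_spec(criteria.fail_qids)
    hits = sorted({det["qid"] for det in scan["detections"]} & blocked)
    if hits:
        reasons.append(f"blocked QIDs detected: {hits}")
    return not reasons, reasons

# Constructed sample scan result (not real Qualys output): three sev-5 and one sev-3 finding
SAMPLE_SCAN = {"status": "FINISHED", "detections": [
    {"qid": 150001, "severity": 5}, {"qid": 150002, "severity": 5},
    {"qid": 150003, "severity": 5}, {"qid": 150022, "severity": 3}]}
```

With `severity_limits={5: 2}` the sample fails because three severity-5 detections exceed the limit of 2, matching the page's worked example.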
Timeout Settings
In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan status data and the timeout duration for a running scan.
Next, save the configuration and click Queue to run the pipeline.