Set Build Pass/Fail Criteria

The Qualys GitHub Action for WAS lets you set build fail criteria based on the severity level of the vulnerabilities found and on scan errors, using input parameters. When the values found during the scan match the input values, the build fails. You set the input parameter values in your GitHub workflow. For workflow samples, refer to Trigger Scan.

For more details, refer to Configure Environment Parameter.

Vulnerability Severity Level Failure Condition

The SEVERITY_LEVEL parameter checks the severity of the vulnerabilities found. When a vulnerability with severity equal to or greater than the value specified in the parameter is found during the scan, the build fails.

For example, if you set SEVERITY_LEVEL to '3' and a vulnerability of severity level 3 or higher is found during the scan, the build fails because of the severity level.

In Qualys, a vulnerability of severity '1' is considered the least harmful and a vulnerability of severity '5' the most harmful.

You can exclude QIDs from the severity level check using the EXCLUDE parameter. Provide a comma-separated list of QIDs as the parameter value; these QIDs are skipped during the severity check.

Fail on Scan Error

Set FAIL_ON_SCAN_ERROR to true to fail the build when the scan ends in an error, that is, when the plugin initiates the scan but the WAS application cannot complete it for some reason, such as no scanner being found. If you don't want the build to fail because of a scan error, set FAIL_ON_SCAN_ERROR to false.
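The following is an added example, not Qualys' own code, that models how the three parameters described above (SEVERITY_LEVEL, EXCLUDE and FAIL_ON_SCAN_ERROR) combine into a pass/fail decision. The Finding and ScanResult types, the scan status strings, and the QID values are all constructed for illustration; the real action reads its results from the WAS API. The one behaviour not spelled out on this page, and assumed here, is that when FAIL_ON_SCAN_ERROR is false and the scan did not complete, the build passes because there are no findings to check.

```python
# Added example: a model of the Qualys WAS GitHub Action pass/fail criteria.
# Not Qualys' code; the data types, status values and QIDs are constructed.
from dataclasses import dataclass, field


@dataclass
class Finding:
    qid: int       # Qualys ID of the detection (sample values below are constructed)
    severity: int  # 1 (least harmful) .. 5 (most harmful)


@dataclass
class ScanResult:
    status: str                      # constructed: "FINISHED" or "ERROR"
    findings: list = field(default_factory=list)


def parse_exclude(value: str) -> set:
    """Parse the comma-separated EXCLUDE parameter into a set of QIDs.
    Whitespace around entries and empty entries are tolerated."""
    return {int(q) for q in value.split(",") if q.strip()}


def evaluate_build(result: ScanResult, severity_level: int, exclude: str = "",
                   fail_on_scan_error: bool = True) -> tuple:
    """Return (passed, reasons) for one scan.

    passed  -- True when the build should pass
    reasons -- human-readable list of why it failed (empty when it passed)
    """
    if not 1 <= severity_level <= 5:
        raise ValueError("SEVERITY_LEVEL must be between 1 and 5")

    reasons = []

    # Fail on scan error: the scan was started but WAS could not complete it.
    if result.status != "FINISHED":
        if fail_on_scan_error:
            reasons.append(f"scan did not complete (status={result.status})")
            return False, reasons
        # Assumption: an ignored scan error leaves nothing to check, so pass.
        return True, reasons

    # Severity check: any non-excluded finding at or above the threshold fails.
    excluded = parse_exclude(exclude)
    for f in result.findings:
        if f.qid in excluded:
            continue
        if f.severity >= severity_level:
            reasons.append(
                f"QID {f.qid} has severity {f.severity} >= SEVERITY_LEVEL {severity_level}")

    return (len(reasons) == 0), reasons


# Constructed sample scan: three findings, one at each of severities 2, 3 and 5.
SAMPLE_SCAN = ScanResult("FINISHED", [
    Finding(qid=100001, severity=2),
    Finding(qid=100002, severity=3),
    Finding(qid=100003, severity=5),
])
SAMPLE_ERROR_SCAN = ScanResult("ERROR")


if __name__ == "__main__":
    for label, scan, level, excl, foe in [
        ("severity 3, nothing excluded", SAMPLE_SCAN, 3, "", True),
        ("severity 3, QIDs 100002,100003 excluded", SAMPLE_SCAN, 3, "100002, 100003", True),
        ("scan error, FAIL_ON_SCAN_ERROR=true", SAMPLE_ERROR_SCAN, 3, "", True),
        ("scan error, FAIL_ON_SCAN_ERROR=false", SAMPLE_ERROR_SCAN, 3, "", False),
    ]:
        passed, why = evaluate_build(scan, level, excl, foe)
        print(f"{label}: {'PASS' if passed else 'FAIL'} {why}")
```

Running the block prints one line per scenario; the second scenario passes only because both findings at or above the threshold are listed in EXCLUDE, while the remaining severity 2 finding stays below SEVERITY_LEVEL 3.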