Introduction

Qualys Web Application Scanning (WAS) is a cloud-based web application security product. WAS continuously monitors, detects, and reports the web applications and APIs against threats like vulnerabilities, misconfigurations, and web malware.

The Qualys GitHub Actions for Web Application Scanning (WAS) allows DevOps teams to build application vulnerability scans into their existing CI/CD processes. By integrating web application scans in this manner, application security testing is accomplished earlier in the Software Development Life Cycle (SDLC) to catch and eliminate security flaws.

GitHub Actions triggers the web application scanning process when you run a workflow in your GitHub repository. The input parameters submitted in the workflow through .yaml/.yml file control the scan and allow you to configure the workflow as per your requirement.

Features of GitHub Actions for WAS

Qualys GitHub Actions for WAS provides you following features:

• Launch feature that allows you to control the scan process with input parameters and launch the scan as per your requirements.
• An option to set build pass/fail criteria based on the severity level of vulnerabilities using input parameters.
• Scan results are generated in JSON file and uploaded as an artifact in your repository.
• An option to wait for the scan result. This allows you to choose whether to wait for the scan result or pass the build immediately.
• The scan result URL is provided in the scan log. This URL redirects you to the Qualys WAS UI to see the scan results.

Workflow

The workflow of Qualys GitHub Actions for WAS involves:

1. Configure Environment Parameter
2. Configure GitHub Actions
3. Generate and Download Scan Result