Configure the Plugin for Pipeline Projects

To configure the plugin from Pipeline projects, perform the following steps:

  1. Open your application’s pipeline project and click Pipeline Syntax to enter the Snippet Generator.

  2. Select qualysWASScan: Scan web applications with Qualys WAS from the drop-down menu.

Now, you are ready to configure the plugin.

Prerequisites for Configuration

The following prerequisites must be met to configure the plugin:

  • Must have proper communication from Jenkins to the Qualys Cloud Platform via the WAS API.
  • Must have valid account credentials for an active Qualys WAS subscription.
  • Must have API access enabled and a role assigned with all necessary permissions to the account.
  • Must use a service account restricted to API access only (no UI access) and have the fewest privileges possible.

Configuration

  1. Select the Qualys platform where your Qualys account resides and your account credentials to authenticate to the WAS API server.
  2. Use the Add button to add the new user's account credentials in the Jenkins store.

    Once added, the credentials are listed in the 'Credentials' section. 

     What you select here depends on the Qualys platform your organization is using. Refer to Identify your Qualys Platform to learn more.

  3. If your Jenkins instance does not have direct Internet access and requires a proxy, click the Use Proxy Settings checkbox and enter the required information.

  4. Click the Test Connection button. If you have selected the correct platform for your subscription and entered valid credentials, the message "Connection test successful" is displayed.

     If your Qualys account resides on a private cloud platform, select Private Cloud Platform as your Qualys cloud platform, and specify the API server URL and your account credentials to access the API.

  5. Select the web application in Qualys WAS that you wish to scan.

    By default, the WAS scan name is:

    [job_name]_jenkins_build_[build_number] + timestamp

    You can edit the scan name, but a timestamp is automatically appended regardless.

    You can choose to run a Discovery scan or a Vulnerability scan. The default is a Vulnerability scan.

  6. Configure optional scan parameters.

    Authentication Record – You can choose to run the scan without authentication (the default), but keep in mind that in that case the scanner will not be able to log into the web application and test its authenticated surface area. You may instead want to select 'Use Default', in which case the default authentication record for the web app in WAS (if any) is used. Optionally, you can also select the Other option and choose a specific authentication record ID if desired.

    Option Profile – The option profile contains the various scan settings such as the vulnerability types that should be tested (detection scope), scan intensity, error thresholds, and so on. Selecting 'Use Default' uses the default option profile for the web app in WAS. This is the recommended setting; however, you can also select the Other option and choose a specific profile ID if desired.

    Cancel Options – The default is not to cancel the scan, in which case the scan runs to completion. However, you can cancel the scan after a set number of hours.

     You may not get any results if the scan is canceled before finishing.

  7. Configure the pass/fail criteria for a build, scan status polling frequency, and scan timeout duration.

  8. Configure the scan pass/fail criteria to fail a build job.

    Build Failure Condition

    You can set conditions to fail a build by:

    1. Vulnerability Severity
    2. Qualys WAS Vulnerability Identifiers (QIDs)

    You may also choose to fail the build if the plugin initiates the scan but the WAS module cannot complete it due to issues such as scanners not being found. If any of these conditions is satisfied, the build fails.

    To fail the build by vulnerability severity, specify the count of vulnerabilities for one or more severity types. A build fails if, in the scan results, the number of detections exceeds the number specified for one or more severity types. For example, to fail a build if the count of severity 5 vulnerabilities is more than 2, select the 'Fail with more than severity 5' option and specify 2.

     A Qualys severity '5' rating is the most dangerous vulnerability while severity '1' is the least.

    Similarly, to fail a build by QIDs, select the 'Fail with any of these QIDs' check box and specify one or more QIDs.

    In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan status data and the timeout duration for a running scan.

  9. Click Generate Pipeline Script.

    This is your pipeline snippet for launching a WAS scan.

The pipeline snippet is now ready to be plugged into your pipeline script.
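The following is an added example, not code from the Qualys plugin, that models the build failure conditions and the polling/timeout settings described in step 8 above, so you can see how the severity limits, QID list and incomplete-scan option combine to pass or fail a build. The status names, function names and sample QIDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

TERMINAL_STATUSES = {"FINISHED", "CANCELED", "ERROR"}  # assumed status names


@dataclass
class FailureCriteria:
    # severity -> limit; the build fails when detections at that severity
    # number MORE THAN the limit ('Fail with more than severity N')
    severity_limits: dict = field(default_factory=dict)
    # 'Fail with any of these QIDs': presence of any listed QID fails the build
    fail_qids: set = field(default_factory=set)
    # fail when WAS could not complete the scan (e.g. no scanner found)
    fail_on_incomplete_scan: bool = True


def scan_name(job_name: str, build_number: int, timestamp: str) -> str:
    """Default WAS scan name: [job_name]_jenkins_build_[build_number] + timestamp."""
    return f"{job_name}_jenkins_build_{build_number}_{timestamp}"


def poll_scan(statuses, polling_minutes: int, timeout_minutes: int) -> str:
    """Consume one status per poll until a terminal status or the timeout.
    `statuses` stands in for successive WAS status answers (constructed)."""
    elapsed = 0
    for status in statuses:
        if status in TERMINAL_STATUSES:
            return status
        elapsed += polling_minutes
        if elapsed >= timeout_minutes:
            break
    return "TIMEOUT"


def evaluate_build(scan_status: str, findings, criteria: FailureCriteria):
    """Apply the documented conditions. findings: list of (qid, severity).
    Returns (passed, reasons); any reason fails the build."""
    reasons = []
    if scan_status != "FINISHED" and criteria.fail_on_incomplete_scan:
        reasons.append(f"scan did not complete (status {scan_status})")
    # An incomplete scan with fail_on_incomplete_scan=False may carry no
    # results at all, so the checks below then pass vacuously.
    counts = {}
    for _qid, sev in findings:
        counts[sev] = counts.get(sev, 0) + 1
    for sev, limit in sorted(criteria.severity_limits.items(), reverse=True):
        if counts.get(sev, 0) > limit:
            reasons.append(f"{counts[sev]} severity-{sev} detections exceed {limit}")
    hit = sorted({qid for qid, _ in findings} & criteria.fail_qids)
    if hit:
        reasons.append(f"flagged QIDs present: {hit}")
    return (not reasons, reasons)
```

With `severity_limits={5: 2}`, three severity 5 detections fail the build while two pass, matching the worked example in step 8.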

Next Step

Configure the Plugin for Freestyle Projects