Configure the Plugin
Configure the plugin using the following steps.
- Navigate to the Actions menu > Configure plan.
- Select Scan web applications with Qualys WAS task type.
- From the configuration form, describe the task.
- Go to the Qualys API Credentials section.
- This step confirms that Bamboo can communicate to the Qualys Cloud Platform via the WAS API. You need valid account credentials to access an active Qualys WAS subscription.
The account must have API access enabled and a role assigned with all necessary permissions. Qualys recommends using a service account restricted to API access only (no UI access) and having the least privileges possible
- Select the Qualys platform or portal where your Qualys account resides. When you select the platform, it shows you the API server URL.
-
Enter your account credentials: API username and password to authenticate the WAS API server.
Your selection depends on the Qualys platform your organization is using. Learn more.
- If your Bamboo instance does not have direct Internet access and a proxy is required, click the Use Proxy Settings checkbox and enter the required information.
- Click the Test Connection button. Assuming you have selected the correct platform for your subscription and the valid credentials, you can see the message Connection test successful!.
If your Qualys account resides on a private cloud platform, select Private Cloud Platform as your Qualys cloud platform and specify the API server URL and your account credentials to access the API.
- Select the web application in Qualys WAS that you wish to scan.
- By default, the WAS scan name is:
[plan_name]_bamboo_build_[build_no] + timestamp
You can edit the scan name, but a timestamp is automatically be appended regardless.
You can choose to run a Discovery scan or Vulnerability scan. The default is Vulnerability scan.
- Configure Optional Scan parameters.
Authentication Record – You can choose to run the scan without authentication (the default) but keep in mind the scanner is not be able to log into the web application and test the authenticated surface area of the application in that case. You may instead want to select Use Default, in which case the default authentication record for the web app in WAS (if any) is used. Optionally, you can also select the Other option and choose a specific authentication record ID if desired.
Option Profile – The option profile contains the various scan settings, such as the vulnerability types that should be tested (detection scope), scan intensity, error thresholds, and more. Selecting Use Default is using the default option profile for the web app in WAS. This is the recommended setting; however, you can also select the Other option and choose a specific profile ID if desired.
Cancel Options – The default is not to cancel the scan, in which case the scan runs to completion. However, you can cancel the scan after a set number of hours.
You may not get any results if the scan is canceled before finishing.
- Configure the pass or fail criteria for a build.
- Set conditions to fail a build by
- Vulnerability Severity.
- Qualys WAS Vulnerability Identifiers (QIDs).
To fail the build by vulnerability severity, specify the count of vulnerabilities for one or more severity types. A build can fail if, in scan results, the number of detections exceeds the number specified for one or more severity types. For example, to fail a build if the severity 5 vulnerabilities count is more than 2, select the Fail with more than severity 5 option and specify 2.
You can the fail build if the plugin initiates the scan but the WAS module cannot complete it due to issues such as scanners not being found, or if any of these conditions are satisfied, then the build has failed.
Qualys severity 5 rating is the most dangerous vulnerability while severity 1 is the least.
- To fail a build by QIDs, select By Qualys WAS Vulnerability Identifiers (QIDs) option and specify one or more QIDs.
- Configure scan status polling frequency and timeout duration for the scan.
In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan status data and the timeout duration for a running scan.
- Click Save to save the Web application scanning configurations.