Configure the Plugin
Configure the plugin using the following steps.
- Navigate to the Actions menu > Configure plan.
- Select Scan web applications with Qualys WAS task type.

- From the configuration form, describe the task.
- Go to the Qualys API Credentials section.
- This step confirms that Bamboo can communicate with the Qualys Enterprise TruRisk™ Platform via the WAS API. You need valid account credentials to access an active Qualys WAS subscription.
The account must have API access enabled and a role assigned with all necessary permissions. Qualys recommends using a service account restricted to API access only (no UI access) and having the least privileges possible.
Enter the API login information here (select Use Proxy to provide proxy information).
Authentication Mechanism
The Qualys application supports the following authentication methods:
Configure OIDC Authentication
Use this method if your Qualys environment is configured for OpenID Connect with a Client ID and Client Secret.
Perform the following steps:
- From the Authentication Type, select OAuth.
- Provide the following required fields:
- Qualys client id: Enter the Client ID received from your Qualys OIDC configuration.
- Qualys client secret: Enter the corresponding Client Secret.
Configure Basic Authentication
Use this method if your Qualys setup uses a standard username and password.
Perform the following steps:
- From the Authentication Type, select Basic.
- Provide the following required fields:
- API User: The Qualys username used for API access.
- API Password: The password for the above username.
- Enter the Qualys Portal in the text field, where your Qualys account resides.
- Enter your account credentials (API username and password) to authenticate to the WAS API server.
- If your Bamboo instance does not have direct Internet access and a proxy is required, click Use Proxy Settings checkbox, and enter the required information.

- Click Test Connection. Assuming you have selected the correct platform for your subscription and provided valid credentials, you will see the message 'Connection test successful!'.
In the previous version of the plugin, the Your Qualys Portal field is a dropdown rather than a text field.
- Select the web application in Qualys WAS that you wish to scan.

- By default, the WAS scan name is:
[plan_name]_bamboo_build_[build_no] + timestamp
You can edit the scan name, but a timestamp is automatically appended regardless.
You can choose to run a Discovery scan or Vulnerability scan. The default is Vulnerability scan.
- Configure Optional Scan parameters.

Authentication Record – You can choose to run the scan without authentication (the default), but keep in mind that in that case the scanner will not be able to log into the web application and test its authenticated surface area. You may instead want to select Use Default, in which case the default authentication record for the web app in WAS (if any) is used. Optionally, you can also select the Other option and choose a specific authentication record ID if desired.
Option Profile – The option profile contains the various scan settings, such as the vulnerability types that should be tested (detection scope), scan intensity, error thresholds, and more. Selecting Use Default uses the default option profile for the web app in WAS. This is the recommended setting; however, you can also select the Other option and choose a specific profile ID if desired.
Cancel Options – The default is not to cancel the scan, in which case the scan runs to completion. However, you can cancel the scan after a set number of hours.
You may not get any results if the scan is canceled before finishing.
- Configure the pass or fail criteria for a build.

- Set conditions to fail a build by
- Vulnerability Severity.
- Qualys WAS Vulnerability Identifiers (QIDs).
To fail the build by vulnerability severity, specify the count of vulnerabilities for one or more severity types. A build can fail if, in scan results, the number of detections exceeds the number specified for one or more severity types. For example, to fail a build if the severity 5 vulnerabilities count is more than 2, select the Fail with more than severity 5 option and specify 2.
You can also fail the build if the plugin initiates the scan but the WAS module cannot complete it, for example because no scanner was found. If any of the configured conditions is satisfied, the build fails.
A Qualys severity 5 rating is the most dangerous vulnerability, while severity 1 is the least.
- To fail a build by QIDs, select By Qualys WAS Vulnerability Identifiers (QIDs) option and specify one or more QIDs.
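The following Python example is added here to show how the pass/fail conditions above combine when applied to a scan result; it is not code from the plugin, and the detection records, status strings and field names it uses are constructed assumptions. It fails a build when the detection count for a severity exceeds its configured limit, when any listed QID is present, or when the scan never reached a finished state.

```python
from dataclasses import dataclass, field

# Constructed sample of WAS scan detections (QID and severity only);
# this is illustrative data, not output from a real Qualys scan.
SAMPLE_DETECTIONS = [
    {"qid": 150001, "severity": 5},
    {"qid": 150012, "severity": 5},
    {"qid": 150012, "severity": 5},
    {"qid": 150046, "severity": 3},
    {"qid": 150022, "severity": 1},
]


@dataclass
class FailCriteria:
    """Build-failure conditions mirroring the plugin's configuration form.

    max_by_severity maps a severity (1-5) to the highest count that still
    passes; {5: 2} corresponds to "Fail with more than severity 5: 2".
    fail_qids holds QIDs whose presence alone fails the build.
    fail_if_scan_incomplete fails the build when WAS could not finish the
    scan the plugin launched (for example, no scanner available).
    """
    max_by_severity: dict = field(default_factory=dict)
    fail_qids: set = field(default_factory=set)
    fail_if_scan_incomplete: bool = True


def count_by_severity(detections):
    """Return a dict severity -> number of detections at that severity."""
    counts = {sev: 0 for sev in range(1, 6)}
    for det in detections:
        counts[det["severity"]] += 1
    return counts


def evaluate_build(detections, scan_status, criteria):
    """Return (passed, reasons) for one scan.

    scan_status is the final WAS scan status; "FINISHED" is the only value
    treated as a completed scan here (an assumption for this example).
    """
    reasons = []

    # A scan that never completed may carry no results at all, so decide
    # on the status before looking at detection counts.
    if scan_status != "FINISHED" and criteria.fail_if_scan_incomplete:
        reasons.append(f"scan did not complete (status: {scan_status})")
        return False, reasons

    counts = count_by_severity(detections)
    for sev in sorted(criteria.max_by_severity, reverse=True):
        limit = criteria.max_by_severity[sev]
        if counts[sev] > limit:
            reasons.append(
                f"{counts[sev]} severity-{sev} detections exceed the limit of {limit}"
            )

    flagged = sorted({det["qid"] for det in detections} & set(criteria.fail_qids))
    if flagged:
        reasons.append(f"blocked QIDs detected: {flagged}")

    return (not reasons), reasons


if __name__ == "__main__":
    criteria = FailCriteria(max_by_severity={5: 2}, fail_qids={150046})
    passed, reasons = evaluate_build(SAMPLE_DETECTIONS, "FINISHED", criteria)
    print("PASS" if passed else "FAIL")
    for reason in reasons:
        print(" -", reason)
```

Note that the severity limit is "more than", so a limit of 2 still passes with exactly two severity-5 detections, and the QID list is checked independently of severity, so a low-severity finding can still block the build if its QID is listed.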
- Configure scan status polling frequency and timeout duration for the scan.

In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan status data and the timeout duration for a running scan.
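As an added illustration of how polling frequency and timeout interact, the Python below (example code, not the plugin's own) polls a status source at the configured interval and stops either on a terminal status or when the timeout elapses. The status names, the stubbed status source and the fake clock are assumptions made so the loop can be exercised without a live WAS API or real waiting.

```python
import time

# Statuses treated as terminal; the names are assumed for this example.
TERMINAL_STATUSES = {"FINISHED", "ERROR", "CANCELED"}


def wait_for_scan(get_status, poll_minutes, timeout_minutes,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll get_status() every poll_minutes until a terminal status or timeout.

    Returns the terminal status, or "TIMEOUT" when timeout_minutes elapse
    first. sleep and clock are injectable so the loop can be tested offline.
    """
    deadline = clock() + timeout_minutes * 60
    while True:
        status = get_status()
        if status in TERMINAL_STATUSES:
            return status
        if clock() >= deadline:
            return "TIMEOUT"
        # Never sleep past the deadline, so a timeout is reported promptly
        # even when the polling interval is longer than the time remaining.
        sleep(min(poll_minutes * 60, deadline - clock()))


def make_status_sequence(statuses):
    """Constructed stand-in for a WAS status call: yields the given statuses
    in order and then keeps returning the last one."""
    seq = list(statuses)

    def get_status():
        return seq.pop(0) if len(seq) > 1 else seq[0]

    return get_status


class FakeClock:
    """Simulated clock so sleeping advances time instantly in tests."""

    def __init__(self):
        self.now = 0.0

    def clock(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    fake = FakeClock()
    source = make_status_sequence(["SUBMITTED", "RUNNING", "FINISHED"])
    result = wait_for_scan(source, poll_minutes=5, timeout_minutes=60,
                           sleep=fake.sleep, clock=fake.clock)
    print(f"scan ended with {result} after {fake.now / 60:.0f} simulated minutes")
```

A short polling interval reports a finished scan sooner but issues more API calls; the timeout bounds how long the build waits, and a "TIMEOUT" result should be treated like an incomplete scan when deciding pass or fail.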
- Click Save to save the Web application scanning configurations.