Configure the Plugin

Using the following steps, configure the plugin.

  1. Go to your project in TeamCity.
  2. Click the Add Build step.

    Add build Step

  3. Select Scan web applications with Qualys WAS from the drop-down menu.

    Choose Task

    Now, you are ready to configure the plugin.

  4. Provide a name for the build step, then go to the Qualys API Credentials section.

    This step confirms that TeamCity can communicate with the Qualys Cloud Platform via the WAS API.

    You need valid account credentials for an active Qualys WAS subscription. The account must have API access enabled and a role assigned with all necessary permissions. Qualys recommends using a service account restricted to API access only (no UI access) and having the least privileges possible.

  5. Select the Qualys platform or portal where your Qualys account resides. When you select the platform, it shows you the API server URL.
  6. Enter your account credentials (API username and password) to authenticate to the WAS API server.

     Here, selections depend on the Qualys platform your organization uses.

  7. If your TeamCity instance does not have direct Internet access and requires a proxy, click the Use Proxy Settings checkbox and enter the required information.

    Qualys API Credentials

  8. Click the Test Connection button. If you have selected the correct platform for your subscription and entered valid credentials, the message Connection test successful! appears.

     If your Qualys account resides on a private cloud platform, select Private Cloud Platform as your Qualys cloud platform, and specify the API server URL and your account credentials to access the API.

    PCP API Credentials

  9. Select the web application that you wish to scan in Qualys WAS.

    Launch Scan API Parameters

  10. By default, the WAS scan name is:

    [job_name]_teamcity_build_[build_number] + timestamp

    • You can edit the scan name, but a timestamp is automatically appended regardless.
    • You can choose to run a Discovery scan or a Vulnerability scan. The default is a Vulnerability scan.
  11. Configure optional scan parameters.

    Authentication Record

    You can run the scan without authentication (the default), but keep in mind that the scanner is then not able to log in to the web application and test the authenticated surface area of the application. You may instead want to select Use Default, in which case the default authentication record for the web app in WAS (if any) is used. Optionally, you can also select the Other option and choose a specific authentication record ID if desired.

    Option Profile

    The option profile contains the various scan settings, such as the vulnerability types that should be tested (detection scope), scan intensity, error thresholds, and many more. Selecting Use Default uses the default option profile for the web app in WAS. This is the recommended setting; however, you can also select the Other option and choose a specific option profile ID if desired.

    Cancel Options

    The default is not to cancel the scan, in which case the scan runs to completion. However, you can cancel the scan after a set number of hours.

    You may not get any results if the scan is canceled before finishing.

  12. Configure the pass or fail criteria for a build.

    Fail Conditions

    You can set conditions to fail a build by:

    • Vulnerability Severity
    • Qualys WAS Vulnerability Identifiers (QIDs)

    You may also choose to fail the build when the plugin initiates the scan but the WAS module cannot complete it due to some issue, such as scanners not being found.

    To fail the build by vulnerability severity, specify the count of vulnerabilities for one or more severity types. A build can fail if, in scan results, the number of detections exceeds the number specified for one or more severity types. For example, to fail a build if the severity 5 vulnerabilities count is more than 2, select the Fail with more than severity 5 option and specify 2.

    Qualys severity 5 is the most dangerous rating, while severity 1 is the least.

    Similarly, to fail a build by QIDs, select the Fail with any of these QIDs check box and specify one or more QIDs.

  13. Configure scan status polling frequency and timeout duration for the scan.

    Time out Settings

    In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan status data and the timeout duration for a running scan.

  14. Click Save to save the Web application scanning configurations.
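
The pass or fail conditions from step 12, written out as an added example (this is not the plugin's own code). It shows that "more than N" is a strict comparison and that an incomplete scan fails the build only when that option is selected. The function and field names, the status strings and the sample QIDs are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FailCriteria:
    # severity (1-5) -> limit; the build fails when the count is MORE THAN the limit
    severity_limits: dict = field(default_factory=dict)
    fail_qids: set = field(default_factory=set)   # fail if any of these QIDs is detected
    fail_on_incomplete_scan: bool = False         # fail if WAS could not complete the scan


def evaluate_build(findings, scan_status, criteria):
    """Return (passed, reasons) for a list of {"qid": int, "severity": int} findings."""
    reasons = []
    if scan_status != "FINISHED":  # status strings are assumed for this sketch
        # No usable results: only the "scan could not complete" condition applies.
        if criteria.fail_on_incomplete_scan:
            reasons.append(f"scan did not complete (status={scan_status})")
        return not reasons, reasons

    counts = Counter(f["severity"] for f in findings)
    for sev, limit in sorted(criteria.severity_limits.items(), reverse=True):
        if counts[sev] > limit:  # strictly greater: "more than N"
            reasons.append(f"severity {sev}: {counts[sev]} detections, limit {limit}")

    hits = sorted({f["qid"] for f in findings} & set(criteria.fail_qids))
    if hits:
        reasons.append(f"blocked QIDs detected: {hits}")
    return not reasons, reasons


# Constructed sample results; the QIDs are placeholder values chosen for illustration.
SAMPLE_FINDINGS = [
    {"qid": 900001, "severity": 5},
    {"qid": 900001, "severity": 5},
    {"qid": 900002, "severity": 5},
    {"qid": 900003, "severity": 3},
]

if __name__ == "__main__":
    gate = FailCriteria(severity_limits={5: 2}, fail_qids={900003})
    passed, why = evaluate_build(SAMPLE_FINDINGS, "FINISHED", gate)
    print("PASS" if passed else "FAIL", why)
```

With a severity 5 limit of 2, the three severity 5 detections in the sample fail the build; raising the limit to 3 lets the same results pass.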

Next Step

Qualys WAS Scan Status