Get IaC Scan Results

Use the scanUuid returned by the Trigger scan API to fetch scan results. Results can be fetched only after the IaC scan has completed. If you request them before the scan completes, the response carries a message describing the current state, for example "Scan is in a processing state".

GET /rest/v1/iac/scanResult?scanUuid=[id]

Input Parameters

Parameter        Mandatory/Optional   Data Type   Description
scanUuid         Mandatory            String      Unique identifier assigned to the IaC scan. The scanUuid is returned in the response of Trigger IaC scan.
responseFormat   Optional             String      Format in which the response is returned. You can choose from JSON, SARIF, and JUNITXML. By default, the response is returned in JSON format.

Note: If you specify SARIF format and the scan is not completed, the response is returned in JSON format. SARIF format is returned only for completed scans.

Sample - Trigger an IaC Scan (JSON)

API request

    
      curl -X GET
"https://<QualysBaseURL>/cloudview-api/rest/v1/iac/scanResult?scanUuid=337a21ef-3c53-43bf-aed6-46f04e1c542d" -H 'authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXX'
      

Response (JSON)

    
      {
    {
    "scanUuid": "337a21ef-3c53-43bf-aed6-46f04e1c542d",
    "scanDate": "2021-06-22T11:13:37.275+00:00",
    "name": "Sample_Scan",
    "status": "FINISHED",
    "tags": [],
    "result": [
        {
            "checkType": "terraform",
            "results": {
                "passedChecks": [
                    {
                        "checkId": "CKV_AWS_60",
                        "checkName": "Ensure IAM role allows only specific services or principals to assume it",
                        "criticality": "HIGH",
                        "cvControl": null,
                        "checkResult": {
                            "result": "PASSED",
                            "evaluatedKeys": []
                        },
                        "codeBlock": [
                            [
                                23,
                                "resource \"aws_iam_role\" \"dynamodb-dax-cluster-iam-role-fail\" {\n"
                            ],
                            [
                                24,
                                "  name               = \"dax-cluster-iam-role-fail\"\n"
                            ],
  
  
        
  ...
  
  
        
  "filePath": "/dynamodb.tfplan.json",
                            "repoFilePath": "/dynamodb.tfplan.json",
                            "resource": "aws_dynamodb_table.dynamodb-table-fail",
                            "callerFilePath": null,
                            "callerFileLineRange": null,
                            "remediation": "Ensure aws_dynamodb_table resource has enabled argument set to True for point_in_time_recovery object."
                        }
                    ],
                    "skippedChecks": [],
                    "parsingErrors": []
                },
                "summary": {
                    "passed": 5,
                    "failed": 3,
                    "failedStats": {
                        "high": 2,
                        "low": 1,
                        "medium": 0
                    },
                    "skipped": 0,
                    "parsingErrors": 0
                }
            }
        ]
    }
}
      


Error codes are now included in the response when you fetch IaC scan results, for troubleshooting purposes. Provide the error code to Qualys Support so that the issue can be traced.

Error Sample - Trigger an IaC Scan

API request

    
      curl -X GET
"https://<QualysBaseURL>/cloudview-api/rest/v1/iac/getScanList?filter=scanUuid:3010f375-084f-408f-9590-8a4692a5538c&pageNo=0&pageSize=80" -H 'authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXX'
      

Response

    
      {
    "scanUuid": "3010f375-084f-408f-9590-8a4692a5538c",
    "scanDate": "2021-09-23T12:09:35.283+00:00",
    "name": "text file",
    "status": "ERROR",
    "tags": [],
    "message": "INTERNAL ERROR",
    "errorCode": 70503
}
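The two behaviours described above, waiting for a scan to leave the processing state and refusing to treat an ERROR response (with its errorCode) as a clean result, are what a CI integration has to get right. The following is an added example of such a client, not Qualys code: it polls scanResult with a bounded number of attempts, sums the summary counts across every checkType, and gates the job on the HIGH/MEDIUM failure counts. The environment variable names (QUALYS_BASE_URL, QUALYS_USER, QUALYS_PASSWORD, SCAN_UUID), the polling budget, and the sample bodies are my own constructions; the JSON shape follows the page's sample responses, and the failed check's checkId is a placeholder because the page elides it.

```python
"""Poll /rest/v1/iac/scanResult until a scan is FINISHED or ERROR, then gate a
CI job on the failure counts. Added example, not Qualys code; the environment
variable names and polling budget are assumptions."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, Tuple

RESULT_PATH = "/cloudview-api/rest/v1/iac/scanResult"


def fetch_scan_result(base_url: str, scan_uuid: str, user: str, password: str,
                      timeout: float = 30) -> Dict:
    """One GET of scanResult?scanUuid=... with Basic auth, as in the page's curl."""
    query = urllib.parse.urlencode({"scanUuid": scan_uuid})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}{RESULT_PATH}?{query}",
                                 headers={"authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify(body: Dict) -> str:
    """FINISHED -> 'finished', ERROR -> 'error', anything else -> 'pending'
    (the page's "Scan is in a processing state" response has no FINISHED status)."""
    status = body.get("status")
    if status == "FINISHED":
        return "finished"
    if status == "ERROR":
        return "error"
    return "pending"


def wait_for_scan(fetch: Callable[[], Dict], attempts: int = 20, delay: float = 15,
                  sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Re-fetch until the scan is FINISHED or ERROR; bounded so a stuck scan
    cannot hang the pipeline. `sleep` is injectable for testing."""
    for _ in range(attempts):
        body = fetch()
        if classify(body) != "pending":
            return body
        sleep(delay)
    raise TimeoutError(f"scan still processing after {attempts} polls")


def aggregate_failures(body: Dict) -> Dict[str, int]:
    """Sum each checkType's summary so a multi-framework scan is gated as one."""
    totals = {"passed": 0, "failed": 0, "high": 0, "medium": 0, "low": 0}
    for entry in body.get("result", []):
        summary = entry.get("summary", {})
        totals["passed"] += summary.get("passed", 0)
        totals["failed"] += summary.get("failed", 0)
        for sev in ("high", "medium", "low"):
            totals[sev] += summary.get("failedStats", {}).get(sev, 0)
    return totals


def failed_checks(body: Dict) -> Iterator[Tuple[str, str, str, str]]:
    """(checkId, criticality, resource, remediation) for every failed check."""
    for entry in body.get("result", []):
        for chk in entry.get("results", {}).get("failedChecks", []):
            yield (chk.get("checkId"), chk.get("criticality"),
                   chk.get("resource"), chk.get("remediation"))


def gate(body: Dict, max_high: int = 0, max_medium: int = 0) -> bool:
    """True when the scan finished within policy. An ERROR scan raises, carrying
    the errorCode to quote to Qualys Support, so a broken scan never passes."""
    state = classify(body)
    if state == "error":
        raise RuntimeError(f"scan {body.get('scanUuid')} failed: "
                           f"{body.get('message')} (errorCode {body.get('errorCode')})")
    if state != "finished":
        return False
    totals = aggregate_failures(body)
    return totals["high"] <= max_high and totals["medium"] <= max_medium


# Constructed sample bodies, trimmed from the page's responses to the fields read
# above. The failed check's checkId is a placeholder; the page elides it.
SAMPLE_FINISHED = {
    "scanUuid": "337a21ef-3c53-43bf-aed6-46f04e1c542d", "status": "FINISHED",
    "result": [{"checkType": "terraform",
                "results": {"failedChecks": [{
                    "checkId": "CKV_PLACEHOLDER", "criticality": "HIGH",
                    "resource": "aws_dynamodb_table.dynamodb-table-fail",
                    "remediation": "Ensure aws_dynamodb_table resource has enabled "
                                   "argument set to True for point_in_time_recovery object."}]},
                "summary": {"passed": 5, "failed": 3,
                            "failedStats": {"high": 2, "low": 1, "medium": 0}}}]}
SAMPLE_ERROR = {"scanUuid": "3010f375-084f-408f-9590-8a4692a5538c", "status": "ERROR",
                "message": "INTERNAL ERROR", "errorCode": 70503}

if __name__ == "__main__":
    env = os.environ
    result = wait_for_scan(lambda: fetch_scan_result(
        env["QUALYS_BASE_URL"], env["SCAN_UUID"], env["QUALYS_USER"], env["QUALYS_PASSWORD"]))
    for check in failed_checks(result):
        print("FAILED", *check)
    raise SystemExit(0 if gate(result) else 1)
```

Anything that is neither FINISHED nor ERROR is treated as still pending, which keeps the client conservative if a new intermediate status ever appears; the polling budget (20 attempts, 15 s apart) turns a scan that never completes into a visible pipeline failure rather than a hang.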
      

Sample - Trigger an IaC Scan (SARIF)

API request

    
      curl -X GET
"https://<QualysBaseURL>/cloudview-api/rest/v1/iac/scanResult?scanUuid=337a21ef-3c53-43bf-aed6-46f04e1c542d" -H 'responseFormat: sarif' -H 'authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXX'
      

Response (SARIF)

{
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "QualysIaCSecurity",
                    "organization": "Qualys",
                    "rules": [
                        {
                            "id": "52140",
                            "name": "Ensure that Bucket should not log to itself",
                            "messageStrings": {
                                "remediation": {
                                    "text": "Ensure google_storage_bucket resource does not have argument log_bucket_name equal to bucket_name"
                                },
                                "criticality": {
                                    "text": "HIGH"
                                }
                            }
                        },
                        {
                            "id": "52036",
                            "name": "Ensure that Cloud Storage buckets have uniform bucket-level access enabled",
                            "messageStrings": {
                                "remediation": {
                                    "text": "Ensure google_storage_bucket resource has argument uniform_bucket_level_access set to True"
                                },
                                "criticality": {
                                    "text": "MEDIUM"
                                }
                            }
                        },
                        {
                            "id": "52030",
                            "name": "Ensure that Cloud Storage bucket is not anonymously or publicly accessible",
                            "messageStrings": {
                                "remediation": {
                                    "text": "Ensure google_storage_bucket_iam_member, google_storage_bucket_iam_binding resource does not have argument members set to allAuthenticatedUsers, allUsers"
                                },
                                "criticality": {
                                    "text": "HIGH"
                                }
                            }
                        }
                    ]
                }
            },
            "results": [
                {
                    "ruleId": "52140",
                    "level": "error",
                    "message": {
                        "text": "Ensure that Bucket should not log to itself"
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "/GCPTF.tf"
                                },
                                "region": {
                                    "startLine": 1,
                                    "endLine": 11
                                }
                            }
                        }
                    ]
                },
                {
                    "ruleId": "52036",
                    "level": "error",
                    "message": {
                        "text": "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "/GCPTF.tf"
                                },
                                "region": {
                                    "startLine": 1,
                                    "endLine": 11
                                }
                            }
                        }
                    ]
                },
                {
                    "ruleId": "52030",
                    "level": "error",
                    "message": {
                        "text": "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
                    },
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "/GCPTF.tf"
                                },
                                "region": {
                                    "startLine": 13,
                                    "endLine": 19
                                }
                            }
                        }
                    ]
                }
            ]
        }
    ]
}

Sample - Trigger an IaC Scan (JUNITXML)

API request

    
      curl -X GET
"htts://<QualysBaseURL>/cloudview-api/rest/v1/iac/scanResult?scanUuid=a15485a6-813e-44df-bed6-71ee1280ca59" -H "responseFormat: JUNITXML" -H 'Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXX'
      
      

Response (JUNITXML)

<?xml version="1.0" encoding="UTF-8"?>
<testsuites failures="3" tests="5" source="GitHub" gitrepo="customRepo" gitbranch="master" scanName="test" scanDate="2022-01-04T06:42:03.391Z" scanUuid="a15485a6-813e-44df-bed6-71ee1280ca59">
    <testsuite failures="1" name="CID 52036/MEDIUM/Ensure that Cloud Storage buckets have uniform bucket-level access enabled" tests="1">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket.clvqa-storage-bucket">
            <failure message="File:/GCPTF.tf has a misconfiguration for CID 52036 on resource google_storage_bucket.clvqa-storage-bucket. Remediation:Ensure google_storage_bucket resource has argument uniform_bucket_level_access set to True" type="failure"/>
        </testcase>
    </testsuite>
    <testsuite failures="0" name="CID 52031/HIGH/Ensure that logging is enabled for Cloud storage buckets" tests="1">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket.clvqa-storage-bucket"/>
    </testsuite>
    <testsuite failures="1" name="CID 52140/HIGH/Ensure that Bucket should not log to itself" tests="1">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket.clvqa-storage-bucket">
            <failure message="File:/GCPTF.tf has a misconfiguration for CID 52140 on resource google_storage_bucket.clvqa-storage-bucket. Remediation:Ensure google_storage_bucket resource does not have argument log_bucket_name equal to bucket_name" type="failure"/>
        </testcase>
    </testsuite>
    <testsuite failures="1" name="CID 52030/HIGH/Ensure that Cloud Storage bucket is not anonymously or publicly accessible" tests="2">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket_iam_member.member"/>
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket_iam_binding.binding">
            <failure message="File:/GCPTF.tf has a misconfiguration for CID 52030 on resource google_storage_bucket_iam_binding.binding. Remediation:Ensure google_storage_bucket_iam_member, google_storage_bucket_iam_binding resource does not have argument members set to allAuthenticatedUsers, allUsers" type="failure"/>
        </testcase>
    </testsuite>
</testsuites>
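The JUNITXML response above is the form most CI systems consume directly, but a pipeline that wants to print or annotate the failing resources has to pull the CID, criticality and remediation back out of the suite names and failure messages. The following is an added example of that parsing, not Qualys code. The XML it reads is the page's own sample, embedded so the script runs offline; the "CID <id>/<criticality>/<title>" suite-name layout and the "Remediation:<text>" tail of the failure message are assumptions read from that sample, and the cross-check of the root counters against the per-suite counters and the actual number of <failure> elements is my addition.

```python
"""Parse the JUNITXML form of the scanResult response into a list of failed
resources. Added example, not Qualys code; the suite-name and failure-message
layouts are read from the page's sample and may change."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

SUITE_NAME = re.compile(r"^CID (?P<cid>\d+)/(?P<criticality>[A-Z]+)/(?P<title>.+)$")
REMEDIATION = re.compile(r"Remediation:(?P<text>.+)$")
RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Finding:
    cid: str
    criticality: str
    title: str
    file: str
    resource: str
    remediation: str


def parse_junit(xml_text: str) -> List[Finding]:
    """One Finding per <testcase> that carries a <failure>; passing cases are
    dropped, and suites whose name does not match the layout are skipped."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for suite in root.iter("testsuite"):
        m = SUITE_NAME.match(suite.get("name", ""))
        if m is None:
            continue
        for case in suite.iter("testcase"):
            failure = case.find("failure")
            if failure is None:
                continue
            rm = REMEDIATION.search(failure.get("message", ""))
            findings.append(Finding(m["cid"], m["criticality"], m["title"],
                                    case.get("file", ""), case.get("name", ""),
                                    rm["text"].strip() if rm else ""))
    return findings


def totals(xml_text: str) -> Tuple[int, int]:
    """(tests, failures) as declared on the <testsuites> root."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return int(root.get("tests", 0)), int(root.get("failures", 0))


def counts_consistent(xml_text: str) -> bool:
    """Root counters must equal the per-suite sums, and the declared failures
    must equal the <failure> elements present, so a truncated report never
    reads as clean."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    suites = list(root.iter("testsuite"))
    tests = sum(int(s.get("tests", 0)) for s in suites)
    failures = sum(int(s.get("failures", 0)) for s in suites)
    actual = len(list(root.iter("failure")))
    return (tests, failures) == totals(xml_text) and failures == actual


def worst_criticality(findings: List[Finding]) -> str:
    """Highest criticality among the findings, or "" when there are none."""
    return max((f.criticality for f in findings), key=lambda c: RANK.get(c, 0), default="")


# The page's JUNITXML sample response, embedded as constant input.
SAMPLE_JUNIT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites failures="3" tests="5" source="GitHub" gitrepo="customRepo" gitbranch="master" scanName="test" scanDate="2022-01-04T06:42:03.391Z" scanUuid="a15485a6-813e-44df-bed6-71ee1280ca59">
    <testsuite failures="1" name="CID 52036/MEDIUM/Ensure that Cloud Storage buckets have uniform bucket-level access enabled" tests="1">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket.clvqa-storage-bucket">
            <failure message="File:/GCPTF.tf has a misconfiguration for CID 52036 on resource google_storage_bucket.clvqa-storage-bucket. Remediation:Ensure google_storage_bucket resource has argument uniform_bucket_level_access set to True" type="failure"/>
        </testcase>
    </testsuite>
    <testsuite failures="0" name="CID 52031/HIGH/Ensure that logging is enabled for Cloud storage buckets" tests="1">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket.clvqa-storage-bucket"/>
    </testsuite>
    <testsuite failures="1" name="CID 52140/HIGH/Ensure that Bucket should not log to itself" tests="1">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket.clvqa-storage-bucket">
            <failure message="File:/GCPTF.tf has a misconfiguration for CID 52140 on resource google_storage_bucket.clvqa-storage-bucket. Remediation:Ensure google_storage_bucket resource does not have argument log_bucket_name equal to bucket_name" type="failure"/>
        </testcase>
    </testsuite>
    <testsuite failures="1" name="CID 52030/HIGH/Ensure that Cloud Storage bucket is not anonymously or publicly accessible" tests="2">
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket_iam_member.member"/>
        <testcase file="/GCPTF.tf" name="terraform/google_storage_bucket_iam_binding.binding">
            <failure message="File:/GCPTF.tf has a misconfiguration for CID 52030 on resource google_storage_bucket_iam_binding.binding. Remediation:Ensure google_storage_bucket_iam_member, google_storage_bucket_iam_binding resource does not have argument members set to allAuthenticatedUsers, allUsers" type="failure"/>
        </testcase>
    </testsuite>
</testsuites>"""

if __name__ == "__main__":
    report = parse_junit(SAMPLE_JUNIT)
    print(f"{totals(SAMPLE_JUNIT)[1]} failures, worst={worst_criticality(report)}, "
          f"consistent={counts_consistent(SAMPLE_JUNIT)}")
    for f in report:
        print(f"[{f.criticality}] CID {f.cid} {f.file} {f.resource}: {f.remediation}")
```

On the page's sample this yields three findings (CIDs 52036, 52140 and 52030) and the counters agree: 1+1+1+2 tests and 1+0+1+1 failures match the root's tests="5" and failures="3". When the XML is fetched from a service rather than embedded, parse it with defusedxml's drop-in replacement for ElementTree rather than the standard library parser, which does not defend against entity-expansion payloads.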