Tell me about the SCAP ARF Report

You can launch a SCAP scan report in Asset Reporting Format (ARF) using our API. ARF is a requirement in the SCAP 1.2 specifications from the National Institute of Standards and Technology (NIST).

Tell me about user permissions

Users have permission to run this API function when the SCAP module is enabled for their subscription. Sub-accounts (Unit Managers, Scanners, and Readers) must have the Manage compliance permission.

How do I launch this report?

To launch the SCAP ARF Report:

  1. Use the SCAP ARF Report API v2 (the resource /api/2.0/fo/compliance/scap/arf/).
  2. Provide the scan ID for a finished SCAP scan (use the id input parameter).
    You can limit the report to certain IP addresses only (use the optional ips parameter).
  3. Ensure that the Networks feature is turned on.
  4. Specify the IPs. You can limit the report to a specific network (use the optional ips_network_id parameter).

How do I find the SCAP scan ID?

You can view the scan ID in the SCAP scan results in the user interface. In the scan results window title bar, you can see the report URL with its ID number in the id parameter.

For example: https://qualysguard.qualys.com/fo/report/fdcc/fdcc_scan_result.php?id=3362251

API Request

The following is a sample API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X POST \
  -d "scan_id=3362251&ips=10.10.10.1-10.10.10.10" \
  "https://qualysapi.qualys.com/api/2.0/fo/compliance/scap/arf/"

Tell me about the Cloud Platform URL

https://qualysapi.qualys.com is the API server URL for US Platform 1. If your account is located on one of our other cloud platforms, replace this base URL with the one appropriate for your location.

For example, for US Platform 2, use https://qualysapi.qg2.apps.qualys.com.

For the EU Platform, use https://qualysapi.qualys.eu. If you have a Private Cloud Platform, use a custom URL like https://qualysapi.<customer_base_url>.
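
The sample request and platform URLs above, wrapped in a small script that validates the parameters before sending and passes the credentials to curl on stdin instead of on the command line. This is an added example, not Qualys code: the function names, the us1/us2/eu keys, the QUALYS_USER and QUALYS_PASS environment variables, and the numeric form of ips_network_id are assumptions.

```shell
#!/bin/sh
# Added example, not Qualys code. Function names, platform keys and the
# QUALYS_USER / QUALYS_PASS environment variables are assumptions.

# Base URLs listed in the "Cloud Platform URL" section of this page.
arf_base_url() {
  case "$1" in
    us1) echo "https://qualysapi.qualys.com" ;;
    us2) echo "https://qualysapi.qg2.apps.qualys.com" ;;
    eu)  echo "https://qualysapi.qualys.eu" ;;
    *)   return 1 ;;
  esac
}

# Build the POST body from scan ID, optional ips, optional ips_network_id.
# Only digits, dots, commas and hyphens are accepted (shape check only), so a
# stray "&" or "=" in the input cannot add extra parameters to the request.
arf_post_body() {
  ip='[0-9]{1,3}(\.[0-9]{1,3}){3}'
  item="${ip}(-${ip})?"
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  body="scan_id=$1"
  if [ -n "${2:-}" ]; then
    case "$2" in *[!0-9.,-]*) return 1 ;; esac
    printf '%s\n' "$2" | grep -Eqx "${item}(,${item})*" || return 1
    body="${body}&ips=$2"
  fi
  if [ -n "${3:-}" ]; then
    # Assumption: network IDs are numeric and only apply together with ips.
    [ -n "${2:-}" ] || return 1
    case "$3" in *[!0-9]*) return 1 ;; esac
    body="${body}&ips_network_id=$3"
  fi
  printf '%s' "$body"
}

# Send the request. Credentials reach curl through a config read from stdin
# (-K -), so the password is not visible in the process list or shell history.
# Assumption: the password contains no '"' or '\' (curl config quoting).
# Usage: arf_fetch us1 arf.xml 3362251 10.10.10.1-10.10.10.10
arf_fetch() {
  base=$(arf_base_url "$1") || { echo "unknown platform" >&2; return 2; }
  out=$2; shift 2
  body=$(arf_post_body "$@") || { echo "invalid parameters" >&2; return 2; }
  printf 'user = "%s:%s"\n' "$QUALYS_USER" "$QUALYS_PASS" |
    curl --fail --silent --show-error -K - \
      -H "X-Requested-With: Curl" -X POST -d "$body" \
      -o "$out" "${base}/api/2.0/fo/compliance/scap/arf/"
}
```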

XML Output

The XML output is compliant with the ARF 1.1 Schema.

Where can I learn more about using the API?

Refer to the Qualys API User Guide for a better understanding of API conventions and detailed instructions on using API functions. Get the latest information from our Community.

Qualys API (VM, PA) User Guide