The Qualys Web App Scanning Connector empowers DevOps teams to build application vulnerability scans into their existing CI/CD processes. By integrating scans in this manner, application security testing is accomplished earlier in the SDLC to catch and eliminate security flaws.
When the connector/plugin step starts, it launches a scan on the selected web application with the configured options. Qualys WAS module scans it and responds with findings and Grade score. If you have configured any pass/fail criteria, the plugin evaluates the response against that. If it finds something is not matching your criteria, it will cause exception to fail your build. Otherwise, your build job proceeds to next step(if any).
- A valid Qualys subscription with access to WAS(Web Application Security) module and Qualys APIs.
We recommend using this plugin step during "Post-build" phase of your job, right after you deploy your web application.
If you are using pipeline, you should go to "Pipeline Syntax", and select
qualysWASScan step. If you are using freestyle, you should add
Scan web applications with Qualys WAS build step.
A form appears with several input fields. Now you are ready to configure the plugin.
- Select your Qualys Portal from given dropdown.
- Select/Add your Qualys API Credentials.
- If you need proxy to communicate to the Internet, set correct proxy settings.
- To confirm that Jenkins can communicate to Qualys Cloud Platform and APIs, use
- The "Select Web Application from WAS" field lists all the Web apps entries you have made to Qualys WAS module. Select the one for which you are want to scan the web application. Please note that, the Web Applications are automatically populated in this dropdown if you have created web application on Qualys UI before.
- In "Scan Name" field, provide scan name for the Scan. By default, the WAS scan name will be: [job_name]jenkins_build[build_number] + timestamp. You can edit the scan name, but a timestamp will automatically be appended regardless.
- You can choose to run a Discovery scan or Vulnerability scan. The default is Vulnerability scan.
You can set conditions to fail a build by vulnerability severity and Qualys WAS Vulnerability Identifiers (QIDs).
- Configure to fail a build if the number of detections exceeds the limit specified for one or more severity types and/or if specified QIDs are found in scan results. For example, to fail a build if severity 5 vulnerabilities count is more than 2, select the “Fail with more than severity 5” option and specify 2.
- Configure to fail a build if the configured QIDs found in the scan result.
In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan status data and the timeout duration for a running scan.
If you are configuring pipeline project, click the
Generate Pipeline Script button/link. It will give you a command which you can copy and paste in your project's pipeline script.
- Solution and Diagnosis for each QID is added in scan reports.
- Fixed known issue from v2.0.12 wherein some fields did not work properly on latest Jenkins versions.