Qualys Container Scanning Connector

Qualys

543 installs | Free
This extension lets you retrieve and visualize the security posture of container images built in Azure DevOps.

Working & Behaviour

This Azure DevOps extension integrates the Azure Pipelines CI/CD tool with the Qualys Container Security (CS) module. Together with the CS Sensor, the extension retrieves the security posture of the OCI-compliant container images built by the pipeline. It can be configured to pass or fail a container image build based on the vulnerabilities detected, and it also generates a report for the container image in the build.

Add "Scan container images with Qualys CS" task to pipeline

Install the Qualys Container Scanning Connector extension into your Visual Studio Team Services account and search for the task in the list of available tasks. The task also appears in the Utility section of the task list. Add it to your build or release pipeline.

Task Configuration

Qualys Configuration:

A Qualys subscription is required to use this connector. Visit www.qualys.com to learn more. The Qualys configuration consists of the API server URL and the API user and password required to connect to the Qualys API server. If a proxy is required, the proxy settings can also be set here.

Image Id/ Image name:

A single image Id for which to fetch the vulnerability results. You can provide either the image Id or the image name.

Data collection:

This covers the polling interval and the timeout period.

  • Polling interval - How frequently to check for vulnerability data, in seconds; this is the time to wait between subsequent API calls. It can be set as a number (in seconds) or as an expression such as 2*60*60 for 2 hours or 2*60 for 2 minutes. The default value is 30 seconds.
  • Timeout period - How long to wait for the vulnerability data to be fetched, in seconds. The Qualys task ends after the timeout period. It can be set as a number (in seconds) or as an expression such as 2*60*60 for 2 hours or 2*60 for 2 minutes. The default value is 10 minutes.

Build Failure Conditions:

The build will fail when ANY of the selected conditions is met:

  • Severity level - The severity level at or above which the build fails, even if only a single vulnerability of that level is found; e.g. fail the build if a vulnerability with severity 3 or above is found.
  • QIDs - A comma-separated list of QIDs to check for in the vulnerability scan result. It can be a simple comma-separated list of QIDs or include ranges of QIDs; e.g. 179203,2331497,170560-170590
  • CVE Ids - A comma-separated list of CVEs to check for in the vulnerability scan result; e.g. CVE-2017-8831,CVE-2018-7757
  • Software list - If any of the listed software is found in the results, the build fails.
  • CVSS Base score - The CVSS base score version to use (2 or 3) and the score above which the build fails.

By default, the failure conditions above are applied only to confirmed vulnerabilities. Check the 'Apply to potential vulnerabilities as well' checkbox to evaluate potential vulnerabilities against the failure conditions too.

Exclude Conditions:

Lets you configure QIDs or CVEs that should be ignored when evaluating the failure conditions above.
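To make the semantics of the build failure conditions and the exclude conditions concrete, here is an added Python example that is not part of the connector; it evaluates constructed vulnerability records (the QIDs and CVEs reuse the listing's own examples, everything else is made up) against the conditions described above. It assumes that a record matching an excluded QID or CVE is dropped entirely before the failure conditions are checked.

```python
from dataclasses import dataclass, field

@dataclass
class Vuln:                  # one detection from the image's vulnerability data
    qid: int
    severity: int            # Qualys severity 1-5
    cves: list = field(default_factory=list)
    software: str = ""
    cvss2: float = 0.0
    cvss3: float = 0.0
    potential: bool = False  # False = confirmed vulnerability

def parse_qids(spec):
    """'179203,2331497,170560-170590' -> set of QIDs with ranges expanded."""
    qids = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        qids.update(range(int(lo), int(hi or lo) + 1))
    return qids

def parse_cves(spec):
    """'CVE-2017-8831,CVE-2018-7757' -> set of CVE ids."""
    return {c.strip() for c in spec.split(",") if c.strip()}

def evaluate(vulns, severity=None, qids="", cves="", software=(),
             cvss_version=3, cvss_score=None, apply_to_potential=False,
             exclude_qids="", exclude_cves=""):
    """Return (fail, reasons); the build fails when ANY condition is met."""
    fail_qids, skip_qids = parse_qids(qids), parse_qids(exclude_qids)
    fail_cves, skip_cves = parse_cves(cves), parse_cves(exclude_cves)
    reasons = []
    for v in vulns:
        if v.potential and not apply_to_potential:
            continue  # by default only confirmed vulnerabilities are evaluated
        if v.qid in skip_qids or skip_cves & set(v.cves):
            continue  # assumption: an excluded QID/CVE drops the whole record
        score = v.cvss3 if cvss_version == 3 else v.cvss2
        hits = [severity is not None and v.severity >= severity,
                v.qid in fail_qids, bool(fail_cves & set(v.cves)),
                any(s.lower() in v.software.lower() for s in software),
                cvss_score is not None and score > cvss_score]
        if any(hits):
            reasons.append(f"QID {v.qid}: conditions {[i for i, h in enumerate(hits) if h]}")
    return bool(reasons), reasons

# Constructed sample records (not real scan output).
SAMPLE = [
    Vuln(170575, 4, ["CVE-2017-8831"], "libfoo 1.2", 7.2, 7.8),
    Vuln(179203, 2, ["CVE-2018-7757"], "bar 0.9", 4.3, 5.5, potential=True),
    Vuln(200001, 5, [], "baz 3.0", 10.0, 9.8),
]
```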

Advanced Settings:

  • Docker URL - As described above, the task has to tag the container image Id so the sensor can scan it, and it has to look up the image Id when an image name is given as input; in both cases it must communicate with the Docker daemon. This input is the Docker daemon URL, e.g. unix://[docker_socket_path] or tcp://[host]:[port], i.e. either a Unix socket path or the TCP address of the Docker daemon. The default is the Unix socket path unix:///var/run/docker.sock
  • Docker Cert Path - The Docker daemon may have been configured over SSL/TLS and require valid client certificates. The path to those certificates can be provided here.

Output Variable

  • imageScanSummary - This variable contains the result of evaluating the image's vulnerability data against the build failure conditions.

Report

The extension generates a report for the container image in the build. On the build summary page, click the 'Qualys Image Scan Result' tab to see the vulnerability details for the container image.
