Working & Behaviour
The Qualys IaC Security extension lets DevOps teams build Infrastructure as Code (IaC) scans into their existing CI/CD processes. Scanning at this stage moves IaC security earlier in the SDLC, so misconfigurations in templates are caught and removed before they are deployed to your cloud. The extension can be configured to pass or fail a build based on the misconfigurations detected.
Add "Scan IaC templates using Qualys CloudView" task to pipeline
Install the Qualys IaC Security extension into your Azure DevOps organization and search for the task in the list of available tasks. The task also appears in the Utility section of the task list. Add it to your build pipeline.
Qualys Configuration using Service Connection
Create a new service connection to the Qualys Platform. You need to provide the Qualys Platform URL, username and password. If your Azure DevOps instance does not have direct Internet access and a proxy is required, select the "Use Proxy Settings" check box and enter the required proxy details.
Launch Scan Parameters
In the Launch Scan parameters, provide a scan name and the directory from your repository that you want to scan.
The Scan Name is populated automatically. By default, the scan name is $(DefinitionName)azureDevOps$(ID), but you can change it. Enter the directory path to be scanned; if you do not specify a path, the entire repository is scanned. Note: By default, the .tf, .yaml, .yml, .json, and .template files in the repository are scanned. To scan a compressed file (.zip, .7z, .tar, .tar.gz, or .gz), add the path and name of that file.
Build Failure Conditions
Configure the criteria for failing a build job based on the number of failed controls per severity.
The build fails if, for one or more severity types in the scan results, the number of failed controls exceeds the number you specified. A count equal to the specified number does not fail the build.
In the settings, specify the polling frequency in seconds for collecting the IaC scan result data. By default, it is set to 30 seconds.
Note: We recommend setting this value to at least 10 seconds.
You can also specify a timeout for a running scan. By default, it is set to 10 minutes. If the scan has not completed within the timeout, the task stops waiting for results, so set the timeout longer than your typical scan duration.
Save the configuration and click Queue to run the pipeline.
Qualys IaC Scan Result
After the scan is complete, the Summary tab displays the details of the scan, such as the git repository that was scanned, errors (failures), scan time, and job details.
To view the detailed IaC scan results, go to the Qualys IaC Scan Result tab. The tab shows graphical data of cloud misconfigurations by criticality, the number of controls causing build failure, and a Pass/Fail Criteria Results Summary.
The IaC Posture section lists each cloud misconfiguration with its control ID, name, criticality, result, file path, and resource.
The Remediation section displays the control IDs and associated remediation.
You can download the published artifact, which contains all the scan details in JSON format, for use in other tooling or for auditing.
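The following is an added example, not code from the Qualys extension, showing how the Build Failure Conditions described above can be reproduced over a downloaded result artifact: count failed controls per criticality, then fail the build only when a count strictly exceeds the configured number for that severity. The JSON layout (keys controls, controlId, criticality, result, filePath, resource) is an assumption modelled on the columns of the IaC Posture view, not the real Qualys artifact schema, and the sample data is constructed; the criticality values HIGH, MEDIUM and LOW are likewise assumed.

```python
import json
from collections import Counter

# Constructed sample artifact. Field names mirror the IaC Posture columns but are an
# assumed layout for illustration, not the Qualys extension's actual JSON schema.
SAMPLE_ARTIFACT = json.dumps({
    "scanName": "MyPipeline-azureDevOps-42",
    "controls": [
        {"controlId": "C-1", "name": "Storage bucket is publicly readable",
         "criticality": "HIGH", "result": "FAIL",
         "filePath": "infra/storage.tf", "resource": "aws_s3_bucket.logs"},
        {"controlId": "C-2", "name": "Security group allows 0.0.0.0/0 on port 22",
         "criticality": "MEDIUM", "result": "FAIL",
         "filePath": "infra/network.tf", "resource": "aws_security_group.bastion"},
        {"controlId": "C-3", "name": "Database backups not enabled",
         "criticality": "MEDIUM", "result": "FAIL",
         "filePath": "infra/db.tf", "resource": "aws_db_instance.main"},
        {"controlId": "C-4", "name": "Resource is missing tags",
         "criticality": "LOW", "result": "FAIL",
         "filePath": "infra/db.tf", "resource": "aws_db_instance.main"},
        {"controlId": "C-5", "name": "Storage encryption at rest enabled",
         "criticality": "HIGH", "result": "PASS",
         "filePath": "infra/storage.tf", "resource": "aws_s3_bucket.logs"},
        {"controlId": "C-6", "name": "Logging enabled",
         "criticality": "MEDIUM", "result": "PASS",
         "filePath": "infra/storage.tf", "resource": "aws_s3_bucket.logs"},
    ],
})

# Two hypothetical threshold sets, as you would enter them under Build Failure Conditions:
# the allowed number of failed controls per severity.
STRICT_THRESHOLDS = {"HIGH": 0, "MEDIUM": 0, "LOW": 10}
LENIENT_THRESHOLDS = {"HIGH": 1, "MEDIUM": 2, "LOW": 1}


def parse_controls(artifact_text):
    """Load the artifact and return the list of per-control results."""
    return json.loads(artifact_text)["controls"]


def failed_by_criticality(controls):
    """Count FAIL results per criticality (case-insensitive)."""
    counts = Counter()
    for control in controls:
        if control.get("result", "").upper() == "FAIL":
            counts[control.get("criticality", "").upper()] += 1
    return counts


def exceeded_thresholds(counts, thresholds):
    """Severities whose failed count is strictly greater than the allowed number.

    A severity not listed in thresholds is never checked, so leave none out
    unless you mean to ignore it.
    """
    return sorted(sev.upper() for sev, limit in thresholds.items()
                  if counts.get(sev.upper(), 0) > limit)


def failing_resources(controls):
    """(controlId, filePath, resource) for every failed control, for remediation follow-up."""
    return [(c["controlId"], c["filePath"], c["resource"])
            for c in controls if c.get("result", "").upper() == "FAIL"]


def evaluate_build(artifact_text, thresholds):
    """Apply the pass/fail rule and return a summary suitable for a pipeline log."""
    controls = parse_controls(artifact_text)
    counts = failed_by_criticality(controls)
    exceeded = exceeded_thresholds(counts, thresholds)
    return {
        "failed_counts": dict(counts),
        "exceeded": exceeded,
        "build_passed": not exceeded,
        "failing_resources": failing_resources(controls),
    }


if __name__ == "__main__":
    for name, thresholds in (("strict", STRICT_THRESHOLDS), ("lenient", LENIENT_THRESHOLDS)):
        summary = evaluate_build(SAMPLE_ARTIFACT, thresholds)
        print(name, "passed" if summary["build_passed"] else "FAILED", summary["exceeded"])
```

With the strict thresholds the sample fails on HIGH and MEDIUM (one HIGH and two MEDIUM failures against an allowed zero each); with the lenient thresholds it passes, because two MEDIUM failures do not exceed an allowed two. Only controls with a FAIL result are counted, so a PASS on a HIGH control never contributes to the HIGH tally.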
Release Notes
v1.1.0 - Added the Qualys IaC Scan Result tab to the Summary, showing the IaC scan results.
v1.0.0 - First version of the extension.