Qualys IaC Security

Qualys

Scan the Infrastructure-as-Code templates from your repository using Qualys CloudView (Cloud Security Assessment)

Working & Behaviour

The Qualys IaC Security extension lets DevOps teams build Infrastructure as Code (IaC) scans into their existing CI/CD processes. By scanning templates in the pipeline, misconfigurations are caught and removed earlier in the SDLC, before they are deployed to your cloud. The extension can be configured to fail or pass builds based on the misconfigurations detected.

Add "Scan IaC templates using Qualys CloudView" task to pipeline

Install the Qualys IaC Security extension into your Azure DevOps organization and search for the task in the list of available tasks. The task also appears in the Utility section of the task list. Add it to your build pipeline.


Task Configuration

Qualys Configuration using Service Connection

Create a new service connection to the Qualys Platform. You need to provide the Qualys Platform URL, username, and password; the service connection holds these credentials outside the pipeline definition, so they are not committed with the pipeline YAML. If your Azure DevOps instance does not have direct Internet access and a proxy is required, select the "Use Proxy Settings" check box and enter the proxy details.


Launch Scan Parameters

In the Launch Scan parameters, provide a scan name and the directory from your repository that you want to scan.


The Scan Name is populated automatically; by default it is $(DefinitionName)azureDevOps$(ID), but you can change it. Enter the directory path to scan. If you do not specify a path, the entire repository is scanned. Note: By default, the .tf, .yaml, .yml, .json, and .template files in the repository are scanned. To scan a compressed file (.zip, .7z, .tar, .tar.gz, or .gz), enter the path and file name of that archive.

Build Failure Conditions

Configure the criteria for failing the build job: the number of failed controls permitted for each severity level.

The build fails if the number of failed controls exceeds the specified number for one or more severity levels in the scan results. A limit of 0 therefore means that any failed control of that severity fails the build.

Timeout Settings

In the settings, specify the polling frequency in seconds for collecting the IaC scan result data. By default, it is 30 seconds.

Note: We recommend setting this value to at least 10 seconds.

You can also specify the timeout for a running scan. By default, it is 10 minutes.

Save the configuration and click Queue to run the pipeline.

Qualys IaC Scan Result

After the scan is complete, the Summary tab displays the details of the scan, such as the Git repository that was scanned, errors (failures), scan time, and job details.

To view the detailed IaC scan results, go to the Qualys IaC Scan Result tab. The tab shows graphical data of cloud misconfigurations by criticality, the number of controls causing the build failure, and a Pass/Fail Criteria Results Summary.

The IaC Posture section displays the details of each cloud misconfiguration: control ID, name, criticality, result, file path, and resource.

The Remediation section displays the control IDs and associated remediation.


You can download the published artifact file, which contains all the scan details in JSON format.
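As an added example (not code from the Qualys extension or from this page), the script below applies the rule from Build Failure Conditions to a downloaded result artifact and shows the polling and timeout behaviour from Timeout Settings as a loop. The artifact field names, the severity labels HIGH/MEDIUM/LOW, the status values RUNNING/FINISHED/ERROR and the sample artifact itself are constructed assumptions; this page does not document the real artifact layout.

```python
import json
import time
from collections import Counter

# Constructed sample of a downloaded scan artifact. The page says the JSON
# artifact holds control ID, name, criticality, result, file path and resource,
# but documents neither field names nor severity labels, so this layout is an
# assumption made for the example.
SAMPLE_ARTIFACT = json.dumps({
    "scanName": "infra-pipeline-azureDevOps-1042",
    "controls": [
        {"controlId": "1001", "name": "Storage account allows public blob access",
         "criticality": "HIGH", "result": "FAIL",
         "filePath": "infra/storage.tf", "resource": "azurerm_storage_account.logs"},
        {"controlId": "1002", "name": "NSG rule allows SSH from any source",
         "criticality": "HIGH", "result": "FAIL",
         "filePath": "infra/network.tf", "resource": "azurerm_network_security_rule.ssh"},
        {"controlId": "1003", "name": "OS disk encryption not enabled",
         "criticality": "MEDIUM", "result": "FAIL",
         "filePath": "infra/vm.tf", "resource": "azurerm_linux_virtual_machine.web"},
        {"controlId": "1004", "name": "Diagnostic logging disabled",
         "criticality": "LOW", "result": "FAIL",
         "filePath": "infra/vm.tf", "resource": "azurerm_linux_virtual_machine.web"},
        {"controlId": "1005", "name": "HTTPS-only traffic enforced",
         "criticality": "HIGH", "result": "PASS",
         "filePath": "infra/storage.tf", "resource": "azurerm_storage_account.logs"},
    ],
})

SEVERITIES = ("HIGH", "MEDIUM", "LOW")      # assumed severity labels
TERMINAL_STATES = ("FINISHED", "ERROR")     # assumed scan status values


def failed_controls_by_severity(artifact_json):
    """Count controls with result FAIL, keyed by criticality.

    Passing controls never count toward a threshold. A criticality label outside
    SEVERITIES is kept under its own key so it stays visible instead of vanishing.
    """
    counts = Counter()
    for control in json.loads(artifact_json).get("controls", []):
        if str(control.get("result", "")).upper() == "FAIL":
            counts[str(control.get("criticality", "UNKNOWN")).upper()] += 1
    summary = {sev: counts.get(sev, 0) for sev in SEVERITIES}
    for label, n in counts.items():
        if label not in SEVERITIES:
            summary[label] = n
    return summary


def build_should_fail(counts, thresholds):
    """Apply the task's rule: the build fails when the number of failed controls
    exceeds the configured number for one or more severities.

    A limit of 0 means any failed control of that severity fails the build; a
    severity with no limit (None or absent) is never gated, however many fail.
    Returns (fail, reasons) so the pipeline log can state why it stopped.
    """
    reasons = []
    for sev, limit in thresholds.items():
        if limit is None:
            continue
        found = counts.get(sev, 0)
        if found > limit:
            reasons.append(f"{sev}: {found} failed controls exceed the allowed {limit}")
    return (bool(reasons), reasons)


def wait_for_scan(get_status, poll_seconds=30, timeout_seconds=600,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll get_status() until it returns a terminal state or the timeout passes.

    Defaults mirror the task defaults (30 s polling, 10 min timeout). The page
    recommends at least 10 s between polls, so shorter intervals are clamped.
    sleep and clock are injectable so the loop can be tested without waiting.
    """
    poll_seconds = max(poll_seconds, 10)
    deadline = clock() + timeout_seconds
    while True:
        status = get_status()
        if status in TERMINAL_STATES:
            return status
        if clock() >= deadline:
            raise TimeoutError(f"scan still {status} after {timeout_seconds} s")
        sleep(poll_seconds)


if __name__ == "__main__":
    counts = failed_controls_by_severity(SAMPLE_ARTIFACT)
    fail, reasons = build_should_fail(counts, {"HIGH": 0, "MEDIUM": 5, "LOW": None})
    print(counts, fail, reasons)
```

The edge of the rule is worth noticing before choosing limits: a limit of 0 is the strictest gate, and an unset limit never gates, so a pipeline that only sets a HIGH limit passes however many MEDIUM or LOW controls fail.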

Release Notes

v1.1.0 - Added the Qualys IaC Scan Result tab to the Summary, showing the IaC scan results.

v1.0.0 - First version of the extension.
