Qualys TotalAppSec Findings Connector

Working & Behaviour

The TotalAppSec extension enables seamless integration between TotalAppSec and Azure DevOps by automatically exporting and updating security findings from TotalAppSec into Azure DevOps as work items. TotalAppSec acts as the single source of truth for vulnerability data, ensuring that any changes to findings in TotalAppSec are always reflected in Azure DevOps.

By keeping findings up to date as work items, development and security teams can manage vulnerabilities within their familiar Azure DevOps workflows, prioritize fixes, and align remediation efforts with sprint and release management.

This extension supports cloud-based Azure DevOps setups and provides a reliable, one-way flow of data from TotalAppSec to Azure DevOps.

Add "Qualys TotalAppSec Findings Connector" task to pipeline

Install the Qualys TotalAppSec Findings Connector extension into your Visual Studio Team Services account and search for the task in the available tasks. The task will also appear in the Utility section of the task list. Add it to your build pipeline.

Task Configuration

Qualys Configuration using Service Connection

Create a new service connection to connect to the Qualys Gateway server. You need to provide the Qualys API Gateway URL, API user, password and Azure DevOps Personal Access Token (PAT). If your Azure DevOps instance does not have direct Internet access and a proxy is required, click the "Use Proxy Settings" check box, and enter the required information.

Configure Filters to get specific Findings-

These filters are used to retrieve specific application Findings.

• WebApp ID: you can configure the Application IDs as a comma-separated list ex. 1234,5678. If no Application ID is configured, work items will be created for all application Findings.
• Severity level: Select the severity level filter for the Findings you want to create work items for.
• Category: Select the Vulnerability Category - Potential Vulnerability, Confirmed Vulnerability and Sensitive Content.
• Finding Type: Select the Finding type you want to create work items for Qualys or other.
• Ignore Detection: If this option is selected, work items are created for all detections. If it is not selected, work items are only created for detections that are not marked as ignored.

View Work Items

To view the work items/ ticket details, select the work item under Board Section.

The Qualys TotalAppSec Findings connector automatically creates, or updates work items in Azure DevOps based on Detection from Qualys. As part of this process, it maps specific fields from Qualys such as Detection ID, QID, QID Title, Category, Source, Severity, Vulnerability details, Application information, and detection details into the Azure DevOps work item.

View Work Item details-

Release Notes

v1.0.0 -First version of the extension.