Skip to content
| Marketplace
Sign in
Azure DevOps>Azure Pipelines>Qualys TotalAppSec Scanning Connector
Qualys TotalAppSec Scanning Connector

Qualys TotalAppSec Scanning Connector

Qualys

|
1 install
| (0) | Free
Detect Web and API application vulnerabilities using the Qualys TotalAppSec (TAS) Scanning service
Get it free

Qualys TotalAppSec Scanning Connector

Working & Behaviour

The Qualys TotalAppSec Scanning Connector integrates Azure Pipelines CI/CD with the Qualys TotalAppSec (TAS) module. This extension enables vulnerability scanning for both Web Applications and API Type Applications.

It empowers DevOps teams to incorporate application vulnerability scans into their existing Azure Pipeline workflows. By integrating security scans into the CI/CD process, application security testing can be performed earlier in the Software Development Life Cycle (SDLC) to catch and eliminate security flaws.

The extension can be configured to pass or fail builds based on the vulnerabilities detected during the scan. Additionally, it generates scan reports in both JSON and PDF formats for the scan in the build.

Add 'Qualys TotalAppSec Scanning Connector' task to pipeline

Install the Qualys TotalAppSec Scanning Connector extension into your Visual Studio Team Services account and search for the task in the available tasks. The task will also appear in the Utility section of the task list. Add it to your build/release pipeline.

add_task Note: Qualys TotalAppSec Scanning Connector for Azure DevOps supports only one Qualys TAS task in the Build pipeline and the Release pipeline with one or more stages.

Task Configuration

Qualys Configuration using Service Connection

Create a new service connection to connect to the Qualys API server. You need to provide the API Server URL, API user, and password. If your Azure DevOps instance does not have direct Internet access and a proxy is required, click the "Use Proxy Settings" check box, and enter the required information.

We support both Basic and OIDC authentication.

  • For Basic Authentication, configure the Qualys Username and Password.
  • For OIDC Authentication, select the Use OIDC checkbox and provide the User-Level Client ID and Client Secret.

API authentication is supported via Qualys-managed tokens using a user-level client. For more details, refer to Qualys Token-based Authentication Technical Brief.

add_service_connection

service_connection

Launch Scan API Parameters

These are the parameters that the Launch Scan API requires to launch the scan:

  • Scan Name: Input text field for scan name to Launch scan.
  • WebApp ID: User need to enter the Web or API application ID
  • Scan Type: Dropdown box with values – "VULNERABILITY", "DISCOVERY", "COMPLIANCE". The default value would be "VULNERABILITY".
  • Option profile ID: User need to enter the Option Profile ID

mandatory_parameters

Optional Parameters

  • Authentication Record (Optional)
  • Cancel Options (Optional)

optional_parameters

Build Failure Conditions

The build will fail when ANY of the selected conditions are met

  • Count of Vulnerability for a Severity level - Count of vulnerability for a Severity level above which the build will fail. For eg: Fail if the count of Severity 1 vulnerbailities is more than 1.
  • QIDs - A comma-separated list of QIDs to be checked in the vulnerabilities scan result. It can be a simple comma-separated list of QIDs or a range of QIDs. For example, 179203,2331497,170560-170590
  • TAS could not scan the Web App - If this option is checked and the TAS module is not able the scan the web application then the build will fail.

build_failure_conditions

Timeout Settings

This involves the polling interval and the timeout period

  • Polling interval - How often to check for the scan result in minutes. It is the time to wait between subsequent API calls. This can be set as a number (in minutes) or an expression like these: 2*60 = 2 hours. The default value is 5 minutes.
  • Timeout period - How long to wait for the scan result in minutes. The Qualys task will end after the timeout period. This can be set as a number (in minutes) or an expression like these: 260 = 2 hours. The default value is 6024 minutes.

timeout_settings

Report Configuration

Do not wait for scan results

This checkbox parameter allow you to control how the integration behaves after triggering a Qualys TAS scan.

  • If enabled
    • The plugin will submit the TAS scan and immediately exit, without waiting or polling for the scan status.
    • Note that, in this case, 'Qualy TAS Scan Status' in Azure DevOps pipeline will remain blank.
    • To View/Access Scan result:
      • Qualys TAS scan URL will be available in logs to check the Qualys TAS scan results which can be accessed directly using valid Qualys credentials to review the scan result.
      • This URL will also be published in the Artifact 'scan-results-notice.txt
    • Note that, this option should be used when scans are expected to take a long time and teams do not want the pipeline execution delayed.
  • If disabled
    • The plugin will wait for the scan to complete and continue polling scan status until the scan is completed post which it will generate the scan result in pipeline.

report

Generate Report as PDF

  • If enabled

    • The scan report will be available in both JSON and PDF formats.
  • If disabled

    • The report will be available only in JSON format. PDF file will not be generated.

report

Report

The Report that we render on the "Qualys TAS Scan Result" tab is produced using some artifacts that we generate during the extension execution. The artifacts involve the complete API output result for the web application, results summary, and pass/fail criteria summary along with the Vulnerabilities Doughnut chart. We show the criteria evaluation table as a summary of all the build failure criteria which were configured or not configured and their respective result as pass/fail.

The report will only be generated once the scan is finished regardless of the build failure conditions.

report report

For release workflow, the report will be generated in the old view section of Release.

report

Download PDF Artifacts

To Download the Scan report in PDF and json format in Build pipeline-

-In the Build Summary page, look for the "Published" artifact section.

pdfReport

-Click on 'Published' to view the scan report in PDF and JSON format, where you can also download the files.

pdfReport

To Download the scan report in PDF and JSON format in Release pipeline-

Unlike Build pipeline, release pipeline, these is not direct way to store Qualys artifacts generated after web app scan i.e PDF and JSON files. Therefore, to retrieve the scan report in PDF and JSON formats, you need to download all the logs, as these files are included with them.

pdfReport

Release Notes

v1.0.0 -First version of the extension.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft