Working & Behaviour
The Azure DevOps extension integrates the Azure Pipelines CI/CD tool with the Qualys Web Application Scanning (WAS) module. It lets DevOps teams run application vulnerability scans as a task inside their existing Azure pipelines, so security testing happens earlier in the SDLC, where flaws are cheaper to find and fix. The extension can be configured to fail or pass the build based on the vulnerabilities detected, and it attaches a report for the scan to the build. The current version of the extension supports only the cloud-hosted Azure DevOps (Azure DevOps Services), not a self-hosted Azure DevOps Server.
Add "Scan Web Applications with Qualys WAS" task to pipeline
Install the Qualys Web App Scanning Connector extension into your Visual Studio Team Services (now Azure DevOps) organization, then search for the task in the list of available tasks; it is also listed under the Utility section. Add it to your build or release pipeline.
Qualys Configuration using Service Connection
Create a new service connection to the Qualys API server. You need to provide the API server URL, the API user name, and the password. If your Azure DevOps agents do not have direct Internet access and must go through a proxy, tick the "Use Proxy Settings" check box and enter the proxy details. Use a dedicated Qualys API user with only the WAS permissions the scans need, and restrict the service connection to the pipelines that require it, since whoever can edit those pipelines can drive scans with those credentials.
Launch Scan API Parameters
These are the parameters that the Launch Scan API requires to launch the scan:
Build Failure Conditions
The build will fail when ANY of the selected conditions is met; it is not necessary for all of them to be met.
This involves the polling interval (how often the task queries the status of the launched scan) and the timeout period (how long the task waits for the scan to finish).
The report rendered on the "Qualys WAS Scan Result" tab is built from artifacts generated while the extension runs: the complete API output for the web application, a results summary, and a pass/fail criteria summary together with a doughnut chart of the vulnerabilities. The criteria evaluation table summarises every build failure criterion, whether it was configured or not, and its result as pass or fail.
The report is generated only once the scan has finished, regardless of whether the build failure conditions are met.
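The polling loop and the "fail on ANY selected condition" gate described above, as an added example in Python (not the Qualys extension's own code). It polls a scan until it reaches a terminal state or the timeout elapses, then evaluates a set of failure criteria into the configured/not-configured pass/fail table. The status names, the criterion kinds (per-severity maximum counts and a set of flagged QIDs), the QID values and the sample findings are assumptions for illustration and are not the task's actual option names or output.

```python
# Added example, not the Qualys extension's own code. Status names, criterion
# kinds and the sample findings below are constructed for illustration.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Assumed terminal scan states; the report is only produced after one is reached.
TERMINAL_STATES = {"FINISHED", "ERROR", "CANCELED"}


def poll_scan(get_status: Callable[[], str], interval: float, timeout: float,
              sleep: Callable[[float], None] = time.sleep,
              clock: Callable[[], float] = time.monotonic) -> str:
    """Query get_status() every `interval` seconds until a terminal state is
    seen; return "TIMEOUT" once the next wait would pass the deadline."""
    deadline = clock() + timeout
    while True:
        status = get_status()
        if status in TERMINAL_STATES:
            return status
        if clock() + interval > deadline:
            return "TIMEOUT"
        sleep(interval)


def simulate_poll(statuses: List[str], interval: float, timeout: float) -> Tuple[str, int]:
    """Run poll_scan against a scripted status sequence on a virtual clock
    (time advances only inside sleep); returns (outcome, number of polls)."""
    now, polls = [0.0], [0]

    def get_status() -> str:
        status = statuses[min(polls[0], len(statuses) - 1)]  # last status repeats
        polls[0] += 1
        return status

    def sleep(seconds: float) -> None:
        now[0] += seconds

    return poll_scan(get_status, interval, timeout, sleep, lambda: now[0]), polls[0]


@dataclass(frozen=True)
class Finding:
    qid: int       # Qualys vulnerability ID (sample values below are constructed)
    severity: int  # 1 (lowest) to 5 (highest)


@dataclass
class FailureCriteria:
    max_by_severity: Dict[int, int]  # severity -> findings tolerated; absent = not configured
    fail_qids: Set[int]              # any of these QIDs fails the build; empty = not configured


@dataclass(frozen=True)
class CriterionResult:
    name: str
    configured: bool
    result: str  # "PASS", "FAIL", or "N/A" for a criterion that was not configured


def evaluate(findings: Iterable[Finding],
             criteria: FailureCriteria) -> Tuple[bool, List[CriterionResult]]:
    """Return (build_passes, rows): the build passes only if no configured
    criterion fails (ANY semantics); unconfigured criteria are listed as N/A."""
    findings = list(findings)
    rows: List[CriterionResult] = []
    for sev in range(5, 0, -1):
        count = sum(1 for f in findings if f.severity == sev)
        limit = criteria.max_by_severity.get(sev)
        if limit is None:
            rows.append(CriterionResult(f"Severity {sev} count (found {count})", False, "N/A"))
        else:
            rows.append(CriterionResult(f"Severity {sev} count <= {limit} (found {count})",
                                        True, "PASS" if count <= limit else "FAIL"))
    if criteria.fail_qids:
        hits = sorted({f.qid for f in findings} & criteria.fail_qids)
        rows.append(CriterionResult(f"Flagged QIDs absent (hit: {hits or 'none'})",
                                    True, "FAIL" if hits else "PASS"))
    else:
        rows.append(CriterionResult("Flagged QIDs absent", False, "N/A"))
    return not any(r.result == "FAIL" for r in rows), rows


def render_table(build_passes: bool, rows: List[CriterionResult]) -> str:
    """Plain-text form of the criteria evaluation table."""
    lines = [f"{'Criterion':<44} {'Configured':<11} Result"]
    lines += [f"{r.name:<44} {'yes' if r.configured else 'no':<11} {r.result}" for r in rows]
    lines.append(f"Build result: {'PASS' if build_passes else 'FAIL'}")
    return "\n".join(lines)


# Constructed sample scan output: one severity-5, two severity-3, one severity-2 finding.
SAMPLE_FINDINGS = [Finding(150999, 5), Finding(150998, 3), Finding(150998, 3), Finding(150997, 2)]

if __name__ == "__main__":
    print("poll:", simulate_poll(["RUNNING", "RUNNING", "FINISHED"], interval=30, timeout=600))
    print("poll:", simulate_poll(["RUNNING"], interval=30, timeout=100))
    passes, rows = evaluate(SAMPLE_FINDINGS, FailureCriteria({5: 0, 4: 0, 3: 5}, {150997}))
    print(render_table(passes, rows))
```

Two points worth carrying into a real pipeline: a criterion with a limit of 0 is still "configured" and must not be confused with an unconfigured one, and a TIMEOUT outcome should be treated as a failed gate rather than a pass, because no report exists to evaluate at that point.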