How Scanner Integrations Work in RegScale

For Commercial Integrations with RegScale, all vulnerability scanners now use a common library and behave identically. This page outlines how each of them creates records in RegScale.

Background

Vulnerability Scanners are integrated into RegScale for three outcomes:

  • Import assets into a Security Plan
  • Import vulnerabilities into a Security Plan
  • Create Issues and/or POA&Ms in a Security Plan

For each of the dozen-odd vulnerability scan integrations, asset inventories are updated, a scan history is created, Vulnerabilities are created, and, if configured to do so, Issues are created and optionally marked as "Cyber Reportable Plan of Actions and Milestones (POA&M)".

Scanner Configurations

All vulnerability scanner integrations leverage three configuration items from the init.yaml file:

(see CLI Configuration for full details on init.yaml)

Key / Notes / Value Type:

  • dueDates
    • Notes: default number of days until an issue's due date, per severity
    • Value type: dict: {'high': 60, 'moderate': 120, 'low': 364}
  • incrementPoamIdentifier
    • Notes: if the issues use "otherIdentifier" for the POA&M id, this increments the pattern by +1
    • Value type: bool: true | false (default: false)
  • ingestClosedIssues
    • Notes: whether or not to import closed issues
    • Value type: bool: true | false (default: false)
  • issueCreation
    • Notes: for Commercial Scan integrations, determines whether an issue is created for each unique vulnerability/asset pair (PerAsset) or only for each unique vulnerability (Consolidated)
    • Value type: string: "Consolidated" | "PerAsset"
  • poamTitleType
    • Notes: what to use for the title of POA&Ms created from scans
    • Value type: string: "Cve" (default) - CVE number | "pluginId" - scanner plugin id
  • stigMapperFile
    • Notes: path to the STIG mapper rules file for compliance scanning
    • Value type: str: stig_mapper_rules.json
  • tenableGroupByPlugin
    • Notes: for Tenable scans, group by plugin id instead of CVE
    • Value type: bool: true | false (default: false)
  • threadMaxWorkers
    • Notes: maximum number of worker threads
    • Value type: int: 1-8 (default: 4)
  • vulnerabilityCreation
    • Notes: for Commercial Scan integrations, determines whether issues are created for vulnerabilities: "NoIssue" - don't create issues from vulnerabilities; "IssueCreation" - create issues from vulnerabilities; "PoamCreation" - create issues/POA&Ms from vulnerabilities
    • Value type: string: "NoIssue" | "IssueCreation" | "PoamCreation"

Data Flow and Record Creation

For each vulnerability scan integration the following records are created:

  • Scan History:
    • All scanner integrations first create a scanner history entry as a child of the Security Plan identified in the scanner integration argument (--regscale_ssp_id)
    • Scan History is visible in Security Plans under the "Vulnerabilities" tab in Data Entry
  • Assets:
    • All assets are created as children of the Security Plan
    • As assets appear in the scan they are created in RegScale, regardless of whether a vulnerability exists for them
    • Asset status is set by the scan: if an asset is shown as active in a scan, it is marked active; if a scan shows an asset as inactive, it is marked inactive
    • Assets are visible in Security Plans under the "Assets" tab in Data Entry
  • Vulnerabilities:
    • All scan results are created as vulnerability records as children of the Security Plan
    • Vulnerabilities are visible in Security Plans under "Vulnerabilities" tab in Data Entry and then "CVE List"
    • For each asset affected by the vulnerability, a vulnerability mapping record is created which is visible when clicking in the "CVE List" on "View" and "Impacted Assets"
  • Issues:
    • If the vulnerabilityCreation configuration item is set to IssueCreation or PoamCreation, vulnerabilities will create Issue records as children of the Security Plan
    • If the vulnerabilityCreation configuration item is set to PoamCreation, vulnerabilities will create Issue records as children of the Security Plan and will mark the issues as "Cyber Reportable Plan of Actions and Milestones (POA&M)"
    • Issues are visible in Security Plans under the "Issues/POAMS" tab in Data Entry
    • If the issueCreation configuration item is set to Consolidated, one issue will be created per vulnerability and all impacted assets will be listed in the same record
    • If the issueCreation configuration item is set to PerAsset, an issue will be created for each vulnerability/asset pair
    • If the poamTitleType configuration item is set to Cve, issues are consolidated by unique CVE when issueCreation is Consolidated, and the CVE is simply used as the title of the Issue when issueCreation is PerAsset
    • If the poamTitleType configuration item is set to pluginId, issues are consolidated by unique Plugin Id when issueCreation is Consolidated, and the Plugin Id is simply used as the title of the Issue when issueCreation is PerAsset
    • Each Issue created will be marked by the source of the scan in the Source Report field of the issue record (e.g. "Aqua")
  • Subsequent scan imports:
    • If an asset was created in a previous scan, but does not appear in subsequent scans from the same source (e.g. Aqua), it is updated to inactive
    • If a vulnerability was created in a previous scan, but does not appear in subsequent scans from the same source, its status is changed to "Closed"
    • If an issue was created in a previous scan, but does not appear in subsequent scans from the same source, its status is changed to "Closed"
    • If an issue was created in a previous scan and includes multiple assets, the impacted assets listed in the issue are updated to those that still have the same vulnerability in the subsequent scan
    • If an issue was created in a previous scan and appears in subsequent scans, the "Last Seen Date" is updated and the issue status remains "Open"
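The following Python is an added illustration, not RegScale's own code, that models the record rules in the Issues and Subsequent scan imports sections above together with the configuration keys that drive them (dueDates, vulnerabilityCreation, issueCreation, poamTitleType). The record shapes, the Finding/PlanState types, the function names and the sample findings are assumptions made for this example; only the keys and the rules they follow come from the page.

```python
"""Model of how one scanner import becomes RegScale-style records.

Added illustration, not RegScale's own code: record shapes, function
names and sample findings are assumptions; the configuration keys and
the rules they drive follow the documentation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

SEVERITY_ORDER = ("high", "moderate", "low")  # dueDates keys, worst first


@dataclass(frozen=True)
class Finding:
    """One scan result: an asset affected by a vulnerability (constructed shape)."""
    asset: str
    cve: str
    plugin_id: str
    severity: str  # one of SEVERITY_ORDER


@dataclass
class PlanState:
    """Records held under one Security Plan; each record carries its scan source."""
    scan_history: list = field(default_factory=list)
    assets: dict = field(default_factory=dict)   # name -> {"status", "source"}
    vulns: dict = field(default_factory=dict)    # cve -> {"status", "source", "assets"}
    issues: dict = field(default_factory=dict)   # issue_key -> issue record


def issue_key(finding, config, source):
    """poamTitleType picks the label (CVE or plugin id); issueCreation decides
    whether the asset is part of the key (PerAsset) or not (Consolidated)."""
    label = finding.cve if config.get("poamTitleType", "Cve") == "Cve" else finding.plugin_id
    if config["issueCreation"] == "PerAsset":
        return (source, label, finding.asset)
    return (source, label)


def _retire(records, still_present, source, retired_status):
    """Records from the same source that are absent from this scan are retired."""
    for key, rec in records.items():
        if rec["source"] == source and key not in still_present:
            rec["status"] = retired_status


def import_scan(state, scan_assets, findings, config, source, scan_date):
    """Apply one scan from `source` to `state`, following the documented rules."""
    # 1. Scan history entry first, as a child of the plan.
    state.scan_history.append({"source": source, "date": scan_date})

    # 2. Assets: everything in the scan is Active, finding or not; assets seen
    #    before from this source but missing now become Inactive.
    for name in scan_assets:
        state.assets[name] = {"status": "Active", "source": source}
    _retire(state.assets, set(scan_assets), source, "Inactive")

    # 3. Vulnerabilities: one record per CVE with its impacted-asset mapping;
    #    CVEs this source no longer reports are Closed.
    by_cve = defaultdict(set)
    for f in findings:
        by_cve[f.cve].add(f.asset)
    for cve, impacted in by_cve.items():
        state.vulns[cve] = {"status": "Open", "source": source, "assets": sorted(impacted)}
    _retire(state.vulns, set(by_cve), source, "Closed")

    # 4. Issues, only when vulnerabilityCreation asks for them.
    mode = config["vulnerabilityCreation"]
    if mode == "NoIssue":
        return state
    grouped = defaultdict(list)
    for f in findings:
        grouped[issue_key(f, config, source)].append(f)
    for key, group in grouped.items():
        impacted = sorted({f.asset for f in group})
        issue = state.issues.get(key)
        if issue is None:
            # Worst severity in the group sets the due date via dueDates.
            worst = min((f.severity for f in group), key=SEVERITY_ORDER.index)
            state.issues[key] = {
                "title": key[1],                  # CVE or plugin id per poamTitleType
                "status": "Open",
                "source": source,                 # the "Source Report" field, e.g. "Aqua"
                "isPoam": mode == "PoamCreation",
                "assets": impacted,
                "lastSeen": scan_date,
                "dueDate": scan_date + timedelta(days=config["dueDates"][worst]),
            }
        else:
            # Seen again: refresh Last Seen, stay Open, re-list impacted assets.
            issue.update(status="Open", lastSeen=scan_date, assets=impacted)
    _retire(state.issues, set(grouped), source, "Closed")
    return state


def demo(issue_creation="Consolidated", poam_title_type="Cve"):
    """Run two constructed Aqua scans through the model and return the state."""
    config = {
        "dueDates": {"high": 60, "moderate": 120, "low": 364},
        "vulnerabilityCreation": "PoamCreation",
        "issueCreation": issue_creation,
        "poamTitleType": poam_title_type,
    }
    first = [  # constructed: two hosts share one CVE, a third host has another
        Finding("web-01", "CVE-2024-0001", "12345", "high"),
        Finding("web-02", "CVE-2024-0001", "12345", "high"),
        Finding("db-01", "CVE-2024-0002", "67890", "moderate"),
    ]
    second = [Finding("web-01", "CVE-2024-0001", "12345", "high")]  # web-02 fixed, db-01 gone
    state = PlanState()
    import_scan(state, {"web-01", "web-02", "db-01"}, first, config, "Aqua", date(2024, 1, 1))
    import_scan(state, {"web-01", "web-02"}, second, config, "Aqua", date(2024, 2, 1))
    return state


if __name__ == "__main__":
    for key, issue in demo().issues.items():
        print(key, issue["status"], issue["assets"], issue["dueDate"])
```

Running `demo()` with the default Consolidated/Cve settings leaves one open POA&M for CVE-2024-0001 listing only web-01, closes the CVE-2024-0002 issue and vulnerability, and marks db-01 inactive; `demo("PerAsset")` instead produces three issues, of which only the web-01 pair stays open. Switching `poam_title_type` to "pluginId" changes the issue titles to the scanner plugin ids.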