HomeGuidesChangelog
Guides

Qualys

Suggest Edits

Qualys CLI

This CLI syncs assets from Qualys Cloud Platform (Vulnerability Management, Policy Compliance, Web Application Scanning, Container Security, and Total Cloud) into RegScale as Assets, Issues, and Vulnerabilities.

Commands

  • sync_qualys - Queries the Qualys instance for assets and vulnerability scans and syncs them to a Security Plan or Component in RegScale. Supports VMDR, Container Security, WAS, and Total Cloud.
  • get_asset_groups - Exports all asset groups from Qualys containing their Asset Group ID and Asset Group Name to a .json file.
  • export_scans - Exports a list of scans from the Qualys instance and saves to a .json file.
  • save_results - Saves scan results for a specific scan or all scans.
  • list_scans - Lists available scans and reports across Qualys modules (VMDR, WAS, Container Security, Total Cloud).
  • import_scans - Import flat file scan data (CSV or XLSX) exported from Qualys.
  • import_container_scans - Import Qualys container scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities.
  • import_policy_scans - Import Qualys policy scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities.
  • import_total_cloud - Import Qualys Total Cloud Assets and Vulnerabilities, as well as optional container scan data.
  • import_total_cloud_xml - Import Qualys Total Cloud Assets and Vulnerabilities from an existing XML file.
  • import_was_scans - Import Qualys WAS scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities.
  • validate_csv - Validate a CSV file before importing. Reads the CSV at the provided file path and provides validation output before importing.
  • list_policies - Lists all policies from Qualys Policy Compliance.
  • export_policy - Exports a specific Qualys policy to JSON format.
  • import_policy - Imports a Qualys policy JSON file into a RegScale Security Plan or Component.
  • diagnostics - Runs comprehensive diagnostics on the Qualys API integration, testing authentication and module availability across JWT, Total Cloud, WAS, Container Security, and VMDR.
  • fetch-vm-report - Fetches a VMDR scan report by ID or title and saves the report XML to disk.
  • import-vm-report - Imports a VMDR scan report and creates assets, issues, and vulnerabilities in RegScale.
  • import-cis-report - Imports Qualys CIS Benchmark reports with full POAM metadata and optional NIST 800-53 control assessment mapping.

init.yaml Configuration

The following fields in init.yaml are used by the Qualys integration:

  • qualysUrl - Base URL for the Qualys API. Follow this guide to determine the URL: Identify your Qualys platform.
  • qualysUserName - Qualys user name to log in.
  • qualysPassword - Qualys password to log in.
  • sslVerify - Set to false to disable SSL certificate verification for Qualys API calls (e.g., when using self-signed certificates). Defaults to true.
  • issues: {qualys: {high: 10, low: 365, moderate: 90, status: Draft}} - Number of days to add to today's date when setting due dates on RegScale issues based on Qualys severity, and the default status for new RegScale issues.

Qualys Setup Workflow

  1. Get the Qualys URL and paste it into the qualysUrl field in init.yaml.
  2. Create an account or use an existing account within Qualys and add the user name and password to the corresponding fields in init.yaml.
  3. If connecting to a Qualys instance with self-signed certificates, set sslVerify to false in init.yaml.
  4. Once complete, the Qualys integration is ready to use with the RegScale CLI.

Vulnerability Processing Workflow

The CLI currently supports processing Qualys assets and vulnerabilities to RegScale assets and issues. The issue processing workflow is shown below:

  • The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation.
  • The user then calls the CLI to fetch Qualys assets and vulnerabilities and if desired, save RegScale issues while setting the following flags:
    • get_asset_groups - Export all asset groups from Qualys containing their asset group ID and asset group name.
      • --save_output_to - File path to save the results as a .json file.
    • sync_qualys - The primary function of this integration. Queries Qualys assets and vulnerabilities and creates/updates related assets in RegScale.
      • --regscale_ssp_id - The RegScale Security Plan to be associated with the Qualys assets and vulnerabilities.
      • --component_id - Alternatively, sync to a RegScale Component record instead of a Security Plan. Mutually exclusive with --regscale_ssp_id.
      • --create_issue - Boolean flag to map vulnerabilities into RegScale issues. Newly created issues will use the status from init.yaml for Qualys issues.
      • --asset_group_name or --asset_group_id - Filter assets from Qualys by asset group. You cannot use both; if neither is used, all assets and vulnerabilities are fetched. Note: Asset group filters are ignored when using --include-total-cloud.
      • --include-containers - Include Container Security vulnerabilities in the sync (uses the gateway API endpoint).
      • --include-was - Include Web Application Scanning results in the sync.
      • --include-total-cloud - Use the Total Cloud API as the primary data source (includes VMs and containers). Automatically falls back to VMDR if Total Cloud fails or returns no data.
      • --tc-include-tags - Filter Total Cloud data by tag names or IDs (comma-separated). Only used with --include-total-cloud.
      • --tc-exclude-tags - Exclude tags from Total Cloud results (comma-separated). Requires --tc-include-tags. Only used with --include-total-cloud.
    • save_results - Save scan results to a file.
      • --save_output_to - File path to save the results as a .json file.
      • --scan_id - Qualys scan reference ID. If none provided, it will pull all scans.
    • export_scans - Export all Qualys scans available to the user within the last X days.
      • --save_output_to - File path to save the results as a .json file.
      • --days - Number of days to go back for completed Qualys scans, defaults to 30.
    • import_scans - Import flat file scan data exported from Qualys.
      • --folder_path - Provide a location to the scans to import.

Policy Compliance Commands

The CLI supports a full workflow for Qualys Policy Compliance:

  • list_policies - List all available policies from Qualys.
    • --output / -o - Optionally save results to a JSON file.
  • export_policy - Export a specific policy to JSON.
    • --policy-id / -id - (Required) Qualys policy ID to export.
    • --output / -o - (Required) Output JSON file path.
  • import_policy - Import a previously exported policy JSON into RegScale.
    • --policy-file / -f - (Required) Path to the JSON file from export_policy.
    • --plan-id / -p - RegScale Security Plan ID. Mutually exclusive with --component-id.
    • --component-id / -c - RegScale Component ID. Mutually exclusive with --plan-id.
    • --policy-type / -t - Override policy type.
    • --status / -s - Policy status: Active, Draft, or Archived (default: Active).

Examples:

regscale qualys list_policies
regscale qualys list_policies --output policies.json
regscale qualys export_policy --policy-id 12345 --output policy.json
regscale qualys import_policy --policy-file policy.json --plan-id 123
regscale qualys import_policy -f policy.json --component-id 456 --status Draft

VMDR Report Commands

The CLI can fetch and import VMDR scan reports directly from the Qualys API:

  • fetch-vm-report - Download a VMDR scan report by ID or title.
    • --report-id - Specific report ID to fetch.
    • --report-title - Report title to search for (case-insensitive substring match).
    • --days - Days to look back for reports (default: 30).
    • --output-dir - Directory to save report XML (default: ./artifacts).
  • import-vm-report - Import a VMDR scan report into RegScale.
    • --report-file - Path to report XML file.
    • --report-title - Alternatively, fetch and import a report by title.
    • --regscale-ssp-id - (Required) RegScale Security Plan ID.
    • --create-assets / --no-create-assets - Create/update assets (default: True).
    • --create-issues / --no-create-issues - Create issues (default: True).
    • --create-vulnerabilities / --no-create-vulnerabilities - Create vulnerabilities (default: True).

Examples:

regscale qualys fetch-vm-report --report-id 12345678
regscale qualys fetch-vm-report --report-title "FedAUTH SIT"
regscale qualys fetch-vm-report --report-title "Monthly Scan" --days 7
regscale qualys import-vm-report --report-file report.xml --regscale-ssp-id 12345
regscale qualys import-vm-report --report-title "FedAUTH SIT" --regscale-ssp-id 12345
regscale qualys import-vm-report --report-file report.xml --regscale-ssp-id 12345 --no-create-vulnerabilities

CIS Benchmark Report Command

The CLI can import Qualys CIS Benchmark reports with full POAM metadata:

  • import-cis-report - Import CIS Benchmark reports into RegScale.
    • --report-id - Specific report ID to fetch.
    • --report-title - Report title to search for (case-insensitive substring match).
    • --regscale-ssp-id - (Required) RegScale Security Plan ID.
    • --days - Days to look back for reports (default: 90).
    • --create-issues / --no-create-issues - Create Issues in RegScale for failed controls (default: True).
    • --create-vulnerabilities / --no-create-vulnerabilities - Create Vulnerabilities in RegScale (default: True).
    • --create-assets / --no-create-assets - Create Assets from CIS report hosts (default: True).
    • --create-control-assessments / --no-create-control-assessments - Create control assessments mapping CIS to NIST 800-53 (default: False).
    • --update-control-status / --no-update-control-status - Update control implementation statuses based on assessment results (default: False).

POAM metadata fields populated by this command:

  • Original Risk Rating (Critical/High/Medium/Low)
  • Remediation Description (from CIS guidelines)

Scan Discovery Commands

  • list_scans - List available scans and reports across one or more Qualys modules.
    • --days / -d - Number of days to look back (default: 30).
    • --module / -m - Module to list scans from: vmdr, was, container, total_cloud, or all (default: vmdr). Can be specified multiple times.
    • --output / -o - Save results to JSON file.

Examples:

regscale qualys list_scans
regscale qualys list_scans --days 7
regscale qualys list_scans --module was --module total_cloud
regscale qualys list_scans --module all --output scans.json
regscale qualys list_scans --module vmdr --module was --days 14

Diagnostics

  • diagnostics - Run comprehensive diagnostics on the Qualys API integration.
    • --output / -o - Output file path (default: qualys_diagnostics_<timestamp>.json).
    • --fetch-samples - Fetch sample data from APIs (hosts, containers, webapps) to validate data structure.

Examples:

regscale qualys diagnostics
regscale qualys diagnostics --fetch-samples
regscale qualys diagnostics --output /path/to/diagnostics.json

Importing CSV or XLSX files

The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues. You can also use the command validate_csv to verify your file before importing it.

Validating a CSV file before import

You can validate a .csv file before importing it with regscale qualys validate_csv and it expects the following parameters:

  • --file_path or -f - the path to the .csv file to validate
  • --skip_rows - The row number your headers are on

Qualys Expected File Format

Below are the expected columns of a Qualys CSV and XLSX file:

Header NameRequired
IPYes
DNSYes
NetBIOSYes
QG Host IDYes
IP Interfaces
Tracking Method
OSYes
IP Status
QID
TitleYes
Vuln Status
Type
SeverityYes
Port
Protocol
FQDNYes
SSL
First Detected
Last Detected
Times Detected
Date Last Fixed
First Reopened
Last Reopened
Times Reopened
CVE_IDYes
Vendor Reference
Bugtraq ID
CVSS3.1
CVSS3.1 Base
CVSS3.1 Temporal
Threat
Impact
SolutionYes
ExploitabilityYes
Associated Malware
Results
PCI Vuln
Ticket State
Instance
Category
Associated Tags
EC2 Instance ID
Public Hostname
Image ID
VPC ID
Instance State
Private Hostname
Instance Type
Account ID
Region Code
Subnet ID
QDS
ARS
ACS
TruRisk Score

Qualys Container Expected File Format

Below are the expected columns of a Qualys Container Scans CSV file:

Header NameRequiredDescription
SEVERITYYesVulnerability severity level
TITLEYesVulnerability title/name
IMAGE LABELYesContainer image label (used for asset notes and name)
THREATYesThreat description
CVE_IDYesCVE identifier(s) - can be comma-separated
SOLUTIONYesMitigation/solution details
CVSS3 BASEYesCVSS v3 base score
CVSS BASEYesCVSS base score
QIDYesQualys ID (external identifier)
CREATED ONYesFirst seen date (format: YYYY-MM-DD HH:MM:SS +TZ TZ)
UPDATEDYesLast seen date (format: YYYY-MM-DD HH:MM:SS +TZ TZ)
IMAGE UUIDYesContainer image UUID (used as asset identifier)

Additional Notes

Date Format Requirements:

  • CREATED ON and UPDATED fields must use format: YYYY-MM-DD HH:MM:SS +TZ TZ
  • Example: 2024-01-15 14:30:45 +0000 UTC

Data Validation:

  • IMAGE UUID cannot be empty, "0", "None", or "Unknown"
  • CVE_ID field supports multiple CVE IDs separated by commas
  • Asset names are truncated to 450 characters maximum
  • SEVERITY values are converted to RegScale severity mapping

Asset Properties:

  • Asset Type: VM (Virtual Machine)
  • Asset Category: Software
  • Asset Status: Active
  • Asset Name: Derived from IMAGE LABEL field
  • Asset Identifier: IMAGE UUID value

Vulnerability Properties:

  • Status: Open (default)
  • Plugin Name: Uses CVE ID value
  • DNS Field: Populated with IMAGE UUID for tracking

Example Commands

Query Qualys using a defined asset group ID from the Qualys platform and relate it to an existing RegScale SSP. If any vulnerabilities are found, issues will be created in RegScale.

regscale qualys sync_qualys --asset_group_id 71413 --regscale_ssp_id 2 --create_issue True
regscale qualys sync_qualys --regscale_ssp_id 2 --create_issue True --include-total-cloud --include-containers --include-was
regscale qualys sync_qualys --component_id 15 --create_issue True --include-total-cloud --tc-include-tags "Production,Critical"
regscale qualys get_asset_groups --save_output_to ./qualys_data/asset_groups
regscale qualys import_scans --regscale_ssp_id 34 --folder_path ./data/qualys
regscale qualys import_container_scans --regscale_ssp_id 255 -f /tmp/containers
regscale qualys import_total_cloud --regscale_ssp_id 255 --containers True
regscale qualys import_total_cloud_xml --regscale_ssp_id 255 -f /tmp/xmlfile.xml
regscale qualys validate_csv -f artifacts/imports/qualys/Qualys_export.csv --skip_rows 5
regscale qualys diagnostics --fetch-samples
regscale qualys list_scans --module all --days 7

init.yaml Example

For a basic Qualys integration with RegScale, the following init.yaml structure is necessary (example/notional key structure shown below, replace with actual customer keys):

domain: https://mycompany.regscale.com
qualysPassword: My5UP3r_SeCR3t-P@$sw0rD!
qualysUrl: https://qualysapi.qg3.apps.qualys.com/
qualysUserName: regscale1234
sslVerify: false  # Set to false for self-signed certificates; defaults to true
issues:
  qualys:
    high: 10
    low: 365
    moderate: 90
    status: Draft

Building a Bash Script to Execute the CLI

You can chain together RegScale CLI commands using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example Bash file (named "regscaleScheduler.sh") in Ubuntu for executing the Qualys CLI that pulls all assets and their vulnerabilities after authenticating and assigns them to a specific Security Plan in RegScale:

#!/bin/sh

# Sync assets from Qualys (VMDR + Total Cloud + Containers + WAS) and relate to RegScale SSP #2
regscale qualys sync_qualys --regscale_ssp_id 2 --create_issue True --include-total-cloud --include-containers --include-was

To execute the Bash file, run this command: /path/to/folder/regscaleScheduler.sh. You can chain together any arbitrary set of CLI commands to have them execute sequentially.

NOTE: See All Scanner Integrations for information about how this updates Issues/POAMs.

Updated 20 days ago