Qualys
Qualys CLI
This CLI is able to sync assets from Qualys along with their vulnerabilities from Qualys Cloud Platform (Vulnerability Manager, Policy Compliance, and Container Security) into RegScale as Issues.
- sync_qualys - queries the Qualys instance for assets and vulnerability scans and syncs them to a Security Plan in RegScale
- get_asset_groups - exports all asset groups from Qualys containing their Asset Group ID and Asset Group Name to a .json file
- show_mapping - displays to the user the mapping file used for custom Qualys csv imports, if any.
- export_scans - exports a list of scans from the Qualys instance and saves to a .json file
- save_results - save scan results for a specific scan or all scans
- import_container_scans - Import Qualys container scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities.
- import_policy_scans - Import Qualys policy scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities.
- import_scans - Import flat file scan data
- import_total_cloud - Import Qualys Total Cloud Assets and Vulnerabilities, as well as optional container scan data.
- import_total_cloud_xml - Import Qualys Total Cloud Assets and Vulnerabilities from an existing XML file
- import_was_scans - Import Qualys WAS scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities
- validate_csv - Validate a CSV file before importing. This command reads the CSV at the provided file path and reports validation results before you import the file
init.yaml Configuration
There are multiple pieces of information needed to configure the Qualys integration via the CLI:
- qualysUrl - base URL for the Qualys API. Follow this guide to determine the URL: Identify your Qualys platform
- qualysUserName - Qualys user name to log in
- qualysPassword - Qualys password to log in
- issues: {qualys: {high: 10, low: 365, moderate: 90, status: Draft}} - number of days to add to today's date when setting due dates on RegScale issues based on the Qualys severity index, and the status to use for a new RegScale issue.
Qualys Setup Workflow
- Get the Qualys URL and paste it into the qualysUrl field in init.yaml.
- Create an account or use an existing account within Qualys and add the user name and password to the corresponding fields in init.yaml.
Once this is complete, the Qualys integration is ready to use with the RegScale CLI.
Vulnerability Processing Workflow
The CLI currently supports processing Qualys assets and vulnerabilities to RegScale assets and issues. The issue processing workflow is shown below:
- The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation
- The user then calls the CLI to fetch Qualys assets and vulnerabilities and, if desired, save RegScale issues while setting the following flags:
  - get_asset_groups - export all asset groups from Qualys containing their asset group ID and asset group name
    - --save_output_to - file path to save the results as a .json file
  - sync_qualys - The primary function of this integration: query Qualys assets and vulnerabilities and create/update any related assets in RegScale.
    - --asset_group_name or --asset_group_id - Filter assets from Qualys to add to your Security Plan in RegScale with the provided argument. (NOTE: You cannot use both of these filters; if you do not use one, it will grab all assets and their vulnerabilities from Qualys)
    - --regscale_ssp_id - the RegScale security plan to be associated with the Qualys assets and vulnerabilities
    - --create_issue - a boolean flag to set if the CLI user would like to map these vulnerabilities into RegScale issues. Newly created issues will be set to the status from init.yaml for Qualys issues in RegScale.
  - save_results - a list of query definitions
    - --save_output_to - file path to save the results as a .json file
    - --scan_id - Qualys scan reference ID; if none is provided, it will pull all scans
  - export_scans - an export of all Qualys scans available to the user within the last X days
    - --save_output_to - file path to save the results as a .json file
    - --days - number of days to go back for completed Qualys scans, defaults to 30
  - import_scans - import flat file scan data exported from Qualys
    - --folder_path - provide a location to the scans to import
Importing CSV or XLSX files
The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues. You can also use the command validate_csv to verify your file before importing it.
Validating a CSV file before import
You can validate a .csv file before importing it with regscale qualys validate_csv. It expects the following parameters:
- --file_path or -f - the path to the .csv file to validate
- --skip_rows - The row number your headers are on
Validation Output
❯ regscale qualys validate_csv -f artifacts/imports/qualys/Qualys_export_20250620-034445PM.csv --skip_rows 12
Reading CSV file: artifacts/imports/qualys/Qualys_export_20250620-034445PM.csv
Skipping first 12 rows
✅ Successfully read CSV file
✅ Found 55 columns and 573 rows
Columns Found in CSV
┏━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┓
┃ Index ┃ Column Name ┃
┡━━━━━━━╇━━━━━━━━━━━━━━━━━━━━┩
│ 0 │ IP │
│ 1 │ DNS │
│ 2 │ NetBIOS │
│ 3 │ QG Host ID │
│ 4 │ IP Interfaces │
│ 5 │ Tracking Method │
│ 6 │ OS │
│ 7 │ IP Status │
│ 8 │ QID │
│ 9 │ Title │
│ 10 │ Vuln Status │
│ 11 │ Type │
│ 12 │ Severity │
│ 13 │ Port │
│ 14 │ Protocol │
│ 15 │ FQDN │
│ 16 │ SSL │
│ 17 │ First Detected │
│ 18 │ Last Detected │
│ 19 │ Times Detected │
│ 20 │ Date Last Fixed │
│ 21 │ First Reopened │
│ 22 │ Last Reopened │
│ 23 │ Times Reopened │
│ 24 │ CVE ID │
│ 25 │ Vendor Reference │
│ 26 │ Bugtraq ID │
│ 27 │ CVSS3.1 │
│ 28 │ CVSS3.1 Base │
│ 29 │ CVSS3.1 Temporal │
│ 30 │ Threat │
│ 31 │ Impact │
│ 32 │ Solution │
│ 33 │ Exploitability │
│ 34 │ Associated Malware │
│ 35 │ Results │
│ 36 │ PCI Vuln │
│ 37 │ Ticket State │
│ 38 │ Instance │
│ 39 │ Category │
│ 40 │ Associated Tags │
│ 41 │ EC2 Instance ID │
│ 42 │ Public Hostname │
│ 43 │ Image ID │
│ 44 │ VPC ID │
│ 45 │ Instance State │
│ 46 │ Private Hostname │
│ 47 │ Instance Type │
│ 48 │ Account ID │
│ 49 │ Region Code │
│ 50 │ Subnet ID │
│ 51 │ QDS │
│ 52 │ ARS │
│ 53 │ ACS │
│ 54 │ TruRisk Score │
└───────┴────────────────────┘
Checking for required headers:
✅ Severity
✅ Title
✅ Exploitability
✅ CVE ID
✅ Solution
✅ DNS
✅ IP
✅ QG Host ID
✅ OS
✅ NetBIOS
✅ FQDN
🎉 All required headers found! File should import successfully.
Sample data (first 3 rows):
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┓
┃ IP ┃ DNS ┃ NetBIOS ┃ QG Host ID ┃ IP Interfaces ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━┩
│ 10.40.45.69 │ ip-10-40-45-69.gov.coalfire.co │ nan │ %HostID% │ nan │
│ 10.40.45.69 │ ip-10-40-45-69.gov.coalfire.co │ nan │ %HostID% │ nan │
│ 10.40.45.69 │ ip-10-40-45-69.gov.coalfire.co │ nan │ %HostID% │ nan │
└─────────────┴────────────────────────────────┴─────────┴────────────┴───────────────┘
... and 50 more columns
Qualys Expected File Format
Below are the expected columns of a Qualys CSV and XLSX file:
Header Name | Required |
---|---|
IP | Yes |
DNS | Yes |
NetBIOS | Yes |
QG Host ID | Yes |
IP Interfaces | |
Tracking Method | |
OS | Yes |
IP Status | |
QID | |
Title | Yes |
Vuln Status | |
Type | |
Severity | Yes |
Port | |
Protocol | |
FQDN | Yes |
SSL | |
First Detected | |
Last Detected | |
Times Detected | |
Date Last Fixed | |
First Reopened | |
Last Reopened | |
Times Reopened | |
CVE_ID | Yes |
Vendor Reference | |
Bugtraq ID | |
CVSS3.1 | |
CVSS3.1 Base | |
CVSS3.1 Temporal | |
Threat | |
Impact | |
Solution | Yes |
Exploitability | Yes |
Associated Malware | |
Results | |
PCI Vuln | |
Ticket State | |
Instance | |
Category | |
Associated Tags | |
EC2 Instance ID | |
Public Hostname | |
Image ID | |
VPC ID | |
Instance State | |
Private Hostname | |
Instance Type | |
Account ID | |
Region Code | |
Subnet ID | |
QDS | |
ARS | |
ACS | |
TruRisk Score | |
Qualys Container Expected File Format
Below are the expected columns of a Qualys Container Scans CSV file:
Header Name | Required | Description |
---|---|---|
SEVERITY | Yes | Vulnerability severity level |
TITLE | Yes | Vulnerability title/name |
IMAGE LABEL | Yes | Container image label (used for asset notes and name) |
THREAT | Yes | Threat description |
CVE_ID | Yes | CVE identifier(s) - can be comma-separated |
SOLUTION | Yes | Mitigation/solution details |
CVSS3 BASE | Yes | CVSS v3 base score |
CVSS BASE | Yes | CVSS base score |
QID | Yes | Qualys ID (external identifier) |
CREATED ON | Yes | First seen date (format: YYYY-MM-DD HH:MM:SS +TZ TZ) |
UPDATED | Yes | Last seen date (format: YYYY-MM-DD HH:MM:SS +TZ TZ) |
IMAGE UUID | Yes | Container image UUID (used as asset identifier) |
Additional Notes
Date Format Requirements:
- CREATED ON and UPDATED fields must use format: YYYY-MM-DD HH:MM:SS +TZ TZ
- Example: 2024-01-15 14:30:45 +0000 UTC
Data Validation:
- IMAGE UUID cannot be empty, "0", "None", or "Unknown"
- CVE_ID field supports multiple CVE IDs separated by commas
- Asset names are truncated to 450 characters maximum
- SEVERITY values are converted to RegScale severity mapping
Asset Properties:
- Asset Type: VM (Virtual Machine)
- Asset Category: Software
- Asset Status: Active
- Asset Name: Derived from IMAGE LABEL field
- Asset Identifier: IMAGE UUID value
Vulnerability Properties:
- Status: Open (default)
- Plugin Name: Uses CVE ID value
- DNS Field: Populated with IMAGE UUID for tracking
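The following is an added example, not part of the RegScale CLI or its documentation: a Python pre-import check that applies the container CSV rules listed above (required headers, rejected IMAGE UUID values, comma-separated CVE_ID, the CREATED ON / UPDATED date format, and the 450-character asset name limit) row by row. The function names, the CVE syntax check, and the sample rows are assumptions made for illustration; the CVE, QID and UUID values are placeholders.

```python
import csv
import io
import re
from datetime import datetime

# Required headers from the "Qualys Container Expected File Format" table.
REQUIRED = ["SEVERITY", "TITLE", "IMAGE LABEL", "THREAT", "CVE_ID", "SOLUTION",
            "CVSS3 BASE", "CVSS BASE", "QID", "CREATED ON", "UPDATED", "IMAGE UUID"]
BAD_UUIDS = {"", "0", "None", "Unknown"}    # rejected IMAGE UUID values
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # assumption: standard CVE id syntax
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) [A-Za-z]+$")

# Constructed sample (placeholder CVE/QID/UUID values): row 2 valid, row 3 has two problems.
SAMPLE = (
    ",".join(REQUIRED) + "\n"
    '4,Finding A,registry.example/app:1.0,threat text,"CVE-0000-0001, CVE-0000-0002",'
    "upgrade,7.5,5.0,000001,2024-01-15 14:30:45 +0000 UTC,2024-01-16 09:00:00 +0000 UTC,img-0001\n"
    "3,Finding B,registry.example/app:1.0,threat text,CVE-0000-0003,"
    "upgrade,5.3,4.0,000002,01/15/2024 14:30,2024-01-16 09:00:00 +0000 UTC,Unknown\n"
)

def parse_qualys_date(value):
    """Return an aware datetime, or None unless value is 'YYYY-MM-DD HH:MM:SS +TZ TZ'."""
    m = DATE_RE.match(value.strip())
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z") if m else None
    except ValueError:  # right shape but impossible date, e.g. month 13
        return None

def validate_container_csv(text):
    """Return [(row_number, problem)]; an empty list means no listed rule was violated."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in REQUIRED if h not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing required headers: " + ", ".join(missing))]
    problems = []
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        if (row["IMAGE UUID"] or "").strip() in BAD_UUIDS:
            problems.append((n, "IMAGE UUID is empty or a placeholder"))
        for cve in filter(None, (c.strip() for c in (row["CVE_ID"] or "").split(","))):
            if not CVE_RE.match(cve):
                problems.append((n, f"malformed CVE id: {cve!r}"))
        for col in ("CREATED ON", "UPDATED"):
            if parse_qualys_date(row[col] or "") is None:
                problems.append((n, f"{col} not in 'YYYY-MM-DD HH:MM:SS +TZ TZ' format"))
        if len(row["IMAGE LABEL"] or "") > 450:
            problems.append((n, "IMAGE LABEL over 450 chars; asset name will be truncated"))
    return problems
```

Calling validate_container_csv(SAMPLE) reports the placeholder UUID and the malformed CREATED ON value on row 3; pass the text of a real export in place of SAMPLE before running import_container_scans.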
Example Commands
Query Qualys using a defined asset group ID from the Qualys platform and relate it to an existing RegScale SSP. If any vulnerabilities are found, issues will be created in RegScale.
regscale qualys sync_qualys --asset_group_id 71413 --regscale_ssp_id 2 --create_issue True
regscale qualys get_asset_groups --save_output_to ./qualys_data/asset_groups
regscale qualys import_scans --regscale_ssp_id 34 --folder_path ./data/qualys
regscale qualys import_container_scans --regscale_ssp_id 255 -f /tmp/containers
regscale qualys import_total_cloud_xml --regscale_ssp_id 255 -f /tmp/xmlfile.xml
regscale qualys validate_csv -f artifacts/imports/qualys/Qualys_export_20250620-034445PM.csv --skip_rows 5
regscale qualys import_total_cloud --regscale_ssp_id 255 --containers True
init.yaml Example
For a basic Qualys integration with RegScale, the following init.yaml structure is necessary (example/notional key structure shown below, replace with actual customer keys):
domain: https://mycompany.regscale.com
qualysPassword: My5UP3r_SeCR3t-P@$sw0rD!
qualysUrl: https://qualysapi.qg3.apps.qualys.com/
qualysUserName: regscale1234
issues:
  qualys:
    high: 10
    low: 365
    moderate: 90
    status: Draft
Building a Bash Script to Execute the CLI
You can chain together RegScale CLI commands using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example Bash file (named "regscaleScheduler.sh") in Ubuntu for executing the Qualys CLI that pulls all assets and their vulnerabilities after authenticating and assigns them to a specific Security Plan in RegScale:
#!/bin/sh
# Sync all Qualys assets and their vulnerabilities into RegScale SSP #2 and create issues
regscale qualys sync_qualys --regscale_ssp_id 2 --create_issue True
To execute the Bash file, run this command: /path/to/folder/regscaleScheduler.sh. You can chain together any arbitrary set of CLI commands to have them execute sequentially.
NOTE: See All Scanner Integrations for information about how this updates Issues/POAMs