
Qualys CLI

This CLI is able to sync assets from Qualys along with their vulnerabilities from Qualys Cloud Platform (Vulnerability Manager, Policy Compliance, and Container Security) into RegScale as Issues.

  • sync_qualys - queries the Qualys instance for assets and vulnerability scans and syncs them to a Security Plan in RegScale
  • get_asset_groups - exports all asset groups from Qualys containing their Asset Group ID and Asset Group Name to a .json file
  • show_mapping - displays to the user the mapping file used for custom Qualys csv imports, if any.
  • export_scans - exports a list of scans from the Qualys instance and saves to a .json file
  • save_results - save scan results for a specific scan or all scans
  • import_container_scans - Import Qualys container scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities.
  • import_policy_scans - Import Qualys policy scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities.
  • import_scans - Import flat file scan data
  • import_total_cloud - Import Qualys Total Cloud Assets and Vulnerabilities, as well as optional container scan data.
  • import_total_cloud_xml - Import Qualys Total Cloud Assets and Vulnerabilities from an existing XML file
  • import_was_scans - Import Qualys WAS scans from a CSV file into a RegScale Security Plan as assets and vulnerabilities
  • validate_csv - Validate a CSV file before importing. This command reads the CSV at the provided file path and reports whether it is ready to import.

init.yaml Configuration

There are multiple pieces of information needed to configure the Qualys integration via the CLI:

  • qualysUrl - base URL for the Qualys API. Follow this guide to determine the URL: Identify your Qualys platform
  • qualysUserName - Qualys user name to log in
  • qualysPassword - Qualys password to log in
  • issues: {qualys: {high: 10, low: 365, moderate: 90, status: Draft}} - the number of days to add to today's date when setting due dates on RegScale issues, based on the Qualys severity index, and the status to use for a new RegScale issue.

Qualys Setup Workflow

  1. Get the Qualys URL and paste it into the qualysUrl field in init.yaml.
  2. Create an account or use an existing account within Qualys and add the user name and password to the corresponding fields in init.yaml. Once this is complete, the Qualys integration is ready to use with the RegScale CLI.

Vulnerability Processing Workflow

The CLI currently supports processing Qualys assets and vulnerabilities to RegScale assets and issues. The issue processing workflow is shown below:

  • The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation
  • The user then calls the CLI to fetch Qualys assets and vulnerabilities and if desired, save RegScale issues while setting the following flags:
    • get_asset_groups - export all asset groups from Qualys containing their asset group ID and asset group name
      • --save_output_to - file path to save the results as a .json file
    • sync_qualys - The primary function of this integration, query Qualys assets and vulnerabilities and create/update any related assets to RegScale.
      • --asset_group_name or --asset_group_id - filter assets from Qualys to add to your Security Plan in RegScale with the provided argument. (NOTE: You cannot use both of these filters. If you do not use either one, it will grab all assets and their vulnerabilities from Qualys.)
      • --regscale_ssp_id - the RegScale security plan to be associated with the Qualys assets and vulnerabilities
      • --create_issue - a boolean flag to set if the CLI user would like to map these vulnerabilities into RegScale issues. Newly created issues will be set to the status from init.yaml for Qualys issues in RegScale.
    • save_results - a list of query definitions
      • --save_output_to - file path to save the results as a .json file
      • --scan_id - Qualys scan reference ID, if none provided it will pull all scans
    • export_scans - an export of all Qualys scans available to the user within the last X days
      • --save_output_to - file path to save the results as a .json file
      • --days - number of days to go back for completed Qualys scans, defaults to 30
    • import_scans - import flat file scan data exported from Qualys
      • --folder_path - provide a location to the scans to import

Importing CSV or XLSX files

The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues. You can also use the command validate_csv to verify your file before importing it.

Validating a CSV file before import

You can validate a .csv file before importing it with regscale qualys validate_csv, which expects the following parameters:

  • --file_path or -f - the path to the .csv file to validate
  • --skip_rows - The row number your headers are on

Validation Output

❯ regscale qualys validate_csv -f artifacts/imports/qualys/Qualys_export_20250620-034445PM.csv --skip_rows 12
Reading CSV file: artifacts/imports/qualys/Qualys_export_20250620-034445PM.csv
Skipping first 12 rows
✅ Successfully read CSV file
✅ Found 55 columns and 573 rows
     Columns Found in CSV     
┏━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┓
┃ Index ┃ Column Name        ┃
┡━━━━━━━╇━━━━━━━━━━━━━━━━━━━━┩
│ 0     │ IP                 │
│ 1     │ DNS                │
│ 2     │ NetBIOS            │
│ 3     │ QG Host ID         │
│ 4     │ IP Interfaces      │
│ 5     │ Tracking Method    │
│ 6     │ OS                 │
│ 7     │ IP Status          │
│ 8     │ QID                │
│ 9     │ Title              │
│ 10    │ Vuln Status        │
│ 11    │ Type               │
│ 12    │ Severity           │
│ 13    │ Port               │
│ 14    │ Protocol           │
│ 15    │ FQDN               │
│ 16    │ SSL                │
│ 17    │ First Detected     │
│ 18    │ Last Detected      │
│ 19    │ Times Detected     │
│ 20    │ Date Last Fixed    │
│ 21    │ First Reopened     │
│ 22    │ Last Reopened      │
│ 23    │ Times Reopened     │
│ 24    │ CVE ID             │
│ 25    │ Vendor Reference   │
│ 26    │ Bugtraq ID         │
│ 27    │ CVSS3.1            │
│ 28    │ CVSS3.1 Base       │
│ 29    │ CVSS3.1 Temporal   │
│ 30    │ Threat             │
│ 31    │ Impact             │
│ 32    │ Solution           │
│ 33    │ Exploitability     │
│ 34    │ Associated Malware │
│ 35    │ Results            │
│ 36    │ PCI Vuln           │
│ 37    │ Ticket State       │
│ 38    │ Instance           │
│ 39    │ Category           │
│ 40    │ Associated Tags    │
│ 41    │ EC2 Instance ID    │
│ 42    │ Public Hostname    │
│ 43    │ Image ID           │
│ 44    │ VPC ID             │
│ 45    │ Instance State     │
│ 46    │ Private Hostname   │
│ 47    │ Instance Type      │
│ 48    │ Account ID         │
│ 49    │ Region Code        │
│ 50    │ Subnet ID          │
│ 51    │ QDS                │
│ 52    │ ARS                │
│ 53    │ ACS                │
│ 54    │ TruRisk Score      │
└───────┴────────────────────┘

Checking for required headers:
✅ Severity
✅ Title
✅ Exploitability
✅ CVE ID
✅ Solution
✅ DNS
✅ IP
✅ QG Host ID
✅ OS
✅ NetBIOS
✅ FQDN

🎉 All required headers found! File should import successfully.

Sample data (first 3 rows):
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┓
┃ IP          ┃ DNS                            ┃ NetBIOS ┃ QG Host ID ┃ IP Interfaces ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━━┩
│ 10.40.45.69 │ ip-10-40-45-69.gov.coalfire.co │ nan     │ %HostID%   │ nan           │
│ 10.40.45.69 │ ip-10-40-45-69.gov.coalfire.co │ nan     │ %HostID%   │ nan           │
│ 10.40.45.69 │ ip-10-40-45-69.gov.coalfire.co │ nan     │ %HostID%   │ nan           │
└─────────────┴────────────────────────────────┴─────────┴────────────┴───────────────┘
... and 50 more columns

Qualys Expected File Format

Below are the expected columns of a Qualys CSV and XLSX file:

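| Header Name | Required |
|---|---|
| IP | Yes |
| DNS | Yes |
| NetBIOS | Yes |
| QG Host ID | Yes |
| IP Interfaces | |
| Tracking Method | |
| OS | Yes |
| IP Status | |
| QID | |
| Title | Yes |
| Vuln Status | |
| Type | |
| Severity | Yes |
| Port | |
| Protocol | |
| FQDN | Yes |
| SSL | |
| First Detected | |
| Last Detected | |
| Times Detected | |
| Date Last Fixed | |
| First Reopened | |
| Last Reopened | |
| Times Reopened | |
| CVE_ID | Yes |
| Vendor Reference | |
| Bugtraq ID | |
| CVSS3.1 | |
| CVSS3.1 Base | |
| CVSS3.1 Temporal | |
| Threat | |
| Impact | |
| Solution | Yes |
| Exploitability | Yes |
| Associated Malware | |
| Results | |
| PCI Vuln | |
| Ticket State | |
| Instance | |
| Category | |
| Associated Tags | |
| EC2 Instance ID | |
| Public Hostname | |
| Image ID | |
| VPC ID | |
| Instance State | |
| Private Hostname | |
| Instance Type | |
| Account ID | |
| Region Code | |
| Subnet ID | |
| QDS | |
| ARS | |
| ACS | |
| TruRisk Score | |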

Qualys Container Expected File Format

Below are the expected columns of a Qualys Container Scans CSV file:

| Header Name | Required | Description |
|---|---|---|
| SEVERITY | Yes | Vulnerability severity level |
| TITLE | Yes | Vulnerability title/name |
| IMAGE LABEL | Yes | Container image label (used for asset notes and name) |
| THREAT | Yes | Threat description |
| CVE_ID | Yes | CVE identifier(s) - can be comma-separated |
| SOLUTION | Yes | Mitigation/solution details |
| CVSS3 BASE | Yes | CVSS v3 base score |
| CVSS BASE | Yes | CVSS base score |
| QID | Yes | Qualys ID (external identifier) |
| CREATED ON | Yes | First seen date (format: YYYY-MM-DD HH:MM:SS +TZ TZ) |
| UPDATED | Yes | Last seen date (format: YYYY-MM-DD HH:MM:SS +TZ TZ) |
| IMAGE UUID | Yes | Container image UUID (used as asset identifier) |

Additional Notes

Date Format Requirements:

  • CREATED ON and UPDATED fields must use format: YYYY-MM-DD HH:MM:SS +TZ TZ
  • Example: 2024-01-15 14:30:45 +0000 UTC

Data Validation:

  • IMAGE UUID cannot be empty, "0", "None", or "Unknown"
  • CVE_ID field supports multiple CVE IDs separated by commas
  • Asset names are truncated to 450 characters maximum
  • SEVERITY values are converted to RegScale severity mapping

Asset Properties:

  • Asset Type: VM (Virtual Machine)
  • Asset Category: Software
  • Asset Status: Active
  • Asset Name: Derived from IMAGE LABEL field
  • Asset Identifier: IMAGE UUID value

Vulnerability Properties:

  • Status: Open (default)
  • Plugin Name: Uses CVE ID value
  • DNS Field: Populated with IMAGE UUID for tracking
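
A pre-flight check for a container scan CSV that applies the required-header, IMAGE UUID, date format and comma-separated CVE_ID rules listed above. This is an added example, not RegScale's own code; the function names and the constructed sample rows, including the placeholder CVE IDs, are assumptions.

```python
import csv
import io
from datetime import datetime

# Headers and rules come from the container format table and notes above.
REQUIRED = ["SEVERITY", "TITLE", "IMAGE LABEL", "THREAT", "CVE_ID", "SOLUTION",
            "CVSS3 BASE", "CVSS BASE", "QID", "CREATED ON", "UPDATED", "IMAGE UUID"]
BAD_UUIDS = {"", "0", "None", "Unknown"}  # values the notes say are not allowed

# Constructed sample export (not real scan data): row 2 is clean, row 3 has a
# placeholder UUID and an UPDATED value without the "+TZ TZ" suffix.
SAMPLE = (
    ",".join(REQUIRED) + "\n"
    '4,Example finding,app:1.0,Example threat,"CVE-0000-0001,CVE-0000-0002",'
    "Upgrade,7.5,5.0,100001,2024-01-15 14:30:45 +0000 UTC,"
    "2024-01-16 09:00:00 +0000 UTC,11111111-2222-3333-4444-555555555555\n"
    "3,Other finding,db:2.1,Example threat,CVE-0000-0003,Patch,5.3,4.0,100002,"
    "2024-01-15 14:30:45 +0000 UTC,2024-01-16 09:00:00,Unknown\n"
)


def parse_qualys_date(value):
    """Parse 'YYYY-MM-DD HH:MM:SS +TZ TZ' by dropping the trailing zone name."""
    stamp, _, _zone_name = value.strip().rpartition(" ")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")


def split_cves(value):
    """Split a comma-separated CVE_ID cell into individual identifiers."""
    return [cve.strip() for cve in value.split(",") if cve.strip()]


def check_container_csv(text):
    """Return (row_number, problem) tuples; an empty list means no issues found."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in REQUIRED if h not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing headers: " + ", ".join(missing))]
    problems = []
    for row_no, row in enumerate(reader, start=2):
        if (row["IMAGE UUID"] or "").strip() in BAD_UUIDS:
            problems.append((row_no, "IMAGE UUID is empty or a placeholder"))
        for field in ("CREATED ON", "UPDATED"):
            try:
                parse_qualys_date(row[field] or "")
            except ValueError:
                problems.append((row_no, field + " is not 'YYYY-MM-DD HH:MM:SS +TZ TZ'"))
    return problems
```

A CVE_ID cell holding several IDs must be quoted in the CSV, as in the first sample row; otherwise its commas shift every later column.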

Example Commands

Query Qualys using a defined asset group ID from the Qualys platform and relate it to an existing RegScale SSP. If any vulnerabilities are found, issues will be created in RegScale.

  • regscale qualys sync_qualys --asset_group_id 71413 --regscale_ssp_id 2 --create_issue True
  • regscale qualys get_asset_groups --save_output_to ./qualys_data/asset_groups
  • regscale qualys import_scans --regscale_ssp_id 34 --folder_path ./data/qualys
  • regscale qualys import_container_scans --regscale_ssp_id 255 -f /tmp/containers
  • regscale qualys import_total_cloud_xml --regscale_ssp_id 255 -f /tmp/xmlfile.xml
  • regscale qualys validate_csv -f artifacts/imports/qualys/Qualys_export_20250620-034445PM.csv --skip_rows 5
  • regscale qualys import_total_cloud --regscale_ssp_id 255 --containers True

init.yaml Example

For a basic Qualys integration with RegScale, the following init.yaml structure is necessary (example/notional key structure shown below, replace with actual customer keys):

domain: https://mycompany.regscale.com
qualysPassword: My5UP3r_SeCR3t-P@$sw0rD!
qualysUrl: https://qualysapi.qg3.apps.qualys.com/
qualysUserName: regscale1234
issues:
  qualys:
    high: 10
    low: 365
    moderate: 90
    status: Draft

Building a Bash Script to Execute the CLI

You can chain together RegScale CLI commands using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example Bash file (named "regscaleScheduler.sh") in Ubuntu for executing the Qualys CLI that pulls all assets and their vulnerabilities after authenticating and assigns them to a specific Security Plan in RegScale:

#!/bin/sh

# Sync all Qualys assets and their vulnerabilities to RegScale SSP #2 and create issues
regscale qualys sync_qualys --regscale_ssp_id 2 --create_issue True

To execute the Bash file, run this command: /path/to/folder/regscaleScheduler.sh. You can chain together any arbitrary set of CLI commands to have them execute sequentially.

NOTE: See All Scanner Integrations for information about how this updates Issues/POAMs