Package: Invicti AppSec Enterprise (on-premise, on-demand)
Qualys CS
Qualys Container Security scans container images for vulnerabilities and misconfigurations using the Qualys Cloud Platform. In Invicti AppSec, the integration connects to your Qualys instance to import container image vulnerability findings.
Prerequisites
| Field | Description |
|---|---|
| Username | Qualys platform username |
| Password | Qualys platform password |
| URL | The base URL of your Qualys platform instance (e.g., https://qualysapi.qualys.com) |
Get Credentials (on Qualys Side)
- Use your existing Qualys platform credentials (username and password).
- Ensure the account has access to the Container Security module in the Qualys Cloud Platform.
- Confirm the correct API URL for your Qualys subscription region (e.g., https://qualysapi.qualys.com for US, https://qualysapi.qg2.apps.qualys.com for US2, https://qualysapi.qg1.apps.qualys.eu for EU).
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the CS Tab
On the Integrations > Scanners page, click on the CS tab.

Step 3: Find and Activate Qualys CS
Scroll through the list of CS scanners to find Qualys CS.
- If Qualys CS is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Qualys CS card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Username | Qualys platform username | Yes |
| Password | Qualys platform password | Yes |
| URL | Base URL of your Qualys platform API endpoint | Yes |
| Insecure | Skip TLS certificate verification (use only for self-signed certificates) | No |

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the Qualys API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CS tab |
| 3 | Activate Qualys CS |
| 4 | Enter Username, Password, and URL |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Qualys CS Scanner
- Select CS as the scanner type.
- Choose Qualys CS from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | The deployment environment (e.g., feature, production) | No |
| Bind to | Select the container image from Qualys to associate with this scan | Yes |
| Branch | Source code branch for this scan | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Fork Default Branch / Fork Source Branch | Enable to fork scan results from the default or source branch | No |
Bind to links the Invicti AppSec project to a specific container image tracked in Qualys Container Security. Vulnerability findings from that image will be imported into the project.

Scheduler
Enable the Scheduler toggle to automatically run Qualys CS scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t qualyscs -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid username or password | Verify the credentials against your Qualys platform account. Reset the password in Qualys if needed. |
| Wrong URL | Confirm the Qualys API URL matches your subscription region. Check the Qualys documentation for the correct endpoint for your region. |
| URL unreachable | Confirm the Qualys API URL is reachable from the Invicti AppSec server. Check firewall and proxy settings. |
| TLS certificate error | If using a self-signed certificate, enable the Insecure option in the connection settings. |
| No Container Security access | Ensure the Qualys account has the Container Security module enabled and the user has sufficient permissions. |
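To tell the "URL unreachable" and "TLS certificate error" rows apart before touching the Insecure option, the following added example (not part of Invicti's or Qualys's documentation or tooling) attempts a fully verified TLS handshake against the configured URL and names the cause of any failure. Run it from the Invicti AppSec server; the function names and cause labels are assumptions made for this example.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit

# OpenSSL X.509 verify codes grouped by the cause they indicate.
VERIFY_CAUSES = {
    18: "self-signed",       # self-signed leaf certificate
    19: "self-signed",       # self-signed certificate in the chain
    20: "untrusted-issuer",  # issuer not in the local trust store
    21: "untrusted-issuer",  # leaf signature cannot be verified
    10: "expired",
    62: "hostname-mismatch",
}

def endpoint(url):
    """Return (host, port) for the integration URL; reject anything but HTTPS."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https:// URL, got {url!r}")
    return parts.hostname, parts.port or 443

def classify(exc):
    """Map a connection exception to a troubleshooting cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return VERIFY_CAUSES.get(getattr(exc, "verify_code", None), "tls-verify-failed")
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    if isinstance(exc, socket.gaierror):
        return "dns-failure"
    return "unreachable"  # refused, timed out, filtered by firewall or proxy

def probe(url, timeout=5.0):
    """Attempt a fully verified TLS handshake; return 'ok' or a cause label."""
    host, port = endpoint(url)
    ctx = ssl.create_default_context()  # verification and hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    # Pass the value of the URL field as the first argument.
    print(probe(sys.argv[1]))
```

Only a `self-signed` result matches the case the Insecure field is documented for; `expired`, `hostname-mismatch`, `dns-failure` and `unreachable` point to the URL, certificate or network path instead.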
Scan Issues
| Issue | Resolution |
|---|---|
| No images available in Bind to dropdown | Ensure at least one container image has been scanned in Qualys Container Security and is accessible via the API credentials provided. |
| Scan shows no findings | The image may have no known vulnerabilities, or the Qualys scan may not have completed yet. Check the Qualys console. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use a dedicated Qualys user account for Invicti AppSec with the minimum required permissions (read-only access to Container Security data).
- Do not share Qualys credentials across multiple integrations; separate credentials per integration simplify credential rotation and audit trails.
- Associate each Invicti AppSec project with the specific container image that represents its production artifact for accurate vulnerability tracking.
- Use the Scheduler to align scans with your container image rebuild cadence so findings always reflect the latest image state.
- Confirm the Qualys API URL for your subscription region before configuring the integration to avoid connection failures.
Limitations
- Qualys CS in Invicti AppSec imports vulnerability data from existing Qualys Container Security scans — it does not trigger new Qualys scans.
- Only images already tracked within Qualys Container Security are available for binding; images not yet scanned by Qualys will not appear.
- Policy compliance and configuration assessment data from Qualys are not surfaced in Invicti AppSec findings; only vulnerability data is imported.