Parag Baxi

QualysGuard® API Release Version 8.1 - 15 day notification

Blog Post created by Parag Baxi on Jun 25, 2014

This update to QualysGuard 8.1 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).


These changes are in addition to what was documented in our QualysGuard® API Release Version 8.1 - 30 day notification.


What’s New

QualysGuard API Server URL. The QualysGuard API documentation and sample code use the API server URL for QualysGuard US Platform 1. If your account is located on another platform, please replace this URL with the appropriate server URL for your account.


Account  Location

API  Server URL for login
QualysGuard  US Platform

QualysGuard  US Platform 2

QualysGuard  EU Platform
QualysGuard  Private Cloud Platformhttps://qualysapi.<customer_base_url>

QualysGuard API Documentation. API user guides and other documentation are available in your account’s Resources section (Help > Resources > API). Note: The service enforces limits on the API calls users can make within a subscription. See “QualysGuard API Limits” for details.


PC: API Support for SCAP Scans

The QualysGuard SCAP scan list capability is now exposed in the Qualys API. This enables automation to scale and integrate your compliance program with the QualysGuard PC/SCAP application. The following features will be available in the SCAP Scan API v2:

  • Listing of SCAP scans: /api/2.0/fo/scan/scap/?action=list
  • Parameters
    • Request
      • action=list (required), echo_request
    • Scan List Filters
      • scan_id (SCAP scan ID), scan_ref, state, type, target, user_login, launched_after_datetime, launched_before_datetime
    • Show Information
      • show_ags, show_op, show_status, show_last


PC: Compliance Posture Info output to CSV

The “Compliance Posture Info” API v2 (the resource /api/2.0/fo/compliance/posture/info/ with the parameter action=list) is used to view current compliance posture data (info records) for hosts within the user’s account. To increase automation capabilities, a CSV output option has been added to the Posture API. This enables customers to skip post processing of data, which simplifies integrations.


The following options will be added:

  • csv
  • csv_no_metadata: omits header metadata (report title, date, user who launched the report, etc.).


VM & PC: User Defined HTTP Header

Customers may now be able to specify an HTTP Header at scan time. This enables customers to "drop" their defenses (logging, IPS, etc.) when authorized scans are being run.

The following scan calls will accept the header value via the runtime_http_header paramater:

  • Scan API v1 (/msp/scan.php)
  • Scheduled Scans API v1 (/msp/scheduled_scans.php)
  • VM Scan API v2 (/api/2.0/fo/scan/)
  • PC Scan API v2 (/api/2.0/fo/scan/compliance/)

The header value will be piped into the following header name:

     Qualys-Scan: <runtime_http_header_value>