This update to QualysGuard 8.1 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).
These changes are in addition to what was documented in our QualysGuard® API Release Version 8.1 - 30 day notification.
QualysGuard API Server URL. The QualysGuard API documentation and sample code use the API server URL for QualysGuard US Platform 1. If your account is located on another platform, please replace this URL with the appropriate server URL for your account.
|API Server URL for login|
|QualysGuard US Platform||https://qualysapi.qualys.com|
QualysGuard US Platform 2
|QualysGuard EU Platform||https://qualysapi.qualys.eu|
|QualysGuard Private Cloud Platform||https://qualysapi.<customer_base_url>|
QualysGuard API Documentation. API user guides and other documentation are available in your account’s Resources section (Help > Resources > API). Note: The service enforces limits on the API calls users can make within a subscription. See “QualysGuard API Limits” for details.
PC: API Support for SCAP Scans
The QualysGuard SCAP scan list capability is now exposed in the Qualys API. This enables automation to scale and integrate your compliance program with the QualysGuard PC/SCAP application. The following features will be available in the SCAP Scan API v2:
- Listing of SCAP scans: /api/2.0/fo/scan/scap/?action=list
- action=list (required), echo_request
- Scan List Filters
- scan_id (SCAP scan ID), scan_ref, state, type, target, user_login, launched_after_datetime, launched_before_datetime
- Show Information
- show_ags, show_op, show_status, show_last
PC: Compliance Posture Info output to CSV
The “Compliance Posture Info” API v2 (the resource /api/2.0/fo/compliance/posture/info/ with the parameter action=list) is used to view current compliance posture data (info records) for hosts within the user’s account. To increase automation capabilities, a CSV output option has been added to the Posture API. This enables customers to skip post processing of data, which simplifies integrations.
The following options will be added:
- csv_no_metadata: omits header metadata (report title, date, user who launched the report, etc.).
VM & PC: User Defined HTTP Header
Customers may now be able to specify an HTTP Header at scan time. This enables customers to "drop" their defenses (logging, IPS, etc.) when authorized scans are being run.
The following scan calls will accept the header value via the runtime_http_header paramater:
- Scan API v1 (/msp/scan.php)
- Scheduled Scans API v1 (/msp/scheduled_scans.php)
- VM Scan API v2 (/api/2.0/fo/scan/)
- PC Scan API v2 (/api/2.0/fo/scan/compliance/)
The header value will be piped into the following header name: