Azure DevOps Integration
The Qualys Azure DevOps extension provides pipeline tasks for container and code scanning. Scan results can be published as SARIF reports and automatically create Azure Boards work items for vulnerability tracking.
Available Tasks
| Task | Purpose |
|---|---|
| QualysContainerScan@1 | Scan Docker/OCI container images |
| QualysCodeScan@1 | Scan source code for vulnerable dependencies (SCA) |
Capabilities
- Container Scanning – Scan images for OS and package vulnerabilities
- Code Scanning (SCA) – Scan repositories for vulnerable dependencies
- Secrets Detection – Identify hardcoded secrets
- SBOM Generation – Generate SPDX or CycloneDX SBOM
- Policy Evaluation – Use Qualys cloud policies or thresholds
- SARIF Publishing – Publish results to Azure DevOps Advanced Security
- Work Item Creation – Create Azure Boards bugs for vulnerabilities
- Offline Scanning – Scan without uploading to Qualys platform
Prerequisites
- Azure DevOps organization
- Azure Pipelines (cloud or self-hosted)
- A Qualys subscription with Container Security permissions
- Docker (for container scanning)
Installation
- Navigate to your Azure DevOps organization
- Go to Organization Settings > Extensions
- Click Browse Marketplace
- Search for "Qualys Security Scanner"
- Click Get it free and install
Create Service Connection
- Go to Project Settings > Service connections
- Click New service connection
- Select Qualys API Connection
- Enter your Qualys POD and API access token
- Save as "QualysConnection" (or custom name)
Quick Start
Container Scan
```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: Docker@2
    displayName: 'Build Image'
    inputs:
      command: build
      repository: 'myapp'          # image name; must match the imageId scanned below
      tags: $(Build.BuildId)

  - task: QualysContainerScan@1
    displayName: 'Qualys Container Scan'
    inputs:
      qualysConnection: 'QualysConnection'
      imageId: 'myapp:$(Build.BuildId)'
      usePolicyEvaluation: true
      scanSecrets: true
      publishResults: true
```
Code Scan
```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: QualysCodeScan@1
    displayName: 'Qualys Code Scan'
    inputs:
      qualysConnection: 'QualysConnection'
      scanPath: '$(Build.SourcesDirectory)'
      usePolicyEvaluation: true
      scanSecrets: true
      generateSbom: true
      sbomFormat: 'spdx'
      publishResults: true
```
Output Variables
Give the task a `name` and reference its output variables as `$(name.variable)` in later steps of the same job:

```yaml
- task: QualysContainerScan@1
  name: qualysScan
  inputs:
    qualysConnection: 'QualysConnection'
    imageId: 'myapp:latest'

- script: |
    echo "Vulnerabilities: $(qualysScan.vulnerabilityCount)"
    echo "Critical: $(qualysScan.criticalCount)"
    echo "Policy: $(qualysScan.policyResult)"
  displayName: 'Show Results'
```
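Printing the counts is useful for debugging, but the practical use of these variables is to block a release. The script below is an added example, not part of the Qualys extension or its documentation: a fail-closed gate meant to run in a `script` step after the scan task. It assumes `policyResult` is the literal string `PASS` when policy evaluation succeeded (the page does not state the exact value, so adjust the comparison to what your task reports). It also handles the case where the scan task did not run or did not set its outputs: Azure Pipelines then leaves the macro unexpanded (the step receives the text `$(qualysScan.criticalCount)`) or empty, which is not a number, and the gate blocks rather than letting the build through.

```bash
#!/usr/bin/env bash
# Added example (not the Qualys extension's own code).
# Save as qualys_gate.sh and call it from the pipeline after the scan step:
#   - script: bash qualys_gate.sh "$(qualysScan.policyResult)" "$(qualysScan.criticalCount)" 0
#     displayName: 'Release gate'
#
# qualys_gate POLICY_RESULT CRITICAL_COUNT [MAX_CRITICAL]
#   Returns 0 when the build may proceed, 1 when it must be blocked.
#   MAX_CRITICAL defaults to 0 (no critical findings tolerated).
qualys_gate() {
  policy="$1"
  criticals="$2"
  max_crit="${3:-0}"

  # Fail closed. If the scan task did not run, the macro is passed through
  # unexpanded ("$(qualysScan.criticalCount)") or as an empty string; neither
  # is a number, so refuse to release rather than treat it as zero.
  case "$criticals" in
    ''|*[!0-9]*)
      echo "gate: critical count '$criticals' is not a number; blocking release" >&2
      return 1
      ;;
  esac

  # Only an explicit PASS is accepted. "PASS" is an assumed value; check
  # what your task actually emits and change this comparison if needed.
  if [ "$policy" != "PASS" ]; then
    echo "gate: policy result '$policy' is not PASS; blocking release" >&2
    return 1
  fi

  # Numeric threshold on critical findings.
  if [ "$criticals" -gt "$max_crit" ]; then
    echo "gate: $criticals critical findings exceed the allowed $max_crit; blocking release" >&2
    return 1
  fi

  echo "gate: policy PASS, $criticals critical (limit $max_crit); release allowed"
  return 0
}

# When executed directly (not sourced), gate on the command-line arguments.
case "$0" in
  *qualys_gate.sh) qualys_gate "$@" ;;
esac
```

A non-zero exit from the `script` step fails the job, which is what stops a downstream deploy stage. If the scan task itself fails, later steps are skipped by default; give the gate step `condition: succeededOrFailed()` if you want it, rather than the task's own failure, to be the recorded reason the release was blocked.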
Work Item Creation
Automatically create Azure Boards bugs for vulnerabilities:
```yaml
- task: QualysContainerScan@1
  displayName: 'Scan and Create Work Items'
  inputs:
    qualysConnection: 'QualysConnection'
    imageId: 'myapp:$(Build.BuildId)'
    createWorkItems: true
    workItemSeverities: '4'    # High and Critical
    workItemAreaPath: 'MyProject\Security'
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```
Important
Creating work items requires the pipeline's OAuth token. In YAML pipelines, map it into the task explicitly with `env: SYSTEM_ACCESSTOKEN: $(System.AccessToken)` as shown above; the "Allow scripts to access the OAuth token" checkbox applies to classic (designer) pipelines. The identity that token represents (the project's build service account) must also be allowed to create work items in the target area path, otherwise work item creation is denied even though the scan itself succeeds.