Azure DevOps Configuration Reference

This page provides a complete reference for all configuration options available in the Qualys Azure DevOps extension.

Service Connection Setup

Before using the Qualys tasks, create a service connection:

  1. Go to Project Settings > Service connections
  2. Click New service connection
  3. Select Qualys API Connection
  4. Configure the connection:
    • POD: Select your Qualys platform POD
    • Access Token: Enter your Qualys API access token
    • Service connection name: Enter a name (e.g., "QualysConnection")
  5. Click Save

Available PODs

| POD | Region | API URL |
|---|---|---|
| US1 | United States | qualysapi.qualys.com |
| US2 | United States | qualysapi.qg2.apps.qualys.com |
| US3 | United States | qualysapi.qg3.apps.qualys.com |
| US4 | United States | qualysapi.qg4.apps.qualys.com |
| EU1 | Europe | qualysapi.qualys.eu |
| EU2 | Europe | qualysapi.qg2.apps.qualys.eu |
| IN1 | India | qualysapi.qg1.apps.qualys.in |
| CA1 | Canada | qualysapi.qg1.apps.qualys.ca |
| AU1 | Australia | qualysapi.qg1.apps.qualys.com.au |
| AE1 | UAE | qualysapi.qg1.apps.qualys.ae |
| JP1 | Japan | qualysapi.qg1.apps.qualys.co.jp |
| KSA1 | Saudi Arabia | qualysapi.qg1.apps.qualys.sa |

QualysContainerScan@1 Inputs

Required Inputs

| Input | Description |
|---|---|
| qualysConnection | Qualys API service connection name |
| imageId | Container image to scan (name:tag or digest) |

Scan Target

| Input | Required | Default | Description |
|---|---|---|---|
| imageId | Yes* | - | Container image to scan. *Required unless imageTar is specified. |
| imageTar | No | - | Path to an image tar archive. |
| platform | No | linux/amd64 | Target platform for multi-arch images. |

Scan Options

| Input | Required | Default | Description |
|---|---|---|---|
| scanSecrets | No | false | Enable secrets detection. |
| scanMalware | No | false | Enable malware detection. |
| offlineMode | No | false | Scan without uploading to the Qualys platform. |

QualysCodeScan@1 Inputs

Required Inputs

| Input | Description |
|---|---|
| qualysConnection | Qualys API service connection name |

Scan Target

| Input | Required | Default | Description |
|---|---|---|---|
| scanPath | No | $(Build.SourcesDirectory) | Path to the directory to scan. |
| excludeDirs | No | - | Comma-separated list of directories to exclude. |
| includeDev | No | false | Include development dependencies. |

SBOM Options

| Input | Required | Default | Description |
|---|---|---|---|
| generateSbom | No | false | Generate a Software Bill of Materials. |
| sbomFormat | No | spdx | SBOM format: spdx or cyclonedx. |
| sbomOutput | No | sbom.json | Output filename for the SBOM. |

Scan Options

| Input | Required | Default | Description |
|---|---|---|---|
| scanSecrets | No | false | Enable secrets detection. |
| offlineMode | No | false | Scan without uploading to the Qualys platform. |

Common Inputs (Both Tasks)

Threshold Configuration

| Input | Required | Default | Description |
|---|---|---|---|
| maxCritical | No | -1 | Maximum number of critical vulnerabilities allowed (-1 = unlimited). |
| maxHigh | No | -1 | Maximum number of high vulnerabilities allowed (-1 = unlimited). |
| maxMedium | No | -1 | Maximum number of medium vulnerabilities allowed (-1 = unlimited). |
| maxLow | No | -1 | Maximum number of low vulnerabilities allowed (-1 = unlimited). |

Policy Configuration

| Input | Required | Default | Description |
|---|---|---|---|
| usePolicyEvaluation | No | false | Enable Qualys cloud policy evaluation. |
| failOnAudit | No | false | Fail the pipeline on an AUDIT policy result. |

Output Options

| Input | Required | Default | Description |
|---|---|---|---|
| publishResults | No | false | Publish SARIF to Azure DevOps Advanced Security. |

Work Item Creation

| Input | Required | Default | Description |
|---|---|---|---|
| createWorkItems | No | false | Create Azure Boards work items. |
| workItemSeverities | No | 4,5 | Severity levels for which work items are created (comma-separated). |
| workItemType | No | Bug | Work item type to create. |
| workItemAreaPath | No | - | Area path for work items. |
| workItemIterationPath | No | - | Iteration path for work items. |

Output Variables

Common Outputs (Both Tasks)

| Variable | Description |
|---|---|
| vulnerabilityCount | Total number of vulnerabilities found. |
| criticalCount | Number of critical vulnerabilities. |
| highCount | Number of high vulnerabilities. |
| mediumCount | Number of medium vulnerabilities. |
| lowCount | Number of low vulnerabilities. |
| secretsCount | Number of secrets detected. |
| policyResult | Policy result: ALLOW, DENY, AUDIT, or NONE. |
| scanPassed | Boolean: true if the scan passed the configured thresholds and policy. |
| sarifPath | Path to the SARIF report file. |
| jsonPath | Path to the JSON report file. |
| workItemsCreated | Number of work items created. |

Container Scan Specific Outputs

| Variable | Description |
|---|---|
| malwareCount | Number of malware detections. |
| imageDigest | Digest of the scanned image. |

Code Scan Specific Outputs

| Variable | Description |
|---|---|
| packagesCount | Total number of packages/dependencies found. |
| sbomPath | Path to the generated SBOM file. |
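The threshold and policy inputs above are static per task, and the output variables are only useful if a later step actually consumes them. The pipeline below is an added example (not from the Qualys extension's own documentation) that ties the two together: thresholds are chosen per branch with compile-time template expressions, the SARIF report is archived even when the scan step fails, and a final gate step re-fails the job with a readable summary. It assumes a service connection named `QualysConnection`, an image `myacr.azurecr.io/myapp:$(Build.BuildId)`, and that `scanPassed` is exposed as the lowercase string `true`; all three are placeholders or assumptions, not values taken from the extension.

```yaml
# Added example: branch-dependent thresholds plus a gate driven by the task's
# output variables. Connection name and image are placeholders.
trigger:
  - main
  - feature/*

pool:
  vmImage: 'ubuntu-latest'

variables:
  # Template expressions are resolved before any step runs, so the limits
  # are fixed per branch at compile time: strict on main, looser elsewhere.
  ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
    maxCriticalAllowed: 0
    maxHighAllowed: 0
  ${{ else }}:
    maxCriticalAllowed: 0
    maxHighAllowed: 10

steps:
  - task: QualysContainerScan@1
    name: containerScan
    displayName: 'Qualys Container Scan'
    # Let later steps (SARIF publish, summary) run even when thresholds fail;
    # the gate step below turns the result back into a job failure.
    continueOnError: true
    inputs:
      qualysConnection: 'QualysConnection'
      imageId: 'myacr.azurecr.io/myapp:$(Build.BuildId)'
      maxCritical: $(maxCriticalAllowed)
      maxHigh: $(maxHighAllowed)
      maxMedium: -1
      maxLow: -1
      usePolicyEvaluation: true
      # Only main treats an AUDIT policy result as a failure.
      failOnAudit: ${{ eq(variables['Build.SourceBranch'], 'refs/heads/main') }}
      publishResults: true

  # Archive the SARIF report whenever the task produced one, regardless of
  # whether the scan passed, so failed builds still leave evidence.
  - task: PublishBuildArtifacts@1
    displayName: 'Publish Container SARIF'
    condition: and(always(), ne(variables['containerScan.sarifPath'], ''))
    inputs:
      pathToPublish: '$(containerScan.sarifPath)'
      artifactName: 'container-security-report'

  # Explicit gate: print the counts and policy result, then fail the job
  # if the task reported that thresholds or policy were not met.
  # Assumes scanPassed is the lowercase string "true" on success.
  - script: |
      echo "Policy result: $(containerScan.policyResult)"
      echo "Critical/High/Medium/Low: $(containerScan.criticalCount)/$(containerScan.highCount)/$(containerScan.mediumCount)/$(containerScan.lowCount)"
      echo "Limits for this branch: critical<=$(maxCriticalAllowed) high<=$(maxHighAllowed)"
      if [ "$(containerScan.scanPassed)" != "true" ]; then
        echo "##vso[task.logissue type=error]Qualys container scan did not pass thresholds or policy"
        exit 1
      fi
    displayName: 'Security Gate'
    condition: always()
```

Using `continueOnError` on the scan task together with a separate gate step is a deliberate split: the scan's own failure would otherwise skip the artifact publish, and the gate step is where the build log gets a single, unambiguous reason for the red result. The `always()` conditions also cover the case where the task errors before producing outputs (for example, an unreachable API), in which case `sarifPath` is empty, the publish step is skipped, and the gate still fails the job.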

Work Item OAuth Token

To create work items, the task needs access to the Azure DevOps API. Configure OAuth token access using one of these methods:

Method 1: Pipeline Setting

Enable "Allow scripts to access OAuth token" in the pipeline's Agent job settings.

Method 2: Environment Variable

```yaml
- task: QualysContainerScan@1
  inputs:
    qualysConnection: 'QualysConnection'
    imageId: 'myapp:latest'
    createWorkItems: true
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```

Example: Full Configuration

```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Build and push container image
  - task: Docker@2
    displayName: 'Build and Push Image'
    inputs:
      containerRegistry: 'myAcrConnection'
      repository: 'myapp'
      command: 'buildAndPush'
      tags: '$(Build.BuildId)'

  # Container security scan
  - task: QualysContainerScan@1
    name: containerScan
    displayName: 'Qualys Container Scan'
    inputs:
      # Service connection
      qualysConnection: 'QualysConnection'

      # Scan target
      imageId: 'myacr.azurecr.io/myapp:$(Build.BuildId)'
      platform: 'linux/amd64'

      # Scan options
      scanSecrets: true
      scanMalware: true
      offlineMode: false

      # Thresholds
      maxCritical: 0
      maxHigh: 5
      maxMedium: 20
      maxLow: -1

      # Policy
      usePolicyEvaluation: false
      failOnAudit: false

      # Output
      publishResults: true

      # Work items
      createWorkItems: true
      workItemSeverities: '4,5'
      workItemType: 'Bug'
      workItemAreaPath: 'MyProject\Security'
      workItemIterationPath: 'MyProject\Sprint 1'
    env:
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)

  # Code security scan
  - task: QualysCodeScan@1
    name: codeScan
    displayName: 'Qualys Code Scan'
    inputs:
      # Service connection
      qualysConnection: 'QualysConnection'

      # Scan target
      scanPath: '$(Build.SourcesDirectory)'
      excludeDirs: 'node_modules,vendor,dist,build,test'
      includeDev: false

      # Scan options
      scanSecrets: true
      offlineMode: false

      # SBOM
      generateSbom: true
      sbomFormat: 'spdx'
      sbomOutput: '$(Build.ArtifactStagingDirectory)/sbom.json'

      # Thresholds
      maxCritical: 0
      maxHigh: 10
      maxMedium: -1
      maxLow: -1

      # Policy
      usePolicyEvaluation: false
      failOnAudit: false

      # Output
      publishResults: true

      # Work items
      createWorkItems: true
      workItemSeverities: '4,5'
    env:
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)

  # Display results
  - script: |
      echo "=== Container Scan Results ==="
      echo "Vulnerabilities: $(containerScan.vulnerabilityCount)"
      echo "Critical: $(containerScan.criticalCount)"
      echo "High: $(containerScan.highCount)"
      echo "Malware: $(containerScan.malwareCount)"
      echo "Scan passed: $(containerScan.scanPassed)"
      echo ""
      echo "=== Code Scan Results ==="
      echo "Vulnerabilities: $(codeScan.vulnerabilityCount)"
      echo "Critical: $(codeScan.criticalCount)"
      echo "Packages: $(codeScan.packagesCount)"
      echo "Scan passed: $(codeScan.scanPassed)"
    displayName: 'Show Scan Results'

  # Publish artifacts
  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(codeScan.sbomPath)'
      artifactName: 'sbom'
    displayName: 'Publish SBOM'

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(containerScan.sarifPath)'
      artifactName: 'container-security-report'
    displayName: 'Publish Container SARIF'

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(codeScan.sarifPath)'
      artifactName: 'code-security-report'
    displayName: 'Publish Code SARIF'
```

Requirements

Next Steps