Authentication
This section covers authentication methods for the Qualys platform and container registries.
Qualys Platform Authentication
API Access Token
The QScanner backend authenticates with the Qualys platform using a bearer token on every CI/CD platform; the Jenkins CICD Sensor backend is the one exception and is covered below. The token is sent in the HTTP Authorization header of each request:

```http
Authorization: Bearer <access_token>
```
Generating an Access Token
- Log in to the Qualys platform
- Navigate to Administration > User Management
- Select your user or create a service account
- Under API, generate a new token
- Ensure Container Security scope is enabled
Important
Store tokens securely using secrets management. Never commit tokens to version control.
CICD Sensor Authentication (Jenkins)
The Jenkins CICD Sensor backend uses username/password authentication instead of API tokens:
| Credential Type | Use Case |
|---|---|
| API Token | QScanner backend (all platforms) |
| Username/Password | CICD Sensor backend (Jenkins only) |
Platform Endpoints
Use the correct gateway URL for your Qualys platform region:
| POD | API Gateway |
|---|---|
| US1 | https://qg1.apps.qualys.com |
| US2 | https://qg2.apps.qualys.com |
| US3 | https://qg3.apps.qualys.com |
| US4 | https://qg4.apps.qualys.com |
| EU1 | https://qg1.apps.qualys.eu |
| EU2 | https://qg2.apps.qualys.eu |
| CA1 | https://qg1.apps.qualys.ca |
| IN1 | https://qg1.apps.qualys.in |
| AU1 | https://qg1.apps.qualys.com.au |
| UK1 | https://qg1.apps.qualys.co.uk |
| AE1 | https://qg1.apps.qualys.ae |
| KSA1 | https://qg1.apps.qualys.sa |
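The following shell script is an added example, not code from the Qualys documentation. It ties the two points above together: it resolves the gateway for a POD from the table (refusing unknown POD names rather than sending a token to the wrong host) and sends a bearer-authenticated request while keeping the token out of the command line, where `ps` output and verbose CI logs would expose it. The token is read from `QUALYS_ACCESS_TOKEN` (the variable name used in the secrets table below); the `CURL` override used for dry runs and the `QUALYS_API_PATH` variable in the usage comment are assumptions of this example, not a Qualys endpoint.

```shell
#!/bin/sh
# Added example (not part of the Qualys docs): gateway lookup plus a
# bearer-authenticated curl call that never exposes the token in argv.

# Map a POD name to its API gateway. Unknown PODs fail closed instead of
# silently defaulting to a region the token was not issued for.
qualys_gateway() {
  case "$1" in
    US1)  echo "https://qg1.apps.qualys.com" ;;
    US2)  echo "https://qg2.apps.qualys.com" ;;
    US3)  echo "https://qg3.apps.qualys.com" ;;
    US4)  echo "https://qg4.apps.qualys.com" ;;
    EU1)  echo "https://qg1.apps.qualys.eu" ;;
    EU2)  echo "https://qg2.apps.qualys.eu" ;;
    CA1)  echo "https://qg1.apps.qualys.ca" ;;
    IN1)  echo "https://qg1.apps.qualys.in" ;;
    AU1)  echo "https://qg1.apps.qualys.com.au" ;;
    UK1)  echo "https://qg1.apps.qualys.co.uk" ;;
    AE1)  echo "https://qg1.apps.qualys.ae" ;;
    KSA1) echo "https://qg1.apps.qualys.sa" ;;
    *)    echo "qualys_gateway: unknown POD '$1'" >&2; return 1 ;;
  esac
}

# Write the Authorization header into a mode-0600 curl config file and print
# its path. The token comes from the environment (populated by the CI secret
# store); the function refuses to continue when it is missing or empty.
qualys_curl_config() {
  if [ -z "${QUALYS_ACCESS_TOKEN:-}" ]; then
    echo "qualys_curl_config: QUALYS_ACCESS_TOKEN is not set" >&2
    return 1
  fi
  cfg=$(mktemp) || return 1
  chmod 600 "$cfg"
  # curl reads "header = ..." lines from --config, so the token is passed via
  # the file, not as a -H argument visible in the process list.
  printf 'header = "Authorization: Bearer %s"\n' "$QUALYS_ACCESS_TOKEN" > "$cfg"
  echo "$cfg"
}

# qualys_api POD PATH: GET <gateway><PATH> with the bearer header from the
# config file, then delete the file. CURL may be overridden (for example with
# a shell function that only echoes its arguments) to dry-run the call.
qualys_api() {
  gw=$(qualys_gateway "$1") || return 1
  cfg=$(qualys_curl_config) || return 1
  if ${CURL:-curl} --silent --show-error --fail --config "$cfg" "$gw$2"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$cfg"
  return $rc
}

# Usage in a CI step, with QUALYS_ACCESS_TOKEN injected from the secret store
# and QUALYS_API_PATH an assumed variable holding the API path to call:
#   qualys_api EU1 "$QUALYS_API_PATH"
```

The config-file indirection matters on shared runners: any process running as another user on the same host can read `/proc/<pid>/cmdline`, and `set -x` tracing or a failed-step dump in the CI log would otherwise print the header verbatim.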
Container Registry Authentication
Public Registries
Public images from Docker Hub and other public registries require no authentication. Note that Docker Hub rate-limits anonymous pulls, so busy pipelines may still want to log in with a read-only account even when every image they pull is public.
Private Registries
For private registries, provide credentials via environment variables or platform-specific methods:
GitHub Actions
```yaml
# Pulling private packages from ghcr.io with GITHUB_TOKEN requires the job
# to have `permissions: packages: read` (or write, if it also pushes).
- name: Login to Registry
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}
```
GitLab CI
```yaml
# CI_REGISTRY_USER and CI_REGISTRY_PASSWORD are predefined by GitLab for the
# project registry. Pipe the password in with --password-stdin rather than
# passing it with -p, which exposes it in the process list and draws a
# warning from docker.
before_script:
  - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
```
Azure DevOps
```yaml
- task: Docker@2
  inputs:
    containerRegistry: 'MyACRConnection'
    command: 'login'
```
Jenkins
```groovy
withCredentials([usernamePassword(
    credentialsId: 'docker-registry',
    usernameVariable: 'DOCKER_USER',
    passwordVariable: 'DOCKER_PASS')]) {
  // Single-quoted Groovy string: the shell expands the variables, so the
  // secret is never interpolated into the pipeline script or its log.
  // --password-stdin keeps the password off the command line.
  sh 'echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin registry.example.com'
}
```
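The following shell functions are an added example, not code from the Qualys documentation or any of the CI platforms above. They show the pattern the GitLab and Jenkins snippets use for a generic private registry: the password is read from the environment and piped to `docker login --password-stdin`, so it never appears as a command-line argument, and a job-scoped `DOCKER_CONFIG` directory keeps the stored credential out of the runner's home directory and removes it at the end of the job. The `REGISTRY_USER` and `REGISTRY_PASSWORD` variable names and the `DOCKER` override used for dry runs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Qualys docs): private registry login for CI jobs
# without exposing the password in argv or leaving it on the runner.

# registry_login REGISTRY: log in with REGISTRY_USER / REGISTRY_PASSWORD from
# the environment. Without a credential helper, docker stores the credential
# base64-encoded in $DOCKER_CONFIG/config.json, so a fresh per-job directory
# is created when the caller has not set DOCKER_CONFIG explicitly.
registry_login() {
  registry=$1
  if [ -z "${REGISTRY_USER:-}" ] || [ -z "${REGISTRY_PASSWORD:-}" ]; then
    echo "registry_login: REGISTRY_USER and REGISTRY_PASSWORD must be set" >&2
    return 1
  fi
  if [ -z "${DOCKER_CONFIG:-}" ]; then
    DOCKER_CONFIG=$(mktemp -d) || return 1
    export DOCKER_CONFIG
    registry_login_tmpconfig=$DOCKER_CONFIG
  fi
  # printf '%s' rather than echo: echo in some shells interprets backslash
  # escapes and options such as -n, which would corrupt certain passwords.
  # The secret travels through the pipe, never through the argument list.
  printf '%s' "$REGISTRY_PASSWORD" | \
    ${DOCKER:-docker} login --username "$REGISTRY_USER" --password-stdin "$registry"
}

# registry_logout REGISTRY: log out and delete the job-scoped config directory
# (and the stored credential with it) if registry_login created one.
registry_logout() {
  ${DOCKER:-docker} logout "$1" >/dev/null 2>&1 || true
  if [ -n "${registry_login_tmpconfig:-}" ]; then
    rm -rf "$registry_login_tmpconfig"
    unset DOCKER_CONFIG registry_login_tmpconfig
  fi
}

# Usage in a CI job (REGISTRY_USER / REGISTRY_PASSWORD injected from the
# secret store):
#   registry_login registry.example.com
#   ... pull, scan, push ...
#   registry_logout registry.example.com
```

Run `registry_logout` from a cleanup step that executes even when the scan fails; otherwise a persistent runner keeps the credential in `config.json` for the next job that lands on it.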
Secrets Storage by Platform
| Platform | Secret Storage | Configuration |
|---|---|---|
| GitHub Actions | Repository/Organization Secrets | ${{ secrets.QUALYS_ACCESS_TOKEN }} |
| GitLab CI | CI/CD Variables | $QUALYS_ACCESS_TOKEN |
| Jenkins | Jenkins Credentials | credentialsId reference |
| Azure DevOps | Service Connections / Variable Groups | $(qualysToken) |
Token Best Practices
- Regular Rotation – Rotate API tokens every 90 days
- Least Privilege – Use tokens with minimal required scopes
- Audit Logging – Monitor token usage through Qualys audit logs
- Revocation – Immediately revoke compromised tokens
- Separate Tokens – Use different tokens for different environments (dev, staging, prod)