Jenkins Configuration Reference

This page provides a complete reference for all configuration options available in the Qualys Jenkins plugin.

All Parameters

Backend Selection

Parameter	Required	Default	Description
`scannerBackend`	Yes	-	Scanner backend: `'qscanner'` or `'cicd_sensor'`
`scanType`	Yes	-	Scan type: `'container'`, `'code'`, or `'rootfs'`

Authentication - QScanner Backend

Parameter	Required	Default	Description
`credentialsId`	Yes	-	Jenkins credential ID for Qualys API token (Secret text)
`qualysPod`	No	US1	Qualys platform POD

Authentication - CICD Sensor Backend

Parameter	Required	Default	Description
`cicdCredentialsId`	Yes	-	Jenkins credential ID for Qualys username/password
`qualysPod`	No	US1	Qualys platform POD

Available PODs

POD	Region	API URL
US1	United States	qualysapi.qualys.com
US2	United States	qualysapi.qg2.apps.qualys.com
US3	United States	qualysapi.qg3.apps.qualys.com
US4	United States	qualysapi.qg4.apps.qualys.com
EU1	Europe	qualysapi.qualys.eu
EU2	Europe	qualysapi.qg2.apps.qualys.eu
IN1	India	qualysapi.qg1.apps.qualys.in
CA1	Canada	qualysapi.qg1.apps.qualys.ca
AU1	Australia	qualysapi.qg1.apps.qualys.com.au
AE1	UAE	qualysapi.qg1.apps.qualys.ae
JP1	Japan	qualysapi.qg1.apps.qualys.co.jp
KSA1	Saudi Arabia	qualysapi.qg1.apps.qualys.sa

Container Scan Parameters

Parameter	Required	Default	Backend	Description
`imageId`	Yes*	-	Both	Container image to scan (name:tag or digest)
`imageTar`	No	-	QScanner	Path to image tar archive
`platform`	No	linux/amd64	QScanner	Target platform for multi-arch images
`scanSecrets`	No	false	QScanner	Enable secrets detection
`scanMalware`	No	false	QScanner	Enable malware detection

Code Scan Parameters (QScanner Only)

Parameter	Required	Default	Description
`scanPath`	No	.	Path to directory to scan
`excludeDirs`	No	-	Comma-separated directories to exclude
`includeDev`	No	false	Include development dependencies
`scanSecrets`	No	false	Enable secrets detection
`generateSbom`	No	false	Generate Software Bill of Materials
`sbomFormat`	No	spdx	SBOM format: spdx or cyclonedx

Rootfs Scan Parameters (QScanner Only)

Parameter	Required	Default	Description
`rootfsPath`	Yes	-	Path to root filesystem directory
`scanSecrets`	No	false	Enable secrets detection

Threshold Configuration

Parameter	Required	Default	Description
`maxCritical`	No	-1	Maximum critical vulnerabilities allowed (-1 = unlimited)
`maxHigh`	No	-1	Maximum high vulnerabilities allowed (-1 = unlimited)
`maxMedium`	No	-1	Maximum medium vulnerabilities allowed (-1 = unlimited)
`maxLow`	No	-1	Maximum low vulnerabilities allowed (-1 = unlimited)

Policy Configuration

Parameter	Required	Default	Description
`usePolicy`	No	false	Enable Qualys cloud policy evaluation
`failOnAudit`	No	false	Fail build when policy result is AUDIT

CICD Sensor Polling

Parameter	Required	Default	Description
`pollingInterval`	No	10	Seconds between result polling attempts
`vulnsTimeout`	No	600	Maximum seconds to wait for results

Output Configuration

Parameter	Required	Default	Description
`publishSarif`	No	false	Publish SARIF report as build artifact
`offlineMode`	No	false	Scan without uploading to Qualys platform

Jira Integration

Parameter	Required	Default	Description
`createJiraIssues`	No	false	Create Jira issues for vulnerabilities
`jiraCredentialsId`	No*	-	Jenkins credential ID for Jira (required if createJiraIssues=true)
`jiraProject`	No*	-	Jira project key
`jiraIssueType`	No	Bug	Jira issue type to create
`jiraSeverities`	No	4,5	Severity levels to create issues for

Result Object Properties

The qualysScan step returns an object with the following properties:

Property	Type	Description
`totalVulnerabilities`	int	Total number of vulnerabilities found
`criticalCount`	int	Number of critical vulnerabilities
`highCount`	int	Number of high vulnerabilities
`mediumCount`	int	Number of medium vulnerabilities
`lowCount`	int	Number of low vulnerabilities
`secretsCount`	int	Number of secrets detected
`malwareCount`	int	Number of malware detections
`policyResult`	String	Policy result: ALLOW, DENY, AUDIT, or NONE
`thresholdsPassed`	boolean	Whether scan passed configured thresholds
`sarifPath`	String	Path to SARIF report file
`jsonPath`	String	Path to JSON report file
`sbomPath`	String	Path to SBOM file (code scan only)

Feature Comparison by Backend

Feature	QScanner	CICD Sensor
Container Scanning	Yes	Yes
Code Scanning (SCA)	Yes	No
Rootfs Scanning	Yes	No
Secrets Detection	Yes	No
Malware Detection	Yes	No
SBOM Generation	Yes	No
Offline Mode	Yes	No
Jira Integration	Yes	Yes
SARIF Output	Yes	Yes

Example: Full Configuration

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }
        stage('Container Scan') {
            steps {
                script {
                    def result = qualysScan(
                        // Backend Selection
                        scannerBackend: 'qscanner',
                        scanType: 'container',

                        // Authentication
                        credentialsId: 'qualys-api-token',
                        qualysPod: 'US3',

                        // Scan Target
                        imageId: "myapp:${BUILD_NUMBER}",
                        platform: 'linux/amd64',

                        // Scan Options
                        scanSecrets: true,
                        scanMalware: true,

                        // Thresholds
                        maxCritical: 0,
                        maxHigh: 5,
                        maxMedium: 20,

                        // Policy
                        usePolicy: false,
                        failOnAudit: false,

                        // Output
                        publishSarif: true,
                        offlineMode: false,

                        // Jira
                        createJiraIssues: true,
                        jiraCredentialsId: 'jira-creds',
                        jiraProject: 'SEC',
                        jiraIssueType: 'Bug',
                        jiraSeverities: '4,5'
                    )

                    echo "Scan complete: ${result.totalVulnerabilities} vulnerabilities found"

                    if (!result.thresholdsPassed) {
                        error "Security scan failed thresholds"
                    }
                }
            }
        }
        stage('Code Scan') {
            steps {
                qualysScan(
                    scannerBackend: 'qscanner',
                    scanType: 'code',
                    credentialsId: 'qualys-api-token',
                    qualysPod: 'US3',
                    scanPath: '.',
                    excludeDirs: 'node_modules,vendor,dist',
                    includeDev: false,
                    scanSecrets: true,
                    generateSbom: true,
                    sbomFormat: 'spdx',
                    maxCritical: 0,
                    maxHigh: 10,
                    publishSarif: true
                )
            }
        }
    }
}

Global Configuration

Configure default settings in Manage Jenkins > Configure System > Qualys Scanner:

Default POD - Default Qualys platform POD
Default Backend - Default scanner backend
Default Thresholds - Default vulnerability thresholds
Proxy Settings - HTTP proxy configuration

Next Steps

QScanner Backend - On-demand scanning details
CICD Sensor - Pre-installed sensor details
Overview - Return to Jenkins overview