Qualys-IaC-Security 1.0.6

Command line interface to scan Infrastructure-as-Code templates using Qualys IaC.

Qualys-IaC-Security

The qiac is a command line interface to scan Infrastructure-as-Code templates using Qualys CloudView (Cloud Security Assessment).

Description

The Qualys IaC app provides a quick yet reliable way to assess your Infrastructure-as-a-Code templates and uncover potential vulnerable situations. The qiac provides you an interface to interact with Qualys IaC module in a simple way.

This command line interface (CLI) provides following commands.

Command Name	Feature	Description	Since Version
scan	Launch an IaC scan	You can scan one or more templates in a single command. This runs a job on Qualys cloud platform.	1.0.0b2
listscans	Get list of all IaC scans	Once you launch a scan, you can view list of all scans or a specific scan.	1.0.0b2
getresult	Get the IaC scan result	Once a scan is completed, you can download the scan result for your review.	1.0.0b2
config	Configure IaC CLI	You can configure user's credentials using this command.	1.0.0b3

Installation

Prerequisite

You need to fulfill the following requirements to use this CLI tool.

• Python 3
• If your environment uses Windows OS and Python version 3.10 or greater, then you must have Microsoft Visual C++ version 14.0 or greater version installed.
• A valid Qualys subscription with access to
  • CloudView (Cloud Security Assessment)
  • The Qualys API

Command to install

You can install the qiac CLI from PyPI. Run the following command to install.

pip install Qualys-IaC-Security

How to use

See the supported options

You can use the --help option to get a list of supported options and their explanation.

Usage: qiac [OPTIONS] COMMAND [ARGS]...

Options:
  -v, --version  Show the version and exit.
  -h, --help     Show this message and exit.

Commands:
  config     Configure IaC CLI credentials.
  getresult  Gets the scan result.
  listscans  List all the scans.
  scan       Triggers/Launches the IaC scan.

Configure IaC CLI (optional command)

Use this command to configure user's credentials. This command is optional and should be used only when a user would like to store Qualys credentials in flat file for subsequent uses. Once this file is correctly configured, the user need not provide the Qualys platform, username, and password details for every CLI command. The authentication details are picked from the configuration file. Below command collects Qualys credentials from user and stores those to user's home directory (.qiac.yaml)

qiac config  -a <Qualys Platform> -u <Qualys username> -p <Qualys password>

• The parameters: platform, username, and password are mandatory for this command.
  config_file (optional): name or path of the config file.
  Name: if the name is provided, then a config file with the specified name is created.
  Path: if the path is provided, then the config file is created at the specified path with the default name. The default name is .qiac.yaml.
• This command saves the config file on the user's home directory with the name .qiac.yaml. If a user doesn't want to save the config file in the home directory, the user can use the config_file option to provide the config file path. The config_file option saves the file at the specified path.

A user can use the config file using below ways:

1. Use Config file from user's home.

qiac <commands|params>

2. User Config file from user's custom directory.

qiac <commands|params> -c <location of config file>

Commands could be scan, getresults, listscans.

Note: If the user does not provide credentials in command options, then CLI checks for the config file in the current directory. If the config file is not present in the current directory, then CLI checks the user's home directory.

Launch a scan

You can scan one or more file(s) using the following command.

qiac scan -a <Qualys Platform> -u <your Qualys username> -n <name of the scan> -d <path1 to a file or directory> -d <path2 to a file or directory> -d <path3 to a file or directory>...

• The CLI prompts for your Qualys password, only if password is not provided in command.
• When you provide a path to a directory for -d option, the CLI will ZIP the contents and then upload the ZIP to the Qualys Cloud Platform.
• On successful launch of the scan, the CLI output provides a Scan Id and show results in a tabular format.

Note: To scan the template(s), this CLI uploads your file(s) to the Qualys Cloud Platform.

Get the list of all scans

You can get list of scans using the following command. If you want to get the scan details for a specific scan, provide the IaC scan Id obtained from the launch scan output.

qiac listscans -a <Qualys Platform> -u <your Qualys username> -i <Scan Id>

• This will fetch list of all IaC scan and its details and print it in tabular format on the terminal.

Get the scan result

Once you see that the scan status is FINISHED or ERROR, you can use the following command to get the IaC scan result.

qiac getresult -a <Qualys Platform> -u <your Qualys username> -i <Scan Id>

• This will download the scan result and print it in tabular format on the terminal.

Documentation

For more information you can refer Secure Infrastructure as Code section in this user guide: https://www.qualys.com/docs/qualys-cloud-view-user-guide.pdf

Support

If you have any questions, please contact Qualys Support team at support@qualys.com