How do I configure a Qualys WAS Integration?
In the Qualys Cloud Platform, API access is granted by creating a Service User account and enabling specific permissions and scopes for it. The username and password for this account function as your API credentials. Here is the step-by-step guide to creating a dedicated API user.
Step 1: Create a Dedicated Service Account
- Log in to the Qualys platform using an account with Manager privileges.
- Use the application picker (the drop-down menu in the top left corner) to select the Administration utility.
- In the left-hand navigation menu, click on Users, then select User Management.
- Click the Create User button.
- Fill out the required General Information fields. We recommend using a descriptive naming convention, such as "Nopsec", for the user details.
Step 2: Enable API Access
- Within the user creation window, navigate to the Security (or Locale/Security) tab.
- Locate the User Access section.
- Check the box next to API to allow this account to make programmatic requests to the Qualys servers.
- Manually specify a strong password. This username and password combination will act as your API credentials.
Step 3: Assign the WAS Reader Role and Scope
To ensure the account is read-only and restricted to Web Application Scanning (WAS) data, you must apply the correct Role-Based Access Control (RBAC) settings.
- Navigate to the Roles and Scopes tab in the user creation window.
- Under the Roles section, select the WAS Reader role from the list of available roles. This is a built-in Qualys role that strictly limits the user to viewing web application assets, scan findings, and reports, without granting the ability to launch scans or modify configurations.
- Under the Scope section, assign the specific Tags or Asset Groups this API account is permitted to query.
Note: If the API needs visibility into all web applications across your subscription, assign your organization's root tag or a global tag (e.g., "Cloud Agent" or "All Assets"). If left scoped to specific tags, the API will silently omit any assets outside that scope from its responses.
- Click Save to finalize and create the API user.
Step 4: Enable the integration in the NopSec Platform
- Navigate to Integrations in the NopSec UI and select the option to add the Qualys integration.
- NOTE: You can use the existing "Qualys" integration for both infrastructure and WAS findings and asset data. Follow the instructions above to add WAS visibility to your existing Qualys/NopSec integration account.
- Enter Integration Access Info: When prompted, enter the following information and click the "Save and Connect" button:
  - Connection Name: Unique name for this integration (QualysWAS)
  - Username: The username created in the previous steps
  - Password: The password created in the previous steps
  - Platform: Your Qualys URL's region, e.g. "US Platform 1"
- SAVE and CLOSE
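
An added example (not from the NopSec or Qualys documentation): one way to confirm, before or after connecting the integration, that the scope assigned in Step 3 covers the web applications you expect, since out-of-scope assets are omitted without any error. It assumes the Qualys WAS API v3 count endpoint and the US Platform 1 API host; the environment variable names, expected count and sample responses are constructed for illustration.

```python
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: API host for "US Platform 1"; other Qualys platforms use other hosts.
API_HOST = "https://qualysapi.qualys.com"
# Assumption: WAS API v3 web application count endpoint; confirm in the Qualys WAS API guide.
COUNT_PATH = "/qps/rest/3.0/count/was/webapp"

# Constructed sample responses, used only to show the check offline.
SAMPLE_FULL = "<ServiceResponse><responseCode>SUCCESS</responseCode><count>21</count></ServiceResponse>"
SAMPLE_SCOPED = "<ServiceResponse><responseCode>SUCCESS</responseCode><count>4</count></ServiceResponse>"
SAMPLE_DENIED = "<ServiceResponse><responseCode>UNAUTHORIZED</responseCode></ServiceResponse>"


def fetch_count_xml(username, password, host=API_HOST):
    """Request the web application count with HTTP Basic auth; return the XML body."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(host + COUNT_PATH,
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def check_scope(xml_body, expected_count):
    """Compare the count the account can see with the inventory you expect."""
    root = ET.fromstring(xml_body)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        return False, f"API call failed: {code}"
    visible = int(root.findtext("count", default="0"))
    if visible < expected_count:
        # Out-of-scope assets are omitted without an error, so only the count reveals it.
        return False, f"scope gap: {visible} of {expected_count} web apps visible"
    return True, f"{visible} web apps visible"


if __name__ == "__main__":
    # Hypothetical variable names; keep the credentials out of shell history and source.
    user, pw = os.environ.get("QUALYS_USER"), os.environ.get("QUALYS_PASS")
    expected = int(os.environ.get("EXPECTED_WEBAPPS", "21"))
    body = fetch_count_xml(user, pw) if user and pw else SAMPLE_SCOPED
    ok, message = check_scope(body, expected)
    print("OK" if ok else "CHECK", message)
```

Take the expected count from a Manager-level view of the WAS inventory; a lower number from the API account points to the tag or asset group scope set in Step 3.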