---
title: "Qualys SCA"
slug: "qualys-sca"
updated: 2025-06-03T16:06:16Z
published: 2025-06-03T16:06:16Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.safe.security/llms.txt
> Use this file to discover all available pages before exploring further.

# Qualys SCA

## About this document

This document provides the step-by-step procedure to integrate SAFE with Qualys **Security Configuration Assessment (SCA)** and **Policy Compliance (PC)**.

## Introduction

SAFE integrates with Qualys Security Configuration Assessment (SCA) and Policy Compliance (PC) to fetch the configuration assessment results based on CIS benchmarks into SAFE. Once configured, this integration onboards the Qualys SCA and PC assets in SAFE and automatically adds assets to Default groups based on the Operating System (OS) information from Qualys.

You can configure Qualys SCA and PC in SAFE from the Qualys SCA card available in the Integrations on the left navigation.

## Supported Asset Type

Qualys SCA and PC integration supports the configuration assessment for the following asset types:

1. RHEL 7.x
2. RHEL 8.X
3. CentOS 7.x
4. CentOS 8.x
5. Ubuntu 22.x
6. Ubuntu 20.x
7. Suse Linux 12.x
8. Suse Linux 15.x
9. Windows 8.1
10. Windows 10
11. Windows 11
12. Windows Server 2012 R2
13. Windows Server 2016
14. Windows Server 2019
15. Windows Server 2022

Notes

- If SAFE does not find the mapping for an asset, the asset will be added to the Others Default Group. However, you can move the asset manually to the best-suited Group.
- You can check the mapping using API “GET <SAFE_URL>/api/v3/settings/os-to-safe-asset-type-mapping”.
- To add a custom OS to Safe Asset Type mapping, use API “POST <SAFE_URL>/api/v3/settings”
- By default, the asset-matching criteria used for Qualys SCA is ["fqdn", "assetName", "ipAddress"]

## Prerequisites

To configure Qualys, you need the following details:

1. Qualys API URL - The URL should start with qualysapi, and not qualysguard.
2. Qualys API Credentials
3. Verifying that the SAFE Instance’s IP address is whitelisted in the user’s Qualys Instance.

## Create a user in Qualys with API access

To connect Qualys SCA and PC with SAFE, you can use an existing user’s username and password, which has access to the Qualys API, or create a new user. The minimum access required for the user is Reader level, and the user should have both GUI and API access to set up the integration properly.

Note

You need Admin access to create a new user in Qualys.

If you have configured Qualys to use SSO for all users, you will need to disable SSO for the API user. To do so follow [this](https://docs.qualys.com/en/vm/latest/user_accounts/saml/about_saml.htm) Qualys documentation, Go to Users > Users and edit the user's account. You'll see the SAML SSO option in the Security section.

**Create a new user in Qualys**

1. Log in to your **Qualys** instance.
2. Scroll down and select **Administration** from the top-left dropdown.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Qualysv2%20-%201.png)
3. Click the Create User button on the **Administration** page and select **CreateReaderUser**.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Qualysv2%20-%202.png)
4. Select the user role as **Reader** (or a higher role) on the **NewReaderUser** page.
5. Mark the **API** and **GUI** access checkboxes.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Qualysv2%20-%203.png)
6. Click **Save**. The new user will get an email to verify login and complete the user registration process. We can now use the credentials to connect SAFE with Qualys.

Notes

Following step 6, UI access as configured in step 5 can be removed if required as the API user does not require UI access following setup. UI access may be required to perform certain troubleshooting steps.

## Configure Qualys SCA and PC

To configure Qualys SCA in SAFE:

1. Log in to your SAFE account a[s **Admin**.](http://Admin.Click)
2. Click on the **Integrations,** from the left navigation.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Screenshot 2024-05-21 at 10.41.13 PM.png)
3. Click the **Qualys SCA** card.
4. Enter the **Qualys API URL**, **Username**, and **Password**.
5. Enter the **Policy IDs** Filter. SAFE allows you to filter the assessment data being fetched from Qualys based on Qualys Policy IDs. If this field is blank, the system pulls the assessment data for all policies to which the user has access.
6. Enter the **Auto**-**Sync** Frequency.
7. Select the **AutoOnbaordNewAssets** checkbox to onboard the newly discovered assets in SAFE.
8. Click the **Test Connection** button.
9. Once the connection is verified, click **Save** Configuration.
10. Click the **Sync Now** button to fetch the results in SAFE.

![Qualys(3)](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Qualys(3).png)

## View Result

After a successful sync, the Qualys SCA assets are automatically imported into SAFE.

**View Assets**

1. Go to the integration homepage.
2. Scroll to find the Qualys SCA integration card or search for Qualys SCA in the s[earch bar](http://bar.Click).
3. Click on the Qualys SCA integration card for **Finding View** and **Asset View**.

## FAQ
  - **Finding View:** This tab displays all the findings details pulled from Qualys SCA.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Screenshot 2024-05-21 at 11.36.32 PM.png)
  - **Asset View:**This tab displays all the Asset details pulled from Qualys SCA.

![](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Screenshot 2024-05-22 at 11.02.42 PM.png)

---

#### 1. I am receiving a “ Test Connection failed with Error: Unauthorized : Qualys Server Request failed with status code 401” Error, what should I do?

Normally 401 error means that your user is not authorised to access Qualys.

A helpful sanity check is to access the Qualys UI and log in with the username and password you have configured for the API user to confirm that access is working and that you can see the assets you expect.

If you cannot access the Qualys application, you should review the username/password settings.

API users cannot use SSO. If you have configured Qualys to use SSO for all users, you will need to disable SSO for the API user. To do so follow [this](https://docs.qualys.com/en/vm/latest/user_accounts/saml/about_saml.htm) Qualys documentation, Go to Users > Users and edit the user's account. You'll see the SAML SSO option in the Security section. Once SSO is disabled, check that you can access the Qualys UI.