Scans
This section provides a detailed summary of the most recent vulnerability scans performed across your assets. The scan results identify potential security risks, categorize vulnerabilities by severity
Kikimora has active integration with the Qualys web scanner. You can also automatically run scans with the Qualys scanner by purchasing Kikimora. The "Scans" section allows you to manage those scans and manually run or schedule automatic regular Qualys scans.

Web Applications Tab
The "Web Applications" tab contains all assets prepared for Qualys scanning. Here you can associate Qualys-specific configurations with your web application asset, such as crawl scope, option profile, level of usage of robots.txt and sitemap.xml files during the scan, and authentication credentials, as well as add some scan-specific comments.
Similar to all the Kikimora grids, you can edit your asset by clicking the edit icon at the end of the scan's row (in the "Actions" column). The three-dots menu in the "Actions" column contains two other buttons, "Preview" and "Delete", which show more asset details or delete the asset, respectively. You can add a new asset by clicking the "Create" button above the grid, or refresh the grid by clicking the "Refresh" button icon next to it.
Adding a New Web Application Asset
To add a new scan asset:
Click the plus button (+) at the top right corner above the grid.
A page leading you through the steps will appear.
First, choose an asset on which to perform the scan. By clicking on the "Asset" box, a dropdown menu with all your global assets will appear.

You can start typing the asset you would like to scan.

Once you click it, the rest of the form will be auto-filled. You can change any details, such as the name, risk or remediation owner, or the URL if you want to.

The following window will allow you to select the crawl scope (i.e., how deeply the scan should crawl). There are two options: "Limit at or below URL hostname" and "Limit to content located at or below URL subdirectory"; refer to the official Qualys crawl scope documentation for further information.

Next, select the option profile.

Then, you can include your preferences regarding your robots.txt and sitemap.xml files. This includes:
robots.txt:
Do not use robots.txt;
Crawl all links and directories found in robots.txt, if present;
Do not crawl links or directories excluded by robots.txt, if present.
sitemap.xml:
Crawl all links and directories found in sitemap.xml, if present;
Do not use sitemap.xml.
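The effect of the three robots.txt settings on scan coverage, modelled from their wording above. This is an added example, not Kikimora or Qualys code: the mode names, host and paths are constructed, and matching is simple prefix matching rather than the scanner's own logic.

```python
from urllib.parse import urljoin

# Constructed sample robots.txt for a hypothetical application.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /internal/reports/
Allow: /public/
"""
# Constructed links found by crawling from the start page.
DISCOVERED = ["/", "/public/help", "/admin/users", "/internal/reports/q1"]

def parse_robots(text):
    """Return (allow, disallow) path prefixes from the 'User-agent: *' group.
    Simplified: one User-agent line per group, no wildcard handling."""
    allow, disallow, active = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            active = value == "*"
        elif active and value and field == "allow":
            allow.append(value)
        elif active and value and field == "disallow":
            disallow.append(value)
    return allow, disallow

def crawl_set(base_url, discovered, robots_text, mode):
    """Model which URLs end up in the crawl under each robots.txt setting."""
    allow, disallow = parse_robots(robots_text)
    paths = set(discovered)
    if mode == "crawl_all":           # robots.txt entries become extra seeds
        paths |= {p for p in allow + disallow if "*" not in p and "$" not in p}
    elif mode == "honor_exclusions":  # Disallow prefixes are dropped
        paths = {p for p in paths if not any(p.startswith(d) for d in disallow)}
    elif mode != "ignore":            # "ignore" = do not use robots.txt
        raise ValueError(f"unknown mode: {mode}")
    return sorted(urljoin(base_url, p) for p in paths)

if __name__ == "__main__":
    for mode in ("ignore", "crawl_all", "honor_exclusions"):
        print(mode, crawl_set("https://app.example.test/", DISCOVERED, ROBOTS_TXT, mode))
```

Comparing the "ignore" and "honor_exclusions" results lists the paths a scan would leave unassessed when exclusions are honored.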


You can create credentials for the Qualys scanner profile in your web application and provide them on the next tab. This will allow it to assess your application more deeply.
You can load from previously saved Authentication records by clicking on the "Authentication records" field. You can select multiple and the scanner will try them on different locations in your application.
Alternatively, you can create a new authentication record (standard with a username and password, or custom, for example, tokens). To do that, click the "Create" button at the bottom of the screen. A new pop-up window will appear. Select "Standard" or "Custom" from the "Form Record Type" field; you can learn more about them in the official Qualys documentation. Fill in all the details, and click the "Save" button at the bottom of the window.
Standard Authentication - username and password

Custom Authentication: You can add as many fields as you need. Write the tag of the web application's field in the "Name" text box. To add a new entry, click the "Add field" button just before the "Comments" text field. To remove a field, click the "Remove field" button below each pair.

In the last step, you can add some scan-specific comments on that asset.

Click the "Finish" button at the bottom to run the scan.
Scans
The Scans section contains a grid of all previously run scans.

You can re-run a previous scan by clicking on the "Re-scan" icon in the "Actions" column. There, via the three-dots menu, you can also preview or delete a scan.
Creating a New Scan
To run a new scan:
Click on the Plus button at the top right corner above the grid.
Fill in the necessary details in the window that appears.

Click the "Finish" button at the bottom.
A pop-up will appear displaying that the creation of the scan was successful.

Then, the item will appear in the grid.

You can click on the "Refresh" icon to refresh the grid. After a while, the status of the scan will be updated to "Running".

Scheduled Scans Tab
Through the "Scheduled Scans" tab, you can schedule a scan at a specified time or set up regular scans that start automatically at a given period.
To create a new scheduled scan:
Click on the "Create" button icon at the top right corner of the screen, above the scan grid.
Fill in all the necessary details in the new window, including which project you would like to associate the given scan with (via the "Output project" field). Then, click on the "Next Step" button.

Select the recurrence you would like (once, daily, weekly). Depending on the choice, you will see different fields.
Select the time zone for which you will later set the start hour.
Click on the "Start date" field. Then, a pop-up window allowing you to select the date will appear. Once you click the "Save changes" button, you can select the time you want the scan to run. Then, click again on the "Save changes" button.

If you choose to schedule a repeating scan (daily or weekly), you will see the following additional fields:
"Schedule ends after occurrences". Write the number of occurrences you would like;
"On days" (only when a weekly schedule is selected). Choose whatever days between Monday and Sunday you prefer.
Click "Finish" to save the changes and schedule the scan. Click "Previous step" to review or adjust the previous configurations. Click "Cancel" to cancel the scan.