Vulnerability scanners

Puppet Remediate integrates with Tenable, Qualys and Rapid7.

Note: Ask your security team for the permissions to import vulnerability scan data.

Qualys

Add the details for your Qualys Vulnerability Manager account.

Parameter: Description
Name: A unique and descriptive name to identify this vulnerability scanner.
API server URL: The HTTPS URL and port number to the platform where your Qualys account is located.
  Note: Qualys CE is not API compatible and therefore is not supported by Remediate. For more information, see the Qualys CE user guide.
Username: Your Qualys username to authenticate with.
Password: Your Qualys password to authenticate with.
Update interval: The time interval before Remediate polls the vulnerability scanner for new data. This parameter is optional. If not specified, the update interval defaults to 30 minutes.
Severity threshold: The severity level on or above which vulnerability data is passed to Remediate. This parameter is optional. If not specified, severity level 1 is used by default.
Date range: Use the options in this drop-down menu to limit the time period for which results are returned.
Import tags: Use this option to import tags from Qualys. By default this option is OFF.

Rapid7

Add the details for your Rapid7 Nexpose (on-prem) or InsightVM (cloud) account.

Parameter: Description
Name: A unique and descriptive name to identify this vulnerability scanner.
InsightVM URL: The HTTPS URL and port number to your InsightVM or Nexpose instance.
Username: Your Rapid7 username to authenticate with.
Password: Your Rapid7 password to authenticate with.
Enable SSL certification verification: To verify the signature on the SSL certificate returned by Rapid7 using your CA cert, select this option. Remember that you must add your own CA certificate. For more information, see SSL certificate verification for scanners.
Update interval: The time interval before Remediate polls the vulnerability scanner for new data. This parameter is optional. If not specified, the update interval defaults to 30 minutes.
Severity threshold: The severity level on or above which vulnerability data is passed to Remediate. This parameter is optional. If not specified, severity level 1 is used by default.

Tenable.io

Add the details for your Tenable.io (cloud) account.

Parameter: Description
Name: A unique and descriptive name to identify this vulnerability scanner.
Access key: Your Tenable.io access key to authenticate with the Tenable.io API. For more information about generating an access key, see the Tenable.io documentation.
Secret key: Your Tenable.io secret key to authenticate with the Tenable.io API. For more information about generating a secret key, see the Tenable.io documentation.
Update interval: The time interval before Remediate polls the vulnerability scanner for new data. This parameter is optional. If not specified, the update interval defaults to 30 minutes.
Severity threshold: The severity level on or above which vulnerability data is passed to Remediate. This parameter is optional. If not specified, severity level 1 is used by default.
Import tags: Use this option to import tags from Tenable.io. By default this option is OFF.

Note: You must use the Administrator role in Tenable.io to export data using the Tenable.io API.

Tenable.sc

Add the details for your Tenable.sc account.

Parameter: Description
Name: A unique and descriptive name to identify this vulnerability scanner.
URL: The URL of your Tenable.sc instance.
Username: Your Tenable.sc account username. For more information, see the Tenable.sc documentation.
Password: Your Tenable.sc account password. For more information, see the Tenable.sc documentation.
Enable SSL certificate verification: Select this checkbox if you want to verify the SSL certificate returned by Tenable.sc. Remember that you must add your own CA certificate. For more information, see SSL certificate verification for scanners.
Refresh interval: The time interval before Remediate polls the vulnerability scanner for new data. This parameter is optional. If not specified, the update interval defaults to 30 minutes.
Severity threshold: The severity level on or above which vulnerability data is passed to Remediate. This parameter is optional. If not specified, severity level 1 is used by default.

Tip: The Tenable.sc Auditor role is the role with the least permissions that you can use to connect from Remediate.

SSL certificate verification for scanners

You can verify SSL certificates signed by an internal certificate authority for Rapid7 and Tenable.sc.

If you decide to enable verification for certificates signed by an internal certificate authority when configuring Rapid7 or Tenable.sc to work with Remediate, use the following procedure to add a self-signed certificate:

  1. Copy your certificate to a sub-folder of your current working directory.
  2. Issue the following command to tell Remediate to use the new certificate:
    docker-compose run remediate vr-cert add <CA cert path>
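
A pre-flight check to run on the certificate between steps 1 and 2, added here as an example and not taken from the Remediate documentation. The helper name check_ca_cert, the 30-day expiry margin, the expectation that the file is the internal CA's own certificate (CA:TRUE) and the placeholder file name are assumptions; the openssl command-line tool must be installed.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the CA certificate given to `vr-cert add`.
# check_ca_cert and the 30-day margin are assumptions, not part of Remediate.

check_ca_cert() {
    cert=${1#./}        # tolerate a leading "./"
    min_days=${2:-30}   # assumed policy: reject CAs expiring within 30 days

    # Step 1: the file must be in a sub-folder of the working directory,
    # so accept only a relative path that never climbs out with "..".
    case "$cert" in
        /*|../*|*/../*) echo "FAIL: $cert is outside the working directory" >&2; return 1 ;;
        */*) ;;
        *) echo "FAIL: $cert is not in a sub-folder" >&2; return 1 ;;
    esac
    [ -f "$cert" ] || { echo "FAIL: $cert not found" >&2; return 1; }

    # The file must parse as a PEM-encoded X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert is not a PEM certificate" >&2; return 1; }

    # Assumption: the file is the internal CA's certificate, so it should
    # carry basicConstraints CA:TRUE rather than being a server certificate.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "FAIL: $cert is not a CA certificate" >&2; return 1; }

    # It must remain valid for at least min_days more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: $cert expires within $min_days days" >&2; return 1; }

    # Show subject, expiry and SHA-256 fingerprint for comparison with the
    # value published by the internal CA's owner.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
}

# Run as: ./check-ca.sh certs/internal-ca.pem   (placeholder file name)
if [ "$#" -ge 1 ]; then
    check_ca_cert "$@" && echo "Next: docker-compose run remediate vr-cert add $1"
fi
```

Compare the printed fingerprint with the one your internal CA's owner publishes before running the vr-cert add command.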