Tell me about the SCAP ARF Report

You can launch a SCAP scan report in Asset Reporting Format (ARF) using our API, a requirement in the SCAP 1.2 specifications from NIST.

Tell me about user permissionsTell me about user permissions

Users have permission to run this API function when the SCAP module is enabled for the user's subscription. Sub-accounts (Unit Managers, Scanners and Readers) must have the "Manage compliance" permission.

How do I launch this report?

Use the SCAP ARF Report API v2 (the resource /api/2.0/fo/compliance/scap/arf/). You'll need to provide the scan ID for a finished SCAP scan (use the "id" input parameter). You can limit the report to certain IP addresses only (use the optional "ips" parameter). Do you have the Networks feature turned on? If yes and you specify "ips" you can limit the report to a specific network (use the optional "ips_network_id" parameter).

How do I find the SCAP scan ID?How do I find the SCAP scan ID?

You'll see the scan ID when viewing SCAP scan results in the user interface. In the scan results window's title bar you'll see the report URL with its ID number in the "id" parameter, like this:

API Request

Here's a sample API request:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X POST -d

Tell me about the Cloud Platform URLTell me about the Cloud Platform URL is the API server URL for US Platform 1. If your account is located on one of our other cloud platforms then you'll want to replace this base URL with the one that is appropriate for your location.

For example, for US Platform 2, use

For the EU Platform, use If you have a Private Cloud Platform, use a custom URL like https://qualysapi.<customer_base_url>.

XML Output

The XML output is compliant with the ARF 1.1 Schema.

Show me this Schema

Where can I learn more about using the API?

Refer to the Qualys API User Guide for a better understanding of API conventions and detailed instructions on using API functions. Get the latest information from our Community.

Qualys API (VM, PC) User Guide