Qualys Integrates AI‑Powered Code Security Findings into Enterprise TruRisk Management (ETM) Platform
What Happened — Qualys announced that its Enterprise TruRisk Management (ETM) platform now ingests AI‑driven code‑security findings from Anthropic’s Claude Code Security and OpenAI’s Codex Security. The service treats each repository as a typed asset, maps findings to CWE IDs, and applies unified TruRisk scoring.
Why It Matters for TPRM —
- Extends third‑party risk visibility to the software‑development layer, surfacing logic flaws and secret leaks that traditional SAST tools miss.
- Provides a single risk‑scoring model across code, host, and cloud assets, simplifying risk aggregation for supply‑chain assessments.
- Enables organizations to enforce remediation workflows on AI‑generated findings, reducing exposure from insecure third‑party code.
Who Is Affected — Enterprises with software development pipelines, SaaS providers, fintech firms, and any organization that outsources or consumes third‑party code libraries.
Recommended Actions — Review your vendor risk program for coverage of code‑level security, map AI‑generated findings to existing risk registers, and validate that your security vendors (e.g., Qualys, CrowdStrike, Wiz) are integrated with ETM or an equivalent risk‑management platform.
Technical Notes — AI code‑security tools produce structured CSV outputs containing severity, location, weakness type, description, and CWE mappings. Qualys ETM treats these as a distinct “Application SAST” asset type, preserving repository‑level semantics and feeding them into its TruRisk scoring engine and MITRE ATT&CK workbench. No new CVEs are introduced; the value lies in deeper detection of logic and injection flaws.
Source: Qualys Blog – Bringing AI Code Security into Qualys ETM
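The ingestion step described in the Technical Notes, as an added example that is not Qualys's or the AI vendors' code: it parses a constructed CSV export carrying the five field categories named above, groups findings into per‑repository assets, canonicalises CWE IDs and drops findings duplicated across scan runs. The column names, the repository‑from‑path rule and the severity weights are assumptions, since the page gives neither the real export schema nor the TruRisk formula.

```python
# Added example, not Qualys or Anthropic/OpenAI code: normalise AI code-security
# CSV findings into per-repository "Application SAST" asset records. Column
# names, the repo-from-path rule and the severity weights are assumptions.
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; header names are assumed, not a vendor's real schema.
SAMPLE_CSV = """severity,location,weakness_type,description,cwe
High,payments-svc/app/db.py:42,SQL Injection,User input concatenated into query,CWE-89
Medium,payments-svc/config/settings.py:7,Hardcoded Secret,API key committed in source,CWE-798
High,payments-svc/app/db.py:42,SQL Injection,User input concatenated into query,CWE-89
Low,web-ui/src/render.js:118,Improper Logic,Authorization check runs after the write,CWE-863
Critical,web-ui/src/auth.js:9,Missing Authentication,Admin route has no auth middleware,cwe 306
"""

# Placeholder weights standing in for the proprietary TruRisk scoring (assumed).
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
CWE_RE = re.compile(r"(?i)cwe[\s_-]*(\d+)")

def normalise_cwe(raw):
    """Return canonical 'CWE-<n>' or None when the field carries no usable ID."""
    m = CWE_RE.search(raw or "")
    return f"CWE-{int(m.group(1))}" if m else None

def repo_of(location):
    """Treat the first path segment as the repository (assumed export layout)."""
    return location.split("/", 1)[0]

def ingest(csv_text):
    """Group findings by repository, drop exact duplicates and score each asset."""
    assets = defaultdict(lambda: {"findings": [], "score": 0, "cwes": set()})
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["location"], row["cwe"], row["description"])
        if key in seen:  # same finding re-exported by a second scan run
            continue
        seen.add(key)
        sev = row["severity"].strip().lower()
        if sev not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {row['severity']!r} at {row['location']}")
        cwe = normalise_cwe(row["cwe"])
        asset = assets[repo_of(row["location"])]
        asset["findings"].append({**row, "severity": sev, "cwe": cwe})
        asset["score"] += SEVERITY_WEIGHT[sev]
        if cwe:
            asset["cwes"].add(cwe)
    return dict(assets)
```

Running `ingest(SAMPLE_CSV)` yields two assets; the repeated SQL‑injection row is counted once and the loosely formatted `cwe 306` value is canonicalised to `CWE-306`.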