Model Context Protocol (MCP) server giving any LLM secure, audited access to the Qualys Cloud Platform (VM, PM, WAS, TotalCloud, Container Security, CSAM, and more).
Project description
qualys-cli-mcp
A Model Context Protocol (MCP) server for the Qualys Cloud Platform. It gives any MCP-capable LLM or agent — Claude, GPT, Llama, and others — secure, audited access to Qualys Vulnerability Management, Patch Management, Web Application Scanning, TotalCloud (CSPM), Container Security, CSAM, and more, through a single hardened tool surface.
The server is a thin, security-focused layer over qualys-cli. The CLI handles
authentication, retries, pagination, and JWT refresh; the MCP layer adds command
validation, credential redaction, module allow-listing, read-only enforcement,
response-size guards, and an append-only audit log.
Architecture
LLM (Claude, GPT, Llama, …)
│ MCP protocol (stdio or SSE)
▼
qualys-cli-mcp (this server)
│ subprocess (validated argv — never a shell)
▼
qualys-cli (auth, retry, pagination, 273 API endpoints)
│ HTTPS
▼
Qualys Cloud Platform
Requirements
- Python 3.11 or newer (macOS, Linux, Windows)
- A configured
qualys-cliprofile (credentials are stored in the OS keyring)
Installation
pip install qualys-cli-mcp
qualys-cli is installed automatically as a dependency.
Configure credentials
Credentials are stored securely in the OS keyring (macOS Keychain, Linux Secret Service, Windows Credential Manager) — never in environment variables or plain-text config files.
qualys-cli configure
This prompts for your username and password, auto-detects your Qualys platform, and stores everything securely. This is a one-time setup.
Connect your MCP client
The server runs over stdio and needs no credentials in the client config — they are pulled from the OS keyring at runtime.
Claude Desktop — add to claude_desktop_config.json:
{
"mcpServers": {
"qualys": {
"command": "qualys-mcp"
}
}
}
VS Code / Cursor — add the same entry to your MCP settings. The config is identical across clients.
Tools
The server exposes 18 tools: 2 generic pass-through tools plus 16 curated, typed tools for the most common operations.
Generic tools
qualys_cli(command) — execute any qualys-cli command and receive
structured JSON:
qualys_cli("vm scan list --state Running --format json")
qualys_cli("vm host detection --ips 10.0.0.1 --severities 4,5 --format json")
qualys_cli("csam asset list --filter asset.riskScore=GREATER=900 --format json --limit 10")
qualys_cli("was finding list --severity 5 --format json")
qualys_cli_help() — the full command reference: all modules, resources,
actions, filter syntax, and common patterns.
Curated tools
Typed, parameter-validated wrappers for frequent tasks — the agent should prefer these over free-form commands:
| Tool | Purpose |
|---|---|
qualys_status() |
Connectivity and authentication check |
vm_scan_list() |
List vulnerability scans by state |
vm_host_list() |
List scanned hosts by IP / range |
vm_host_detection() |
Detections for specific hosts |
vm_kb_by_cve() / vm_kb_by_qid() |
KnowledgeBase lookups |
pc_posture_list() |
Policy Compliance posture |
pm_job_list() / pm_patch_list() |
Patch jobs and catalog |
was_finding_list() |
Web application findings |
tc_connector_list() / tc_cdr_findings() |
TotalCloud connectors and CDR |
cs_image_vulns() |
Container image vulnerabilities |
csam_riskiest_assets() / csam_asset_count() |
Asset risk and inventory |
ca_agent_list() |
Cloud Agent inventory |
Supported modules
| Module | Coverage | Auth |
|---|---|---|
| VM (Vulnerability Management) | Scans, hosts, detections, KB, appliances, reports | Basic |
| PC (Policy Compliance) | Scans, policies, posture | Basic |
| PM (Patch Management) | Jobs, patches, mitigations, reports | JWT |
| ETM (Enterprise TruRisk) | Reports, findings | JWT |
| WAS (Web App Scanning) | Webapps, scans, findings, schedules, reports | Basic |
| TC (TotalCloud / CSPM) | Connectors, evaluations, rules, CDR | JWT |
| CA (Cloud Agent) | Agents, activation keys, config profiles | Basic / JWT |
| CS (Container Security) | Images, containers, registries, sensors | JWT |
| CSAM (Asset Management) | Assets, EASM, vulnerabilities, domains | JWT |
| Asset | IPs, networks, groups | Basic |
| ScanAuth | Auth records, vaults | Basic |
| User | User management | Basic |
| Sub | Subscription config | Basic |
Configuration
All settings are optional — the server works with zero configuration after
qualys-cli configure.
| Variable | Default | Description |
|---|---|---|
QUALYS_PROFILE |
default |
qualys-cli profile name |
QUALYS_CLI_PATH |
auto-detected | Path to the qualys-cli binary |
QUALYS_MCP_TIMEOUT |
120 |
Command timeout (seconds) |
QUALYS_MCP_MAX_RESPONSE |
800000 |
Max response bytes before truncation |
QUALYS_MCP_MAX_RETRIES |
2 |
Retries on transient failures (rate limit, timeout, 5xx) |
QUALYS_MCP_ALLOWED_MODULES |
all | Comma-separated module allow-list |
QUALYS_MCP_DENY_WRITE |
false |
1 to block destructive commands |
QUALYS_MCP_AUDIT_LOG |
~/.config/qualys-cli/mcp-audit.jsonl |
Audit log path (off to disable) |
Security & governance
Command-injection prevention. Every command is validated before execution:
shell metacharacters (;, |, `, $, {}, …) are rejected, only known
Qualys modules are accepted, and commands run via an explicit argv list — never
through a shell. Managed flags (--profile, --config) and their abbreviations
cannot be overridden by the caller.
Credential security. Credentials live in the OS keyring only. Error messages and verbose output are scrubbed before returning to the model — passwords, tokens, Bearer values, and JWTs are redacted, and ANSI escape codes stripped.
Module allow-list. Restrict which Qualys modules are reachable:
export QUALYS_MCP_ALLOWED_MODULES="vm,csam,ca"
Read-only mode. Block all write and destructive operations (launch,
create, delete, cancel, update, activate, purge, …):
export QUALYS_MCP_DENY_WRITE=1
Response truncation. Responses exceeding the size cap are truncated to stay under the MCP transport limit. Key fields (QID, TITLE, SEVERITY, CVE_LIST) are preserved; verbose fields (SOLUTION, DIAGNOSIS, CONSEQUENCE) are stripped first.
Resilience. Automatic retry on transient failures (rate limit, timeout, 5xx) with exponential backoff, a configurable command timeout with process kill on expiry, and an append-only audit log of every tool call.
Inherited from qualys-cli. Exponential backoff with jitter on 429/5xx, JWT auto-refresh on 401, HMAC-signed tamper-evident audit log, OS-keyring credential storage, secret redaction in all logs, per-request correlation IDs, body-size guards, and idempotent-only retries (POST/PUT/PATCH never auto-retry).
Multi-tenant & authenticated deployments
For remote or shared deployments, the server supports API-key and OAuth 2.1
(JWT) authentication with per-tenant credential profiles, module allow-lists,
write policies, and OAuth scope enforcement (qualys:read, qualys:write,
qualys:admin). See the bundled configuration reference for details.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file qualys_cli_mcp-0.1.2.tar.gz.
File metadata
- Download URL: qualys_cli_mcp-0.1.2.tar.gz
- Upload date:
- Size: 27.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cf8ce6bd4131949ac887fa8cf3f5e44e66b9cd4c4732ef57b43f86417e1d07db
|
|
| MD5 |
2abcbf555139e061304988b26a8f66a6
|
|
| BLAKE2b-256 |
8ae5b9bc6c466cf3415f7a5dde424171820258ab42cf0e7a8f13180c38b952d2
|
File details
Details for the file qualys_cli_mcp-0.1.2-py3-none-any.whl.
File metadata
- Download URL: qualys_cli_mcp-0.1.2-py3-none-any.whl
- Upload date:
- Size: 25.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2dd42b5ecd06c721d9916b790e2327e75513cd8a5eebf255f9f70bd73d99628c
|
|
| MD5 |
900580b4220ac00d5d55116bd4ec6b05
|
|
| BLAKE2b-256 |
87e341898f7dd0001bc1b26aa44d82dec4f595ca8f650cb28ce5e5a991d7bdbd
|