Skip to main content

Command-line interface for the Qualys REST APIs (VM, PC, PM, ETM, WAS, TC, CA, CS, CSAM, Sub, Asset, User).

Project description

qualys-cli

CI PyPI Python License

A unified command-line interface for the Qualys REST APIs — covering VM, PC, Patch Management, ETM, WAS, TotalCloud (TC), Cloud Agent (CA), Container Security (CS), CSAM, Subscription, Asset, and User management. Rich table output, JSON / YAML / JSONL export, automatic retry with backoff, JWT auto- refresh, OS-keyring credential storage, and a clean machine-readable mode for scripting and AI agents.

  ╭─────────────────────────────────────────────────╮
  │  qualys-cli   ·   273 endpoints, one CLI        │
  │  vm · pc · pm · etm · was · tc · ca · cs        │
  │  csam · sub · asset · user · scanauth           │
  ╰─────────────────────────────────────────────────╯

Install

# End user (recommended)
pipx install qualys-cli

# Or from source
pipx install git+https://github.com/qualys/qualys-cli

# Development
git clone https://github.com/qualys/qualys-cli && cd qualys-cli
uv sync
uv run qualys-cli --help

Python 3.11+ required. Works on macOS, Linux, and Windows.

Quick start

# 1. Configure credentials (interactive — password stored in OS keyring)
qualys-cli configure

# 2. Run any command
qualys-cli vm host list --limit 10
qualys-cli was webapp list
qualys-cli pm job list --format json

Non-interactive setup (CI / Docker)

qualys-cli configure \
  --url https://qualysapi.qualys.com \
  --username "$QUALYS_USERNAME" \
  --password "$QUALYS_PASSWORD" \
  --output-mode agentic

Credentials resolve in this priority order:

  1. QUALYS_URL / QUALYS_USERNAME / QUALYS_PASSWORD / QUALYS_TOKEN env vars
  2. OS keyring (per-profile entry)
  3. ~/.config/qualys-cli/config.toml

Multiple profiles via --profile <name> or QUALYS_PROFILE. List with qualys-cli profiles.

Output modes

The CLI has two top-level modes that govern the default output style:

Mode Default output Spinners / colours Use case
interactive Rich table (first 25 rows) Yes Humans in a terminal
agentic JSON, no decoration No Scripts, pipelines, AI agents

Switch the persistent default for a profile:

qualys-cli mode                # show current
qualys-cli mode agentic        # set agentic
qualys-cli mode interactive    # set interactive

Or set per-shell with export QUALYS_OUTPUT_MODE=agentic.

Per-command output flags

These work on every command and override the mode default:

Flag Behaviour
--format json Full JSON to stdout
--format jsonl One flattened JSON object per line (JSON Lines / NDJSON)
--format yaml YAML to stdout
--format table Rich table (forced)
--limit 0 Remove the default 25-row cap
--output-file results.json Dump full data to file (extension picks JSON or YAML)
-v, -vv Log requests (and response sizes); secrets never logged

Examples by module

VM (Vulnerability Management)

qualys-cli vm host list --ips 10.0.0.0/24
qualys-cli vm host detection --ips 10.0.0.0/24
qualys-cli vm scan launch --title "Weekly" --ip 10.0.1.0/24 --option-id 12345
qualys-cli vm scan fetch SCAN-REF-123 --output-file results.json

Patch Management (PM)

qualys-cli pm job list --format json
qualys-cli pm job create --name "Critical patches" \
  --patch-ids "12345,67890" --asset-group-ids "AG-1"
qualys-cli pm patch list --severity Critical

Web Application Scanning (WAS)

qualys-cli was webapp list --name "prod"
qualys-cli was webapp get 12345
qualys-cli was scan launch --webapp-id 12345 --name "Nightly WAS"
qualys-cli was finding list --webapp-id 12345 --severity 5
qualys-cli was report download 99999 --output-file was-report.pdf

TotalCloud (TC) — CSPM

qualys-cli tc connector list --provider AWS
qualys-cli tc evaluation list --provider AWS --account-id 123456789012
qualys-cli tc rule list --cloud-type AWS --rule-type simple_alert
qualys-cli tc exception list

Cloud Agent (CA), Container Security (CS), CSAM

qualys-cli ca agent list --status Active
qualys-cli ca actkey create --title "Linux Prod" --modules VM,PC

qualys-cli cs image list --filter "vulns.severity5Count:>0"
qualys-cli cs image get <sha>
qualys-cli cs container list --severity Critical

qualys-cli csam asset list --updated-after 2026-01-01T00:00Z
qualys-cli csam vuln list-easm --filter "vulnerability.cvss=GREATER=7"

Subscription, Asset, User

qualys-cli sub info
qualys-cli sub export --output-file sub-backup.xml
qualys-cli asset ip add --ips 10.0.0.0/24 --tracking-method IP
qualys-cli user create --username jdoe --first-name Jane --last-name Doe \
  --email jane@example.com --user-role scanner

Tip: append --help to any command (e.g. qualys-cli was scan launch --help) for the full flag set.

Documentation

A comprehensive usage reference with all 273 endpoints is included in the package:

  • Source install: docs/usage.html in the repository
  • Pip install: Located in your Python environment's share/qualys-cli/docs/usage.html

To find it after installation:

python -c "import sys; print(sys.prefix + '/share/qualys-cli/docs/usage.html')"

LLM / agent usage

The CLI is built to be safe to drive from a script or an AI agent:

# JSON output (set agentic mode persistently, or use --format json per call)
qualys-cli mode agentic
qualys-cli vm host list | jq '.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST'

# JSON Lines — one record per line, ideal for streaming
qualys-cli pm job list --format jsonl | jq -r '.id'

# Errors emitted as JSON on stderr when stderr is not a TTY
qualys-cli --profile nonexistent vm host list 2>/tmp/err.json
# {"error": "No username for profile 'nonexistent'...", "type": "configuration_error"}

Behaviour contract for agents:

  • stdout contains only data (JSON / JSONL / YAML / table text).
  • stderr carries status, spinners, and human-readable errors. All decoration is suppressed when stderr is not a TTY.
  • Exit code 0 = success, 1 = any error.
  • When stderr is not a TTY, errors are emitted as {"error": "...", "type": "..."} JSON.

Authentication

Module group Auth Endpoint family
VM, PC, Asset, User, ScanAuth, Sub, WAS HTTP Basic /api/2.0/fo/, /qps/rest/
TC, PM, ETM, CS, CSAM JWT Bearer API gateway (/csapi/, /etm/)
CA agent ops HTTP Basic /qps/rest/
CA activation-key / config JWT Bearer /caui/v1/

JWT tokens are fetched via POST /auth, cached in config.toml, and auto-refreshed on 401.

Development

uv sync
uv run pytest                # tests
uv run ruff check src/       # lint
uv run mypy src/             # type check
uv run qualys-cli --help     # smoke
uv build                     # build sdist + wheel into dist/

Regenerating commands from Qualys docs

The codegen pipeline is opt-in via the codegen extra (it pulls in anthropic, trafilatura, selectolax, pypdf):

uv sync --extra codegen
export ANTHROPIC_API_KEY=sk-ant-...
uv run scripts/ingest_docs.py        # cache HTML pages
uv run scripts/extract_endpoints.py  # LLM extraction → api-model.json
uv run scripts/generate_commands.py  # regenerate commands/*.py

Generated files are marked with # Auto-generated from api-model.json and are safe to overwrite. Files without that header are treated as hand-edited and left alone.

Releasing

Releases are published to PyPI by GitHub Actions on a tag push:

# Bump version in pyproject.toml, update CHANGELOG.md, commit
git tag v0.1.1 && git push --tags

PyPI publishing uses Trusted Publishing (OIDC) — no API token is stored. Configure once at https://pypi.org/manage/project/qualys-cli/settings/publishing/.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qualys_cli-0.1.1.tar.gz (208.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

qualys_cli-0.1.1-py3-none-any.whl (176.9 kB view details)

Uploaded Python 3

File details

Details for the file qualys_cli-0.1.1.tar.gz.

File metadata

  • Download URL: qualys_cli-0.1.1.tar.gz
  • Upload date:
  • Size: 208.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for qualys_cli-0.1.1.tar.gz
Algorithm Hash digest
SHA256 831f1593cdc395c86d58b095271b8a2b83756c5699b9d34833bcd1be6c86df3f
MD5 dde921ed7c84021b80c94c85fd28757e
BLAKE2b-256 837dcec82a1e4d93db2417b9fa0b89e7bfe006f3f49571abed653f35a3d2f626

See more details on using hashes here.

File details

Details for the file qualys_cli-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: qualys_cli-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 176.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for qualys_cli-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 6bbc7f5891148492894e6be49dd4db3a7c1c3e10c66b6eeca633dbf16d221579
MD5 f9da8c045a9ef075c834a91e94c3487a
BLAKE2b-256 4b0d0b48792ce554e8ccbede9797ddf4f67ca5bc930f0c5c19e98a4be490fc6a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page