Skip to main content

Unified command-line interface for the Qualys Cloud Platform REST APIs (VM, PC, PM, ETM, WAS, TotalCloud, Cloud Agent, Container Security, CSAM, Subscription, Asset, and User management).

Project description

qualys-cli

PyPI Python License

A unified command-line interface for the Qualys Cloud Platform REST APIs — covering VM, PC, Patch Management, ETM, WAS, TotalCloud (TC), Cloud Agent (CA), Container Security (CS), CSAM, Subscription, Asset, and User management. Rich table output, JSON / YAML / JSONL export, automatic retry with backoff, JWT auto-refresh, OS-keyring credential storage, and a clean machine-readable mode for scripting and AI agents.

  ╭─────────────────────────────────────────────────╮
  │  qualys-cli   ·   273 endpoints, one CLI        │
  │  vm · pc · pm · etm · was · tc · ca · cs        │
  │  csam · sub · asset · user · scanauth           │
  ╰─────────────────────────────────────────────────╯

Installation

# Recommended — isolated install
pipx install qualys-cli

# Or into the current environment
pip install qualys-cli

Python 3.11 or newer. Works on macOS, Linux, and Windows.

Quick start

# 1. Configure credentials (interactive — password stored in OS keyring)
qualys-cli configure

# 2. Run any command
qualys-cli vm host list --limit 10
qualys-cli was webapp list
qualys-cli pm job list --format json

Non-interactive setup

qualys-cli configure \
  --url https://qualysapi.qualys.com \
  --username "$QUALYS_USERNAME" \
  --password "$QUALYS_PASSWORD" \
  --output-mode agentic

Credentials resolve in this priority order:

  1. QUALYS_URL / QUALYS_USERNAME / QUALYS_PASSWORD / QUALYS_TOKEN env vars
  2. OS keyring (per-profile entry)
  3. ~/.config/qualys-cli/config.toml

Multiple profiles via --profile <name> or QUALYS_PROFILE. List with qualys-cli profiles.

Output modes

The CLI has two top-level modes that govern the default output style:

Mode Default output Spinners / colours Use case
interactive Rich table (first 25 rows) Yes Humans in a terminal
agentic JSON, no decoration No Scripts, pipelines, AI agents

Switch the persistent default for a profile:

qualys-cli mode                # show current
qualys-cli mode agentic        # set agentic
qualys-cli mode interactive    # set interactive

Or set per-shell with export QUALYS_OUTPUT_MODE=agentic.

Per-command output flags

These work on every command and override the mode default:

Flag Behaviour
--format json Full JSON to stdout
--format jsonl One flattened JSON object per line (JSON Lines / NDJSON)
--format yaml YAML to stdout
--format table Rich table (forced)
--limit 0 Remove the default 25-row cap
--output-file results.json Dump full data to file (extension picks JSON or YAML)
-v, -vv Log requests (and response sizes); secrets never logged

Examples by module

VM (Vulnerability Management)

qualys-cli vm host list --ips 10.0.0.0/24
qualys-cli vm host detection --ips 10.0.0.0/24
qualys-cli vm scan launch --title "Weekly" --ip 10.0.1.0/24 --option-id 12345
qualys-cli vm scan fetch SCAN-REF-123 --output-file results.json

Patch Management (PM)

qualys-cli pm job list --format json
qualys-cli pm job create --name "Critical patches" \
  --patch-ids "12345,67890" --asset-group-ids "AG-1"
qualys-cli pm patch list --severity Critical

Web Application Scanning (WAS)

qualys-cli was webapp list --name "prod"
qualys-cli was webapp get 12345
qualys-cli was scan launch --webapp-id 12345 --name "Nightly WAS"
qualys-cli was finding list --webapp-id 12345 --severity 5
qualys-cli was report download 99999 --output-file was-report.pdf

TotalCloud (TC) — CSPM

qualys-cli tc connector list --provider AWS
qualys-cli tc evaluation list --provider AWS --account-id 123456789012
qualys-cli tc rule list --cloud-type AWS --rule-type simple_alert
qualys-cli tc exception list

Cloud Agent (CA), Container Security (CS), CSAM

qualys-cli ca agent list --status Active
qualys-cli ca actkey create --title "Linux Prod" --modules VM,PC

qualys-cli cs image list --filter "vulns.severity5Count:>0"
qualys-cli cs image get <sha>
qualys-cli cs container list --severity Critical

qualys-cli csam asset list --updated-after 2026-01-01T00:00Z
qualys-cli csam vuln list-easm --filter "vulnerability.cvss=GREATER=7"

Subscription, Asset, User

qualys-cli sub info
qualys-cli sub export --output-file sub-backup.xml
qualys-cli asset ip add --ips 10.0.0.0/24 --tracking-method IP
qualys-cli user create --username jdoe --first-name Jane --last-name Doe \
  --email jane@example.com --user-role scanner

Tip: append --help to any command (e.g. qualys-cli was scan launch --help) for the full flag set.

Bundled documentation

A comprehensive usage reference covering all 273 endpoints ships inside the package as usage.html. Locate it after installation with:

python -c "import sys; print(sys.prefix + '/share/qualys-cli/docs/usage.html')"

LLM / agent usage

The CLI is built to be safe to drive from a script or an AI agent:

# JSON output (set agentic mode persistently, or use --format json per call)
qualys-cli mode agentic
qualys-cli vm host list | jq '.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST'

# JSON Lines — one record per line, ideal for streaming
qualys-cli pm job list --format jsonl | jq -r '.id'

# Errors emitted as JSON on stderr when stderr is not a TTY
qualys-cli --profile nonexistent vm host list 2>/tmp/err.json
# {"error": "No username for profile 'nonexistent'...", "type": "configuration_error"}

Behaviour contract for agents:

  • stdout contains only data (JSON / JSONL / YAML / table text).
  • stderr carries status, spinners, and human-readable errors. All decoration is suppressed when stderr is not a TTY.
  • Exit code 0 = success, 1 = any error.
  • When stderr is not a TTY, errors are emitted as {"error": "...", "type": "..."} JSON.

Authentication

Module group Auth Endpoint family
VM, PC, Asset, User, ScanAuth, Sub, WAS HTTP Basic /api/2.0/fo/, /qps/rest/
TC, PM, ETM, CS, CSAM JWT Bearer API gateway (/csapi/, /etm/)
CA agent ops HTTP Basic /qps/rest/
CA activation-key / config JWT Bearer /caui/v1/

JWT tokens are fetched via POST /auth, cached in config.toml, and auto-refreshed on 401.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qualys_cli-0.1.2.tar.gz (208.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

qualys_cli-0.1.2-py3-none-any.whl (176.2 kB view details)

Uploaded Python 3

File details

Details for the file qualys_cli-0.1.2.tar.gz.

File metadata

  • Download URL: qualys_cli-0.1.2.tar.gz
  • Upload date:
  • Size: 208.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for qualys_cli-0.1.2.tar.gz
Algorithm Hash digest
SHA256 7165e37e37ec676cf6feebe5a5fbf6a967063f5dccd18b6a9a7966dc0ed536c8
MD5 d78d6d059d8de59ce1189750927b1505
BLAKE2b-256 679bedb31108fc13e8c697f7cfb77972149df00b68f807277b834059635737e0

See more details on using hashes here.

File details

Details for the file qualys_cli-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: qualys_cli-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 176.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for qualys_cli-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 18f64428ae7608eb0e817f37ea4607c6aa8a2adfb30f6f2596dd31597408f6a1
MD5 521c7cb1c4c0869162f9477a52d18daa
BLAKE2b-256 058ccf52603fd5985917087c670336e53dac58c2cd5ebd23424c8b2252252046

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page