Unified command-line interface for the Qualys Cloud Platform REST APIs (VM, PC, PM, ETM, WAS, TotalCloud, Cloud Agent, Container Security, CSAM, Subscription, Asset, and User management).
Project description
qualys-cli
A unified command-line interface for the Qualys Cloud Platform REST APIs — covering VM, PC, Patch Management, ETM, WAS, TotalCloud (TC), Cloud Agent (CA), Container Security (CS), CSAM, Subscription, Asset, and User management. Rich table output, JSON / YAML / JSONL export, automatic retry with backoff, JWT auto-refresh, OS-keyring credential storage, and a clean machine-readable mode for scripting and AI agents.
╭─────────────────────────────────────────────────╮
│ qualys-cli · 273 endpoints, one CLI │
│ vm · pc · pm · etm · was · tc · ca · cs │
│ csam · sub · asset · user · scanauth │
╰─────────────────────────────────────────────────╯
Installation
# Recommended — isolated install
pipx install qualys-cli
# Or into the current environment
pip install qualys-cli
Python 3.11 or newer. Works on macOS, Linux, and Windows.
Quick start
# 1. Configure credentials (interactive — password stored in OS keyring)
qualys-cli configure
# 2. Run any command
qualys-cli vm host list --limit 10
qualys-cli was webapp list
qualys-cli pm job list --format json
Non-interactive setup
qualys-cli configure \
--url https://qualysapi.qualys.com \
--username "$QUALYS_USERNAME" \
--password "$QUALYS_PASSWORD" \
--output-mode agentic
Credentials resolve in this priority order:
QUALYS_URL/QUALYS_USERNAME/QUALYS_PASSWORD/QUALYS_TOKENenv vars- OS keyring (per-profile entry)
~/.config/qualys-cli/config.toml
Multiple profiles via --profile <name> or QUALYS_PROFILE. List with qualys-cli profiles.
Output modes
The CLI has two top-level modes that govern the default output style:
| Mode | Default output | Spinners / colours | Use case |
|---|---|---|---|
interactive |
Rich table (first 25 rows) | Yes | Humans in a terminal |
agentic |
JSON, no decoration | No | Scripts, pipelines, AI agents |
Switch the persistent default for a profile:
qualys-cli mode # show current
qualys-cli mode agentic # set agentic
qualys-cli mode interactive # set interactive
Or set per-shell with export QUALYS_OUTPUT_MODE=agentic.
Per-command output flags
These work on every command and override the mode default:
| Flag | Behaviour |
|---|---|
--format json |
Full JSON to stdout |
--format jsonl |
One flattened JSON object per line (JSON Lines / NDJSON) |
--format yaml |
YAML to stdout |
--format table |
Rich table (forced) |
--limit 0 |
Remove the default 25-row cap |
--output-file results.json |
Dump full data to file (extension picks JSON or YAML) |
-v, -vv |
Log requests (and response sizes); secrets never logged |
Examples by module
VM (Vulnerability Management)
qualys-cli vm host list --ips 10.0.0.0/24
qualys-cli vm host detection --ips 10.0.0.0/24
qualys-cli vm scan launch --title "Weekly" --ip 10.0.1.0/24 --option-id 12345
qualys-cli vm scan fetch SCAN-REF-123 --output-file results.json
Patch Management (PM)
qualys-cli pm job list --format json
qualys-cli pm job create --name "Critical patches" \
--patch-ids "12345,67890" --asset-group-ids "AG-1"
qualys-cli pm patch list --severity Critical
Web Application Scanning (WAS)
qualys-cli was webapp list --name "prod"
qualys-cli was webapp get 12345
qualys-cli was scan launch --webapp-id 12345 --name "Nightly WAS"
qualys-cli was finding list --webapp-id 12345 --severity 5
qualys-cli was report download 99999 --output-file was-report.pdf
TotalCloud (TC) — CSPM
qualys-cli tc connector list --provider AWS
qualys-cli tc evaluation list --provider AWS --account-id 123456789012
qualys-cli tc rule list --cloud-type AWS --rule-type simple_alert
qualys-cli tc exception list
Cloud Agent (CA), Container Security (CS), CSAM
qualys-cli ca agent list --status Active
qualys-cli ca actkey create --title "Linux Prod" --modules VM,PC
qualys-cli cs image list --filter "vulns.severity5Count:>0"
qualys-cli cs image get <sha>
qualys-cli cs container list --severity Critical
qualys-cli csam asset list --updated-after 2026-01-01T00:00Z
qualys-cli csam vuln list-easm --filter "vulnerability.cvss=GREATER=7"
Subscription, Asset, User
qualys-cli sub info
qualys-cli sub export --output-file sub-backup.xml
qualys-cli asset ip add --ips 10.0.0.0/24 --tracking-method IP
qualys-cli user create --username jdoe --first-name Jane --last-name Doe \
--email jane@example.com --user-role scanner
Tip: append --help to any command (e.g. qualys-cli was scan launch --help)
for the full flag set.
Bundled documentation
A comprehensive usage reference covering all 273 endpoints ships inside the
package as usage.html. Locate it after installation with:
python -c "import sys; print(sys.prefix + '/share/qualys-cli/docs/usage.html')"
LLM / agent usage
The CLI is built to be safe to drive from a script or an AI agent:
# JSON output (set agentic mode persistently, or use --format json per call)
qualys-cli mode agentic
qualys-cli vm host list | jq '.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST'
# JSON Lines — one record per line, ideal for streaming
qualys-cli pm job list --format jsonl | jq -r '.id'
# Errors emitted as JSON on stderr when stderr is not a TTY
qualys-cli --profile nonexistent vm host list 2>/tmp/err.json
# {"error": "No username for profile 'nonexistent'...", "type": "configuration_error"}
Behaviour contract for agents:
stdoutcontains only data (JSON / JSONL / YAML / table text).stderrcarries status, spinners, and human-readable errors. All decoration is suppressed when stderr is not a TTY.- Exit code
0= success,1= any error. - When stderr is not a TTY, errors are emitted as
{"error": "...", "type": "..."}JSON.
Authentication
| Module group | Auth | Endpoint family |
|---|---|---|
| VM, PC, Asset, User, ScanAuth, Sub, WAS | HTTP Basic | /api/2.0/fo/, /qps/rest/ |
| TC, PM, ETM, CS, CSAM | JWT Bearer | API gateway (/csapi/, /etm/) |
| CA agent ops | HTTP Basic | /qps/rest/ |
| CA activation-key / config | JWT Bearer | /caui/v1/ |
JWT tokens are fetched via POST /auth, cached in config.toml, and
auto-refreshed on 401.
License
MIT
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file qualys_cli-0.1.2.tar.gz.
File metadata
- Download URL: qualys_cli-0.1.2.tar.gz
- Upload date:
- Size: 208.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7165e37e37ec676cf6feebe5a5fbf6a967063f5dccd18b6a9a7966dc0ed536c8
|
|
| MD5 |
d78d6d059d8de59ce1189750927b1505
|
|
| BLAKE2b-256 |
679bedb31108fc13e8c697f7cfb77972149df00b68f807277b834059635737e0
|
File details
Details for the file qualys_cli-0.1.2-py3-none-any.whl.
File metadata
- Download URL: qualys_cli-0.1.2-py3-none-any.whl
- Upload date:
- Size: 176.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
18f64428ae7608eb0e817f37ea4607c6aa8a2adfb30f6f2596dd31597408f6a1
|
|
| MD5 |
521c7cb1c4c0869162f9477a52d18daa
|
|
| BLAKE2b-256 |
058ccf52603fd5985917087c670336e53dac58c2cd5ebd23424c8b2252252046
|