Skip to main content

Unified command-line interface for the Qualys Cloud Platform REST APIs (VM, PC, PM, ETM, WAS, TotalCloud, Cloud Agent, Container Security, CSAM, Subscription, Asset, and User management).

Project description

Qualys

qualys-cli

PyPI Python License

A unified command-line interface for the Qualys Cloud Platform REST APIs — covering VM, PC, Patch Management, ETM, WAS, TotalCloud (TC), Cloud Agent (CA), Container Security (CS), CSAM, Subscription, Asset, and User management. Rich table output, JSON / YAML / JSONL export, automatic retry with backoff, JWT auto-refresh, OS-keyring credential storage, and a clean machine-readable mode for scripting and AI agents.

  ╭─────────────────────────────────────────────────╮
  │  qualys-cli   ·   273 endpoints, one CLI        │
  │  vm · pc · pm · etm · was · tc · ca · cs        │
  │  csam · sub · asset · user · scanauth           │
  ╰─────────────────────────────────────────────────╯

Installation

# Recommended — isolated install
pipx install qualys-cli

# Or into the current environment
pip install qualys-cli

Python 3.11 or newer. Works on macOS, Linux, and Windows.

Quick start

# 1. Configure credentials (interactive — password stored in OS keyring)
qualys-cli configure

# 2. Run any command
qualys-cli vm host list --limit 10
qualys-cli was webapp list
qualys-cli pm job list --format json

Non-interactive setup

qualys-cli configure \
  --url https://qualysapi.qualys.com \
  --username "$QUALYS_USERNAME" \
  --password "$QUALYS_PASSWORD" \
  --output-mode agentic

Credentials resolve in this priority order:

  1. QUALYS_URL / QUALYS_USERNAME / QUALYS_PASSWORD / QUALYS_TOKEN env vars
  2. OS keyring (per-profile entry)
  3. ~/.config/qualys-cli/config.toml

Multiple profiles via --profile <name> or QUALYS_PROFILE. List with qualys-cli profiles.

Output modes

The CLI has two top-level modes that govern the default output style:

Mode Default output Spinners / colours Use case
interactive Rich table (first 25 rows) Yes Humans in a terminal
agentic JSON, no decoration No Scripts, pipelines, AI agents

Switch the persistent default for a profile:

qualys-cli mode                # show current
qualys-cli mode agentic        # set agentic
qualys-cli mode interactive    # set interactive

Or set per-shell with export QUALYS_OUTPUT_MODE=agentic.

Per-command output flags

These work on every command and override the mode default:

Flag Behaviour
--format json Full JSON to stdout
--format jsonl One flattened JSON object per line (JSON Lines / NDJSON)
--format yaml YAML to stdout
--format table Rich table (forced)
--limit 0 Remove the default 25-row cap
--output-file results.json Dump full data to file (extension picks JSON or YAML)
-v, -vv Log requests (and response sizes); secrets never logged

Examples by module

VM (Vulnerability Management)

qualys-cli vm host list --ips 10.0.0.0/24
qualys-cli vm host detection --ips 10.0.0.0/24
qualys-cli vm scan launch --title "Weekly" --ip 10.0.1.0/24 --option-id 12345
qualys-cli vm scan fetch SCAN-REF-123 --output-file results.json

Patch Management (PM)

qualys-cli pm job list --format json
qualys-cli pm job create --name "Critical patches" \
  --patch-ids "12345,67890" --asset-group-ids "AG-1"
qualys-cli pm patch list --severity Critical

Web Application Scanning (WAS)

qualys-cli was webapp list --name "prod"
qualys-cli was webapp get 12345
qualys-cli was scan launch --webapp-id 12345 --name "Nightly WAS"
qualys-cli was finding list --webapp-id 12345 --severity 5
qualys-cli was report download 99999 --output-file was-report.pdf

TotalCloud (TC) — CSPM

qualys-cli tc connector list --provider AWS
qualys-cli tc evaluation list --provider AWS --account-id 123456789012
qualys-cli tc rule list --cloud-type AWS --rule-type simple_alert
qualys-cli tc exception list

Cloud Agent (CA), Container Security (CS), CSAM

qualys-cli ca agent list --status Active
qualys-cli ca actkey create --title "Linux Prod" --modules VM,PC

qualys-cli cs image list --filter "vulns.severity5Count:>0"
qualys-cli cs image get <sha>
qualys-cli cs container list --severity Critical

qualys-cli csam asset list --updated-after 2026-01-01T00:00Z
qualys-cli csam vuln list-easm --filter "vulnerability.cvss=GREATER=7"

Subscription, Asset, User

qualys-cli sub info
qualys-cli sub export --output-file sub-backup.xml
qualys-cli asset ip add --ips 10.0.0.0/24 --tracking-method IP
qualys-cli user create --username jdoe --first-name Jane --last-name Doe \
  --email jane@example.com --user-role scanner

Tip: append --help to any command (e.g. qualys-cli was scan launch --help) for the full flag set.

Bundled documentation

A comprehensive HTML usage reference covering every command ships inside the package. The docs command finds and opens it — no path guessing required, and it works identically for pip and pipx installs:

qualys-cli docs              # open the reference in your default browser
qualys-cli docs --no-open    # just print the file path (and size)
qualys-cli docs --stdout     # write the raw HTML to stdout (pipe it anywhere)

LLM / agent usage

The CLI is built to be safe to drive from a script or an AI agent:

# JSON output (set agentic mode persistently, or use --format json per call)
qualys-cli mode agentic
qualys-cli vm host list | jq '.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST'

# JSON Lines — one record per line, ideal for streaming
qualys-cli pm job list --format jsonl | jq -r '.id'

# Errors emitted as JSON on stderr when stderr is not a TTY
qualys-cli --profile nonexistent vm host list 2>/tmp/err.json
# {"error": "No username for profile 'nonexistent'...", "type": "configuration_error"}

Behaviour contract for agents:

  • stdout contains only data (JSON / JSONL / YAML / table text).
  • stderr carries status, spinners, and human-readable errors. All decoration is suppressed when stderr is not a TTY.
  • Exit code 0 = success, 1 = any error.
  • When stderr is not a TTY, errors are emitted as {"error": "...", "type": "..."} JSON.

Authentication

Module group Auth Endpoint family
VM, PC, Asset, User, ScanAuth, Sub, WAS HTTP Basic /api/2.0/fo/, /qps/rest/
TC, PM, ETM, CS, CSAM JWT Bearer API gateway (/csapi/, /etm/)
CA agent ops HTTP Basic /qps/rest/
CA activation-key / config JWT Bearer /caui/v1/

JWT tokens are fetched via POST /auth, cached in config.toml, and auto-refreshed on 401.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qualys_cli-0.1.5.tar.gz (218.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

qualys_cli-0.1.5-py3-none-any.whl (182.2 kB view details)

Uploaded Python 3

File details

Details for the file qualys_cli-0.1.5.tar.gz.

File metadata

  • Download URL: qualys_cli-0.1.5.tar.gz
  • Upload date:
  • Size: 218.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for qualys_cli-0.1.5.tar.gz
Algorithm Hash digest
SHA256 b68bbf38315584cc559c0825b988babbd0e1300445e4c823ce3227e4304cb2f3
MD5 a5824ee555ef268bba2c793139d2d176
BLAKE2b-256 66cbf10b5d25310fc6dc6b82c218ddbd1f53b55b377651fda864e74a009f7e09

See more details on using hashes here.

File details

Details for the file qualys_cli-0.1.5-py3-none-any.whl.

File metadata

  • Download URL: qualys_cli-0.1.5-py3-none-any.whl
  • Upload date:
  • Size: 182.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for qualys_cli-0.1.5-py3-none-any.whl
Algorithm Hash digest
SHA256 fa5e6c7a2ffa9f8b3effd0e79dc76c672d684fe1f91d8fdaf8aed4c1ffc7e427
MD5 53b239eabedabe4848f36673fdea017a
BLAKE2b-256 4af5e91af6dc83e5f8668aba3ce1346baf158fc453de0f1144291c24bae06acb

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page