qualys-cli 0.1.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- qualys_cli-0.1.1/.gitignore +40 -0
- qualys_cli-0.1.1/CHANGELOG.md +107 -0
- qualys_cli-0.1.1/LICENSE +21 -0
- qualys_cli-0.1.1/PKG-INFO +319 -0
- qualys_cli-0.1.1/README.md +252 -0
- qualys_cli-0.1.1/docs/usage.html +1230 -0
- qualys_cli-0.1.1/pyproject.toml +178 -0
- qualys_cli-0.1.1/src/qualys_cli/__init__.py +1 -0
- qualys_cli-0.1.1/src/qualys_cli/__main__.py +8 -0
- qualys_cli-0.1.1/src/qualys_cli/audit.py +616 -0
- qualys_cli-0.1.1/src/qualys_cli/auth.py +187 -0
- qualys_cli-0.1.1/src/qualys_cli/cache.py +123 -0
- qualys_cli-0.1.1/src/qualys_cli/cli.py +1168 -0
- qualys_cli-0.1.1/src/qualys_cli/client.py +1043 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/__init__.py +0 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/asset.py +183 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/ca.py +403 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/cs.py +410 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/csam.py +752 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/etm.py +170 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/pc.py +255 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/pm.py +412 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/scanauth.py +291 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/sub.py +163 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/tc.py +539 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/user.py +104 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/vm.py +562 -0
- qualys_cli-0.1.1/src/qualys_cli/commands/was.py +1278 -0
- qualys_cli-0.1.1/src/qualys_cli/config.py +331 -0
- qualys_cli-0.1.1/src/qualys_cli/extras.py +702 -0
- qualys_cli-0.1.1/src/qualys_cli/flair.py +202 -0
- qualys_cli-0.1.1/src/qualys_cli/formatters.py +896 -0
- qualys_cli-0.1.1/src/qualys_cli/history.py +133 -0
- qualys_cli-0.1.1/src/qualys_cli/http_server.py +126 -0
- qualys_cli-0.1.1/src/qualys_cli/mcp_server.py +341 -0
- qualys_cli-0.1.1/src/qualys_cli/metrics.py +106 -0
- qualys_cli-0.1.1/src/qualys_cli/platforms.py +67 -0
- qualys_cli-0.1.1/src/qualys_cli/queries.py +137 -0
- qualys_cli-0.1.1/tests/__init__.py +0 -0
- qualys_cli-0.1.1/tests/conftest.py +43 -0
- qualys_cli-0.1.1/tests/test_agent_mode.py +199 -0
- qualys_cli-0.1.1/tests/test_all_commands_smoke.py +328 -0
- qualys_cli-0.1.1/tests/test_asset.py +120 -0
- qualys_cli-0.1.1/tests/test_audit.py +276 -0
- qualys_cli-0.1.1/tests/test_ca.py +257 -0
- qualys_cli-0.1.1/tests/test_client.py +77 -0
- qualys_cli-0.1.1/tests/test_csam.py +378 -0
- qualys_cli-0.1.1/tests/test_error_handling.py +131 -0
- qualys_cli-0.1.1/tests/test_etm.py +186 -0
- qualys_cli-0.1.1/tests/test_features.py +590 -0
- qualys_cli-0.1.1/tests/test_flair.py +120 -0
- qualys_cli-0.1.1/tests/test_formatters.py +338 -0
- qualys_cli-0.1.1/tests/test_global_flags.py +342 -0
- qualys_cli-0.1.1/tests/test_help.py +102 -0
- qualys_cli-0.1.1/tests/test_high_fixes.py +393 -0
- qualys_cli-0.1.1/tests/test_main.py +28 -0
- qualys_cli-0.1.1/tests/test_med_fixes.py +272 -0
- qualys_cli-0.1.1/tests/test_pc.py +159 -0
- qualys_cli-0.1.1/tests/test_pm.py +57 -0
- qualys_cli-0.1.1/tests/test_resiliency.py +270 -0
- qualys_cli-0.1.1/tests/test_scanauth.py +184 -0
- qualys_cli-0.1.1/tests/test_security_fixes.py +366 -0
- qualys_cli-0.1.1/tests/test_sub.py +137 -0
- qualys_cli-0.1.1/tests/test_tc.py +319 -0
- qualys_cli-0.1.1/tests/test_user.py +107 -0
- qualys_cli-0.1.1/tests/test_vm.py +182 -0
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
.venv/
|
|
2
|
+
.install-check/
|
|
3
|
+
__pycache__/
|
|
4
|
+
*.pyc
|
|
5
|
+
*.pyo
|
|
6
|
+
.cache/
|
|
7
|
+
dist/
|
|
8
|
+
build/
|
|
9
|
+
*.egg-info/
|
|
10
|
+
.mypy_cache/
|
|
11
|
+
.ruff_cache/
|
|
12
|
+
.pytest_cache/
|
|
13
|
+
.coverage
|
|
14
|
+
.coverage.*
|
|
15
|
+
htmlcov/
|
|
16
|
+
coverage.xml
|
|
17
|
+
.tox/
|
|
18
|
+
|
|
19
|
+
# IDE
|
|
20
|
+
.idea/
|
|
21
|
+
.vscode/
|
|
22
|
+
*.swp
|
|
23
|
+
*.swo
|
|
24
|
+
|
|
25
|
+
# OS
|
|
26
|
+
.DS_Store
|
|
27
|
+
Thumbs.db
|
|
28
|
+
|
|
29
|
+
# Env / secrets
|
|
30
|
+
.env
|
|
31
|
+
.env.*
|
|
32
|
+
!.env.example
|
|
33
|
+
|
|
34
|
+
# Development / internal files (not for PyPI)
|
|
35
|
+
CLAUDE.md
|
|
36
|
+
.claude/
|
|
37
|
+
user-prefs-export.xml
|
|
38
|
+
api-model.json
|
|
39
|
+
docs/design.md
|
|
40
|
+
packaging/
|
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to `qualys-cli` are documented here. Format follows
|
|
4
|
+
[Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the project adheres
|
|
5
|
+
to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
6
|
+
|
|
7
|
+
## [Unreleased]
|
|
8
|
+
|
|
9
|
+
## [0.1.1] — 2026-07-08
|
|
10
|
+
|
|
11
|
+
### Security
|
|
12
|
+
- `locked_mode` is now actually enforced (previously documented but a no-op):
|
|
13
|
+
refuses free-form `--output-file` writes, suppresses `-v`/`-vv` request
|
|
14
|
+
logging, and refuses to run against a profile that still has a plaintext
|
|
15
|
+
password in `config.toml`.
|
|
16
|
+
- Fixed a path-traversal vulnerability in command history (`--profile` /
|
|
17
|
+
`qualys-cli replay <correlation_id>`) that could read or write files outside
|
|
18
|
+
the history directory.
|
|
19
|
+
- Removed the wildcard `Access-Control-Allow-Origin: *` CORS header from the
|
|
20
|
+
local `qualys-cli serve` HTTP server — it allowed any website open in the
|
|
21
|
+
operator's browser to drive `POST /run` (arbitrary command execution)
|
|
22
|
+
cross-origin.
|
|
23
|
+
- `qualys-cli configure`: a failed/unavailable OS keyring write no longer
|
|
24
|
+
silently loses the password. It now falls back to plaintext storage in
|
|
25
|
+
`config.toml` with an explicit warning (previously the credential was
|
|
26
|
+
stored nowhere and auth failed on the next command with a confusing error).
|
|
27
|
+
- `--password` on `qualys-cli configure` now warns that passing secrets as a
|
|
28
|
+
CLI flag can leak via shell history / `ps`; prefer the interactive prompt
|
|
29
|
+
or `QUALYS_PASSWORD`.
|
|
30
|
+
- Tightened the POST-retry heuristic so mutating endpoints that happen to
|
|
31
|
+
contain `/search/` or `/count/` in their path (e.g. `.../search/reset`,
|
|
32
|
+
`.../count/purge`) are no longer auto-retried as if they were idempotent.
|
|
33
|
+
|
|
34
|
+
### Fixed
|
|
35
|
+
- `pc scan-schedule list` / `delete`: corrected endpoint from
|
|
36
|
+
`/api/2.0/fo/schedule/compliance/` to `/api/2.0/fo/schedule/scan/compliance/`.
|
|
37
|
+
- `pc option-profile list`: corrected endpoint from
|
|
38
|
+
`/api/2.0/fo/subscription/option_profile/compliance/` to
|
|
39
|
+
`.../option_profile/pc/`.
|
|
40
|
+
- `tc evaluation list`: now requires `--account-id` and targets
|
|
41
|
+
`/cloudview-api/rest/v1/{provider}/evaluations/{accountId}` per the API spec
|
|
42
|
+
(the previous unparameterised path returned 404).
|
|
43
|
+
- `pm job get` / `runs` / `summary` / `create` / `update`: corrected to use the
|
|
44
|
+
documented `/pm/v1/deploymentjob/...` (singular) family. `update` switched
|
|
45
|
+
from PUT to PATCH at `/pm/v1/deploymentjob/update/{id}`. `summary` now hits
|
|
46
|
+
`.../{id}/deploymentjobresult/summary`.
|
|
47
|
+
- `pm job change-status`: rewritten to match
|
|
48
|
+
`POST /pm/v1/deploymentjobs/update/status/{Enabled|Disabled}` with `jobIds`
|
|
49
|
+
body — accepts a comma-separated list of job IDs and an action argument.
|
|
50
|
+
- `csam domain count`: switched from GET to POST and added optional
|
|
51
|
+
`--type` / `--filter-type` per the documented body parameters.
|
|
52
|
+
- `csam org count`: added missing `--format` / `--output-file` flags so
|
|
53
|
+
`--format json` no longer rejects the option.
|
|
54
|
+
- `was scan status`: added missing `--format` / `--output-file` flags.
|
|
55
|
+
- `batch --output-file` to a path with a missing parent directory now creates
|
|
56
|
+
the directory (or fails cleanly) instead of crashing with an unhandled
|
|
57
|
+
`OSError`.
|
|
58
|
+
|
|
59
|
+
### Changed
|
|
60
|
+
- `vm kb list` now requires at least one scoping flag
|
|
61
|
+
(`--ids`, `--id-min`/`--id-max`, `--cve`, `--published-after`, or
|
|
62
|
+
`--last-modified-after`). The unfiltered KnowledgeBase exceeded the request
|
|
63
|
+
read timeout and the in-memory body cap.
|
|
64
|
+
- `pc posture list`: `--policy-id` is now required (the API mandates it; the
|
|
65
|
+
previous behaviour surfaced a backend error).
|
|
66
|
+
|
|
67
|
+
## [0.1.0] — 2026-05-02
|
|
68
|
+
|
|
69
|
+
Initial public release.
|
|
70
|
+
|
|
71
|
+
### Added
|
|
72
|
+
- Coverage of 273 Qualys REST endpoints across modules: VM, PC, PM, ETM, WAS,
|
|
73
|
+
TotalCloud (TC), Cloud Agent (CA), Container Security (CS), CSAM, Asset, User,
|
|
74
|
+
Subscription (Sub), Scan Auth.
|
|
75
|
+
- Dual auth: HTTP Basic and JWT Bearer, selected per-command. JWT tokens are
|
|
76
|
+
fetched via `/auth` and cached in the local config file; refreshed on 401.
|
|
77
|
+
- API gateway routing: PM, ETM, CS, CSAM, TC, and CA config commands target
|
|
78
|
+
the regional gateway URL automatically.
|
|
79
|
+
- Profile system with credentials resolved from env vars → OS keyring →
|
|
80
|
+
`~/.config/qualys-cli/config.toml`. Multiple named profiles supported via
|
|
81
|
+
`--profile` or `QUALYS_PROFILE`.
|
|
82
|
+
- Platform auto-detection from username — sets API and gateway URLs based on
|
|
83
|
+
the user's Qualys POD without manual configuration.
|
|
84
|
+
- Output modes: `interactive` (rich tables + colours) and `agentic` (JSON, no
|
|
85
|
+
decoration) — switchable via `qualys-cli mode <mode>` or
|
|
86
|
+
`QUALYS_OUTPUT_MODE`. Per-command overrides via `--format json|jsonl|yaml|table`.
|
|
87
|
+
- Bulk export to file via `--output-file` (JSON / YAML auto-detected from
|
|
88
|
+
extension); table still rendered to terminal.
|
|
89
|
+
- Pagination helpers for both Qualys QPS XML cursor responses and JSON
|
|
90
|
+
page-numbered APIs.
|
|
91
|
+
- Automatic retry with exponential backoff on connection errors and 5xx; honours
|
|
92
|
+
`Retry-After` on 429.
|
|
93
|
+
- Structured error extraction from XML (`SIMPLE_RETURN`, `ServiceResponse`) and
|
|
94
|
+
JSON error bodies. Errors emitted as JSON on stderr when stderr is not a TTY.
|
|
95
|
+
- `-v` / `-vv` request logging (secrets never logged).
|
|
96
|
+
- `qualys-cli configure` interactive wizard and `qualys-cli profiles` listing.
|
|
97
|
+
|
|
98
|
+
### Internal
|
|
99
|
+
- 30 unit tests covering client, formatters, agent mode, and PM smoke tests.
|
|
100
|
+
- Strict mypy on core modules (`client`, `config`, `formatters`, `auth`,
|
|
101
|
+
`platforms`); relaxed on auto-generated command modules.
|
|
102
|
+
- Ruff lint clean (E, F, I, UP, B, C4, SIM rule sets).
|
|
103
|
+
- Codegen pipeline (`scripts/`) is opt-in via the `codegen` extra.
|
|
104
|
+
|
|
105
|
+
[Unreleased]: https://github.com/qualys/qualys-cli/compare/v0.1.1...HEAD
|
|
106
|
+
[0.1.1]: https://github.com/qualys/qualys-cli/compare/v0.1.0...v0.1.1
|
|
107
|
+
[0.1.0]: https://github.com/qualys/qualys-cli/releases/tag/v0.1.0
|
qualys_cli-0.1.1/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 qualys-cli contributors
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,319 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: qualys-cli
|
|
3
|
+
Version: 0.1.1
|
|
4
|
+
Summary: Command-line interface for the Qualys REST APIs (VM, PC, PM, ETM, WAS, TC, CA, CS, CSAM, Sub, Asset, User).
|
|
5
|
+
Project-URL: Homepage, https://github.com/qualys/qualys-cli
|
|
6
|
+
Project-URL: Documentation, https://github.com/qualys/qualys-cli#readme
|
|
7
|
+
Project-URL: Issues, https://github.com/qualys/qualys-cli/issues
|
|
8
|
+
Project-URL: Changelog, https://github.com/qualys/qualys-cli/blob/main/CHANGELOG.md
|
|
9
|
+
Author: qualys-cli contributors
|
|
10
|
+
License: MIT License
|
|
11
|
+
|
|
12
|
+
Copyright (c) 2026 qualys-cli contributors
|
|
13
|
+
|
|
14
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
15
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
16
|
+
in the Software without restriction, including without limitation the rights
|
|
17
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
18
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
19
|
+
furnished to do so, subject to the following conditions:
|
|
20
|
+
|
|
21
|
+
The above copyright notice and this permission notice shall be included in all
|
|
22
|
+
copies or substantial portions of the Software.
|
|
23
|
+
|
|
24
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
25
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
26
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
27
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
28
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
29
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
30
|
+
SOFTWARE.
|
|
31
|
+
License-File: LICENSE
|
|
32
|
+
Keywords: cli,cspm,patch-management,qualys,security,vm,vulnerability-management
|
|
33
|
+
Classifier: Development Status :: 4 - Beta
|
|
34
|
+
Classifier: Environment :: Console
|
|
35
|
+
Classifier: Intended Audience :: Information Technology
|
|
36
|
+
Classifier: Intended Audience :: System Administrators
|
|
37
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
38
|
+
Classifier: Operating System :: MacOS
|
|
39
|
+
Classifier: Operating System :: Microsoft :: Windows
|
|
40
|
+
Classifier: Operating System :: POSIX
|
|
41
|
+
Classifier: Programming Language :: Python :: 3
|
|
42
|
+
Classifier: Programming Language :: Python :: 3 :: Only
|
|
43
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
44
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
45
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
46
|
+
Classifier: Topic :: Security
|
|
47
|
+
Classifier: Topic :: System :: Systems Administration
|
|
48
|
+
Classifier: Topic :: Utilities
|
|
49
|
+
Requires-Python: >=3.11
|
|
50
|
+
Requires-Dist: brotli>=1.1
|
|
51
|
+
Requires-Dist: click>=8.1
|
|
52
|
+
Requires-Dist: httpx>=0.27
|
|
53
|
+
Requires-Dist: keyring>=24
|
|
54
|
+
Requires-Dist: pyyaml>=6
|
|
55
|
+
Requires-Dist: rich>=13
|
|
56
|
+
Requires-Dist: typer<0.26,>=0.12
|
|
57
|
+
Requires-Dist: xmltodict>=0.13
|
|
58
|
+
Requires-Dist: zstandard>=0.22
|
|
59
|
+
Provides-Extra: codegen
|
|
60
|
+
Requires-Dist: anthropic>=0.30; extra == 'codegen'
|
|
61
|
+
Requires-Dist: defusedxml>=0.7; extra == 'codegen'
|
|
62
|
+
Requires-Dist: pydantic>=2; extra == 'codegen'
|
|
63
|
+
Requires-Dist: pypdf>=4; extra == 'codegen'
|
|
64
|
+
Requires-Dist: selectolax>=0.3; extra == 'codegen'
|
|
65
|
+
Requires-Dist: trafilatura>=1.9; extra == 'codegen'
|
|
66
|
+
Description-Content-Type: text/markdown
|
|
67
|
+
|
|
68
|
+
# qualys-cli
|
|
69
|
+
|
|
70
|
+
[](https://github.com/qualys/qualys-cli/actions/workflows/ci.yml)
|
|
71
|
+
[](https://pypi.org/project/qualys-cli/)
|
|
72
|
+
[](https://pypi.org/project/qualys-cli/)
|
|
73
|
+
[](LICENSE)
|
|
74
|
+
|
|
75
|
+
A unified command-line interface for the Qualys REST APIs — covering VM, PC,
|
|
76
|
+
Patch Management, ETM, WAS, TotalCloud (TC), Cloud Agent (CA), Container
|
|
77
|
+
Security (CS), CSAM, Subscription, Asset, and User management. Rich table
|
|
78
|
+
output, JSON / YAML / JSONL export, automatic retry with backoff, JWT auto-
|
|
79
|
+
refresh, OS-keyring credential storage, and a clean machine-readable mode for
|
|
80
|
+
scripting and AI agents.
|
|
81
|
+
|
|
82
|
+
```text
|
|
83
|
+
╭─────────────────────────────────────────────────╮
|
|
84
|
+
│ qualys-cli · 273 endpoints, one CLI │
|
|
85
|
+
│ vm · pc · pm · etm · was · tc · ca · cs │
|
|
86
|
+
│ csam · sub · asset · user · scanauth │
|
|
87
|
+
╰─────────────────────────────────────────────────╯
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
## Install
|
|
91
|
+
|
|
92
|
+
```bash
|
|
93
|
+
# End user (recommended)
|
|
94
|
+
pipx install qualys-cli
|
|
95
|
+
|
|
96
|
+
# Or from source
|
|
97
|
+
pipx install git+https://github.com/qualys/qualys-cli
|
|
98
|
+
|
|
99
|
+
# Development
|
|
100
|
+
git clone https://github.com/qualys/qualys-cli && cd qualys-cli
|
|
101
|
+
uv sync
|
|
102
|
+
uv run qualys-cli --help
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
Python 3.11+ required. Works on macOS, Linux, and Windows.
|
|
106
|
+
|
|
107
|
+
## Quick start
|
|
108
|
+
|
|
109
|
+
```bash
|
|
110
|
+
# 1. Configure credentials (interactive — password stored in OS keyring)
|
|
111
|
+
qualys-cli configure
|
|
112
|
+
|
|
113
|
+
# 2. Run any command
|
|
114
|
+
qualys-cli vm host list --limit 10
|
|
115
|
+
qualys-cli was webapp list
|
|
116
|
+
qualys-cli pm job list --format json
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
### Non-interactive setup (CI / Docker)
|
|
120
|
+
|
|
121
|
+
```bash
|
|
122
|
+
qualys-cli configure \
|
|
123
|
+
--url https://qualysapi.qualys.com \
|
|
124
|
+
--username "$QUALYS_USERNAME" \
|
|
125
|
+
--password "$QUALYS_PASSWORD" \
|
|
126
|
+
--output-mode agentic
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
Credentials resolve in this priority order:
|
|
130
|
+
1. `QUALYS_URL` / `QUALYS_USERNAME` / `QUALYS_PASSWORD` / `QUALYS_TOKEN` env vars
|
|
131
|
+
2. OS keyring (per-profile entry)
|
|
132
|
+
3. `~/.config/qualys-cli/config.toml`
|
|
133
|
+
|
|
134
|
+
Multiple profiles via `--profile <name>` or `QUALYS_PROFILE`. List with `qualys-cli profiles`.
|
|
135
|
+
|
|
136
|
+
## Output modes
|
|
137
|
+
|
|
138
|
+
The CLI has two top-level modes that govern the *default* output style:
|
|
139
|
+
|
|
140
|
+
| Mode | Default output | Spinners / colours | Use case |
|
|
141
|
+
|---------------|---------------------------------|--------------------|------------------------------|
|
|
142
|
+
| `interactive` | Rich table (first 25 rows) | Yes | Humans in a terminal |
|
|
143
|
+
| `agentic` | JSON, no decoration | No | Scripts, pipelines, AI agents |
|
|
144
|
+
|
|
145
|
+
Switch the persistent default for a profile:
|
|
146
|
+
|
|
147
|
+
```bash
|
|
148
|
+
qualys-cli mode # show current
|
|
149
|
+
qualys-cli mode agentic # set agentic
|
|
150
|
+
qualys-cli mode interactive # set interactive
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
Or set per-shell with `export QUALYS_OUTPUT_MODE=agentic`.
|
|
154
|
+
|
|
155
|
+
### Per-command output flags
|
|
156
|
+
|
|
157
|
+
These work on every command and override the mode default:
|
|
158
|
+
|
|
159
|
+
| Flag | Behaviour |
|
|
160
|
+
|-------------------------------|----------------------------------------------------------------|
|
|
161
|
+
| `--format json` | Full JSON to stdout |
|
|
162
|
+
| `--format jsonl` | One flattened JSON object per line (JSON Lines / NDJSON) |
|
|
163
|
+
| `--format yaml` | YAML to stdout |
|
|
164
|
+
| `--format table` | Rich table (forced) |
|
|
165
|
+
| `--limit 0` | Remove the default 25-row cap |
|
|
166
|
+
| `--output-file results.json` | Dump full data to file (extension picks JSON or YAML) |
|
|
167
|
+
| `-v`, `-vv` | Log requests (and response sizes); secrets never logged |
|
|
168
|
+
|
|
169
|
+
## Examples by module
|
|
170
|
+
|
|
171
|
+
### VM (Vulnerability Management)
|
|
172
|
+
```bash
|
|
173
|
+
qualys-cli vm host list --ips 10.0.0.0/24
|
|
174
|
+
qualys-cli vm host detection --ips 10.0.0.0/24
|
|
175
|
+
qualys-cli vm scan launch --title "Weekly" --ip 10.0.1.0/24 --option-id 12345
|
|
176
|
+
qualys-cli vm scan fetch SCAN-REF-123 --output-file results.json
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
### Patch Management (PM)
|
|
180
|
+
```bash
|
|
181
|
+
qualys-cli pm job list --format json
|
|
182
|
+
qualys-cli pm job create --name "Critical patches" \
|
|
183
|
+
--patch-ids "12345,67890" --asset-group-ids "AG-1"
|
|
184
|
+
qualys-cli pm patch list --severity Critical
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
### Web Application Scanning (WAS)
|
|
188
|
+
```bash
|
|
189
|
+
qualys-cli was webapp list --name "prod"
|
|
190
|
+
qualys-cli was webapp get 12345
|
|
191
|
+
qualys-cli was scan launch --webapp-id 12345 --name "Nightly WAS"
|
|
192
|
+
qualys-cli was finding list --webapp-id 12345 --severity 5
|
|
193
|
+
qualys-cli was report download 99999 --output-file was-report.pdf
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
### TotalCloud (TC) — CSPM
|
|
197
|
+
```bash
|
|
198
|
+
qualys-cli tc connector list --provider AWS
|
|
199
|
+
qualys-cli tc evaluation list --provider AWS --account-id 123456789012
|
|
200
|
+
qualys-cli tc rule list --cloud-type AWS --rule-type simple_alert
|
|
201
|
+
qualys-cli tc exception list
|
|
202
|
+
```
|
|
203
|
+
|
|
204
|
+
### Cloud Agent (CA), Container Security (CS), CSAM
|
|
205
|
+
```bash
|
|
206
|
+
qualys-cli ca agent list --status Active
|
|
207
|
+
qualys-cli ca actkey create --title "Linux Prod" --modules VM,PC
|
|
208
|
+
|
|
209
|
+
qualys-cli cs image list --filter "vulns.severity5Count:>0"
|
|
210
|
+
qualys-cli cs image get <sha>
|
|
211
|
+
qualys-cli cs container list --severity Critical
|
|
212
|
+
|
|
213
|
+
qualys-cli csam asset list --updated-after 2026-01-01T00:00Z
|
|
214
|
+
qualys-cli csam vuln list-easm --filter "vulnerability.cvss=GREATER=7"
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
### Subscription, Asset, User
|
|
218
|
+
```bash
|
|
219
|
+
qualys-cli sub info
|
|
220
|
+
qualys-cli sub export --output-file sub-backup.xml
|
|
221
|
+
qualys-cli asset ip add --ips 10.0.0.0/24 --tracking-method IP
|
|
222
|
+
qualys-cli user create --username jdoe --first-name Jane --last-name Doe \
|
|
223
|
+
--email jane@example.com --user-role scanner
|
|
224
|
+
```
|
|
225
|
+
|
|
226
|
+
Tip: append `--help` to any command (e.g. `qualys-cli was scan launch --help`)
|
|
227
|
+
for the full flag set.
|
|
228
|
+
|
|
229
|
+
## Documentation
|
|
230
|
+
|
|
231
|
+
A comprehensive usage reference with all 273 endpoints is included in the package:
|
|
232
|
+
- **Source install**: `docs/usage.html` in the repository
|
|
233
|
+
- **Pip install**: Located in your Python environment's `share/qualys-cli/docs/usage.html`
|
|
234
|
+
|
|
235
|
+
To find it after installation:
|
|
236
|
+
```bash
|
|
237
|
+
python -c "import sys; print(sys.prefix + '/share/qualys-cli/docs/usage.html')"
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
## LLM / agent usage
|
|
241
|
+
|
|
242
|
+
The CLI is built to be safe to drive from a script or an AI agent:
|
|
243
|
+
|
|
244
|
+
```bash
|
|
245
|
+
# JSON output (set agentic mode persistently, or use --format json per call)
|
|
246
|
+
qualys-cli mode agentic
|
|
247
|
+
qualys-cli vm host list | jq '.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST'
|
|
248
|
+
|
|
249
|
+
# JSON Lines — one record per line, ideal for streaming
|
|
250
|
+
qualys-cli pm job list --format jsonl | jq -r '.id'
|
|
251
|
+
|
|
252
|
+
# Errors emitted as JSON on stderr when stderr is not a TTY
|
|
253
|
+
qualys-cli --profile nonexistent vm host list 2>/tmp/err.json
|
|
254
|
+
# {"error": "No username for profile 'nonexistent'...", "type": "configuration_error"}
|
|
255
|
+
```
|
|
256
|
+
|
|
257
|
+
**Behaviour contract for agents:**
|
|
258
|
+
- `stdout` contains only data (JSON / JSONL / YAML / table text).
|
|
259
|
+
- `stderr` carries status, spinners, and human-readable errors. All decoration
|
|
260
|
+
is suppressed when stderr is not a TTY.
|
|
261
|
+
- Exit code `0` = success, `1` = any error.
|
|
262
|
+
- When stderr is not a TTY, errors are emitted as
|
|
263
|
+
`{"error": "...", "type": "..."}` JSON.
|
|
264
|
+
|
|
265
|
+
## Authentication
|
|
266
|
+
|
|
267
|
+
| Module group | Auth | Endpoint family |
|
|
268
|
+
|----------------------------------------------|-------------|----------------------------------|
|
|
269
|
+
| VM, PC, Asset, User, ScanAuth, Sub, WAS | HTTP Basic | `/api/2.0/fo/`, `/qps/rest/` |
|
|
270
|
+
| TC, PM, ETM, CS, CSAM | JWT Bearer | API gateway (`/csapi/`, `/etm/`) |
|
|
271
|
+
| CA agent ops | HTTP Basic | `/qps/rest/` |
|
|
272
|
+
| CA activation-key / config | JWT Bearer | `/caui/v1/` |
|
|
273
|
+
|
|
274
|
+
JWT tokens are fetched via `POST /auth`, cached in `config.toml`, and
|
|
275
|
+
auto-refreshed on 401.
|
|
276
|
+
|
|
277
|
+
## Development
|
|
278
|
+
|
|
279
|
+
```bash
|
|
280
|
+
uv sync
|
|
281
|
+
uv run pytest # tests
|
|
282
|
+
uv run ruff check src/ # lint
|
|
283
|
+
uv run mypy src/ # type check
|
|
284
|
+
uv run qualys-cli --help # smoke
|
|
285
|
+
uv build # build sdist + wheel into dist/
|
|
286
|
+
```
|
|
287
|
+
|
|
288
|
+
### Regenerating commands from Qualys docs
|
|
289
|
+
|
|
290
|
+
The codegen pipeline is opt-in via the `codegen` extra (it pulls in
|
|
291
|
+
`anthropic`, `trafilatura`, `selectolax`, `pypdf`):
|
|
292
|
+
|
|
293
|
+
```bash
|
|
294
|
+
uv sync --extra codegen
|
|
295
|
+
export ANTHROPIC_API_KEY=sk-ant-...
|
|
296
|
+
uv run scripts/ingest_docs.py # cache HTML pages
|
|
297
|
+
uv run scripts/extract_endpoints.py # LLM extraction → api-model.json
|
|
298
|
+
uv run scripts/generate_commands.py # regenerate commands/*.py
|
|
299
|
+
```
|
|
300
|
+
|
|
301
|
+
Generated files are marked with `# Auto-generated from api-model.json` and are
|
|
302
|
+
safe to overwrite. Files without that header are treated as hand-edited and
|
|
303
|
+
left alone.
|
|
304
|
+
|
|
305
|
+
## Releasing
|
|
306
|
+
|
|
307
|
+
Releases are published to PyPI by GitHub Actions on a tag push:
|
|
308
|
+
|
|
309
|
+
```bash
|
|
310
|
+
# Bump version in pyproject.toml, update CHANGELOG.md, commit
|
|
311
|
+
git tag v0.1.1 && git push --tags
|
|
312
|
+
```
|
|
313
|
+
|
|
314
|
+
PyPI publishing uses Trusted Publishing (OIDC) — no API token is stored.
|
|
315
|
+
Configure once at https://pypi.org/manage/project/qualys-cli/settings/publishing/.
|
|
316
|
+
|
|
317
|
+
## License
|
|
318
|
+
|
|
319
|
+
[MIT](LICENSE)
|