qualys-cli 0.1.1__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (66) hide show
  1. qualys_cli-0.1.1/.gitignore +40 -0
  2. qualys_cli-0.1.1/CHANGELOG.md +107 -0
  3. qualys_cli-0.1.1/LICENSE +21 -0
  4. qualys_cli-0.1.1/PKG-INFO +319 -0
  5. qualys_cli-0.1.1/README.md +252 -0
  6. qualys_cli-0.1.1/docs/usage.html +1230 -0
  7. qualys_cli-0.1.1/pyproject.toml +178 -0
  8. qualys_cli-0.1.1/src/qualys_cli/__init__.py +1 -0
  9. qualys_cli-0.1.1/src/qualys_cli/__main__.py +8 -0
  10. qualys_cli-0.1.1/src/qualys_cli/audit.py +616 -0
  11. qualys_cli-0.1.1/src/qualys_cli/auth.py +187 -0
  12. qualys_cli-0.1.1/src/qualys_cli/cache.py +123 -0
  13. qualys_cli-0.1.1/src/qualys_cli/cli.py +1168 -0
  14. qualys_cli-0.1.1/src/qualys_cli/client.py +1043 -0
  15. qualys_cli-0.1.1/src/qualys_cli/commands/__init__.py +0 -0
  16. qualys_cli-0.1.1/src/qualys_cli/commands/asset.py +183 -0
  17. qualys_cli-0.1.1/src/qualys_cli/commands/ca.py +403 -0
  18. qualys_cli-0.1.1/src/qualys_cli/commands/cs.py +410 -0
  19. qualys_cli-0.1.1/src/qualys_cli/commands/csam.py +752 -0
  20. qualys_cli-0.1.1/src/qualys_cli/commands/etm.py +170 -0
  21. qualys_cli-0.1.1/src/qualys_cli/commands/pc.py +255 -0
  22. qualys_cli-0.1.1/src/qualys_cli/commands/pm.py +412 -0
  23. qualys_cli-0.1.1/src/qualys_cli/commands/scanauth.py +291 -0
  24. qualys_cli-0.1.1/src/qualys_cli/commands/sub.py +163 -0
  25. qualys_cli-0.1.1/src/qualys_cli/commands/tc.py +539 -0
  26. qualys_cli-0.1.1/src/qualys_cli/commands/user.py +104 -0
  27. qualys_cli-0.1.1/src/qualys_cli/commands/vm.py +562 -0
  28. qualys_cli-0.1.1/src/qualys_cli/commands/was.py +1278 -0
  29. qualys_cli-0.1.1/src/qualys_cli/config.py +331 -0
  30. qualys_cli-0.1.1/src/qualys_cli/extras.py +702 -0
  31. qualys_cli-0.1.1/src/qualys_cli/flair.py +202 -0
  32. qualys_cli-0.1.1/src/qualys_cli/formatters.py +896 -0
  33. qualys_cli-0.1.1/src/qualys_cli/history.py +133 -0
  34. qualys_cli-0.1.1/src/qualys_cli/http_server.py +126 -0
  35. qualys_cli-0.1.1/src/qualys_cli/mcp_server.py +341 -0
  36. qualys_cli-0.1.1/src/qualys_cli/metrics.py +106 -0
  37. qualys_cli-0.1.1/src/qualys_cli/platforms.py +67 -0
  38. qualys_cli-0.1.1/src/qualys_cli/queries.py +137 -0
  39. qualys_cli-0.1.1/tests/__init__.py +0 -0
  40. qualys_cli-0.1.1/tests/conftest.py +43 -0
  41. qualys_cli-0.1.1/tests/test_agent_mode.py +199 -0
  42. qualys_cli-0.1.1/tests/test_all_commands_smoke.py +328 -0
  43. qualys_cli-0.1.1/tests/test_asset.py +120 -0
  44. qualys_cli-0.1.1/tests/test_audit.py +276 -0
  45. qualys_cli-0.1.1/tests/test_ca.py +257 -0
  46. qualys_cli-0.1.1/tests/test_client.py +77 -0
  47. qualys_cli-0.1.1/tests/test_csam.py +378 -0
  48. qualys_cli-0.1.1/tests/test_error_handling.py +131 -0
  49. qualys_cli-0.1.1/tests/test_etm.py +186 -0
  50. qualys_cli-0.1.1/tests/test_features.py +590 -0
  51. qualys_cli-0.1.1/tests/test_flair.py +120 -0
  52. qualys_cli-0.1.1/tests/test_formatters.py +338 -0
  53. qualys_cli-0.1.1/tests/test_global_flags.py +342 -0
  54. qualys_cli-0.1.1/tests/test_help.py +102 -0
  55. qualys_cli-0.1.1/tests/test_high_fixes.py +393 -0
  56. qualys_cli-0.1.1/tests/test_main.py +28 -0
  57. qualys_cli-0.1.1/tests/test_med_fixes.py +272 -0
  58. qualys_cli-0.1.1/tests/test_pc.py +159 -0
  59. qualys_cli-0.1.1/tests/test_pm.py +57 -0
  60. qualys_cli-0.1.1/tests/test_resiliency.py +270 -0
  61. qualys_cli-0.1.1/tests/test_scanauth.py +184 -0
  62. qualys_cli-0.1.1/tests/test_security_fixes.py +366 -0
  63. qualys_cli-0.1.1/tests/test_sub.py +137 -0
  64. qualys_cli-0.1.1/tests/test_tc.py +319 -0
  65. qualys_cli-0.1.1/tests/test_user.py +107 -0
  66. qualys_cli-0.1.1/tests/test_vm.py +182 -0
@@ -0,0 +1,40 @@
1
+ .venv/
2
+ .install-check/
3
+ __pycache__/
4
+ *.pyc
5
+ *.pyo
6
+ .cache/
7
+ dist/
8
+ build/
9
+ *.egg-info/
10
+ .mypy_cache/
11
+ .ruff_cache/
12
+ .pytest_cache/
13
+ .coverage
14
+ .coverage.*
15
+ htmlcov/
16
+ coverage.xml
17
+ .tox/
18
+
19
+ # IDE
20
+ .idea/
21
+ .vscode/
22
+ *.swp
23
+ *.swo
24
+
25
+ # OS
26
+ .DS_Store
27
+ Thumbs.db
28
+
29
+ # Env / secrets
30
+ .env
31
+ .env.*
32
+ !.env.example
33
+
34
+ # Development / internal files (not for PyPI)
35
+ CLAUDE.md
36
+ .claude/
37
+ user-prefs-export.xml
38
+ api-model.json
39
+ docs/design.md
40
+ packaging/
@@ -0,0 +1,107 @@
1
+ # Changelog
2
+
3
+ All notable changes to `qualys-cli` are documented here. Format follows
4
+ [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the project adheres
5
+ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
6
+
7
+ ## [Unreleased]
8
+
9
+ ## [0.1.1] — 2026-07-08
10
+
11
+ ### Security
12
+ - `locked_mode` is now actually enforced (previously documented but a no-op):
13
+ refuses free-form `--output-file` writes, suppresses `-v`/`-vv` request
14
+ logging, and refuses to run against a profile that still has a plaintext
15
+ password in `config.toml`.
16
+ - Fixed a path-traversal vulnerability in command history (`--profile` /
17
+ `qualys-cli replay <correlation_id>`) that could read or write files outside
18
+ the history directory.
19
+ - Removed the wildcard `Access-Control-Allow-Origin: *` CORS header from the
20
+ local `qualys-cli serve` HTTP server — it allowed any website open in the
21
+ operator's browser to drive `POST /run` (arbitrary command execution)
22
+ cross-origin.
23
+ - `qualys-cli configure`: a failed/unavailable OS keyring write no longer
24
+ silently loses the password. It now falls back to plaintext storage in
25
+ `config.toml` with an explicit warning (previously the credential was
26
+ stored nowhere and auth failed on the next command with a confusing error).
27
+ - `--password` on `qualys-cli configure` now warns that passing secrets as a
28
+ CLI flag can leak via shell history / `ps`; prefer the interactive prompt
29
+ or `QUALYS_PASSWORD`.
30
+ - Tightened the POST-retry heuristic so mutating endpoints that happen to
31
+ contain `/search/` or `/count/` in their path (e.g. `.../search/reset`,
32
+ `.../count/purge`) are no longer auto-retried as if they were idempotent.
33
+
34
+ ### Fixed
35
+ - `pc scan-schedule list` / `delete`: corrected endpoint from
36
+ `/api/2.0/fo/schedule/compliance/` to `/api/2.0/fo/schedule/scan/compliance/`.
37
+ - `pc option-profile list`: corrected endpoint from
38
+ `/api/2.0/fo/subscription/option_profile/compliance/` to
39
+ `.../option_profile/pc/`.
40
+ - `tc evaluation list`: now requires `--account-id` and targets
41
+ `/cloudview-api/rest/v1/{provider}/evaluations/{accountId}` per the API spec
42
+ (the previous unparameterised path returned 404).
43
+ - `pm job get` / `runs` / `summary` / `create` / `update`: corrected to use the
44
+ documented `/pm/v1/deploymentjob/...` (singular) family. `update` switched
45
+ from PUT to PATCH at `/pm/v1/deploymentjob/update/{id}`. `summary` now hits
46
+ `.../{id}/deploymentjobresult/summary`.
47
+ - `pm job change-status`: rewritten to match
48
+ `POST /pm/v1/deploymentjobs/update/status/{Enabled|Disabled}` with `jobIds`
49
+ body — accepts a comma-separated list of job IDs and an action argument.
50
+ - `csam domain count`: switched from GET to POST and added optional
51
+ `--type` / `--filter-type` per the documented body parameters.
52
+ - `csam org count`: added missing `--format` / `--output-file` flags so
53
+ `--format json` no longer rejects the option.
54
+ - `was scan status`: added missing `--format` / `--output-file` flags.
55
+ - `batch --output-file` to a path with a missing parent directory now creates
56
+ the directory (or fails cleanly) instead of crashing with an unhandled
57
+ `OSError`.
58
+
59
+ ### Changed
60
+ - `vm kb list` now requires at least one scoping flag
61
+ (`--ids`, `--id-min`/`--id-max`, `--cve`, `--published-after`, or
62
+ `--last-modified-after`). The unfiltered KnowledgeBase exceeded the request
63
+ read timeout and the in-memory body cap.
64
+ - `pc posture list`: `--policy-id` is now required (the API mandates it; the
65
+ previous behaviour surfaced a backend error).
66
+
67
+ ## [0.1.0] — 2026-05-02
68
+
69
+ Initial public release.
70
+
71
+ ### Added
72
+ - Coverage of 273 Qualys REST endpoints across modules: VM, PC, PM, ETM, WAS,
73
+ TotalCloud (TC), Cloud Agent (CA), Container Security (CS), CSAM, Asset, User,
74
+ Subscription (Sub), Scan Auth.
75
+ - Dual auth: HTTP Basic and JWT Bearer, selected per-command. JWT tokens are
76
+ fetched via `/auth` and cached in the local config file; refreshed on 401.
77
+ - API gateway routing: PM, ETM, CS, CSAM, TC, and CA config commands target
78
+ the regional gateway URL automatically.
79
+ - Profile system with credentials resolved from env vars → OS keyring →
80
+ `~/.config/qualys-cli/config.toml`. Multiple named profiles supported via
81
+ `--profile` or `QUALYS_PROFILE`.
82
+ - Platform auto-detection from username — sets API and gateway URLs based on
83
+ the user's Qualys POD without manual configuration.
84
+ - Output modes: `interactive` (rich tables + colours) and `agentic` (JSON, no
85
+ decoration) — switchable via `qualys-cli mode <mode>` or
86
+ `QUALYS_OUTPUT_MODE`. Per-command overrides via `--format json|jsonl|yaml|table`.
87
+ - Bulk export to file via `--output-file` (JSON / YAML auto-detected from
88
+ extension); table still rendered to terminal.
89
+ - Pagination helpers for both Qualys QPS XML cursor responses and JSON
90
+ page-numbered APIs.
91
+ - Automatic retry with exponential backoff on connection errors and 5xx; honours
92
+ `Retry-After` on 429.
93
+ - Structured error extraction from XML (`SIMPLE_RETURN`, `ServiceResponse`) and
94
+ JSON error bodies. Errors emitted as JSON on stderr when stderr is not a TTY.
95
+ - `-v` / `-vv` request logging (secrets never logged).
96
+ - `qualys-cli configure` interactive wizard and `qualys-cli profiles` listing.
97
+
98
+ ### Internal
99
+ - 30 unit tests covering client, formatters, agent mode, and PM smoke tests.
100
+ - Strict mypy on core modules (`client`, `config`, `formatters`, `auth`,
101
+ `platforms`); relaxed on auto-generated command modules.
102
+ - Ruff lint clean (E, F, I, UP, B, C4, SIM rule sets).
103
+ - Codegen pipeline (`scripts/`) is opt-in via the `codegen` extra.
104
+
105
+ [Unreleased]: https://github.com/qualys/qualys-cli/compare/v0.1.1...HEAD
106
+ [0.1.1]: https://github.com/qualys/qualys-cli/compare/v0.1.0...v0.1.1
107
+ [0.1.0]: https://github.com/qualys/qualys-cli/releases/tag/v0.1.0
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 qualys-cli contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,319 @@
1
+ Metadata-Version: 2.4
2
+ Name: qualys-cli
3
+ Version: 0.1.1
4
+ Summary: Command-line interface for the Qualys REST APIs (VM, PC, PM, ETM, WAS, TC, CA, CS, CSAM, Sub, Asset, User).
5
+ Project-URL: Homepage, https://github.com/qualys/qualys-cli
6
+ Project-URL: Documentation, https://github.com/qualys/qualys-cli#readme
7
+ Project-URL: Issues, https://github.com/qualys/qualys-cli/issues
8
+ Project-URL: Changelog, https://github.com/qualys/qualys-cli/blob/main/CHANGELOG.md
9
+ Author: qualys-cli contributors
10
+ License: MIT License
11
+
12
+ Copyright (c) 2026 qualys-cli contributors
13
+
14
+ Permission is hereby granted, free of charge, to any person obtaining a copy
15
+ of this software and associated documentation files (the "Software"), to deal
16
+ in the Software without restriction, including without limitation the rights
17
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
18
+ copies of the Software, and to permit persons to whom the Software is
19
+ furnished to do so, subject to the following conditions:
20
+
21
+ The above copyright notice and this permission notice shall be included in all
22
+ copies or substantial portions of the Software.
23
+
24
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
25
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
26
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
27
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
28
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
29
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30
+ SOFTWARE.
31
+ License-File: LICENSE
32
+ Keywords: cli,cspm,patch-management,qualys,security,vm,vulnerability-management
33
+ Classifier: Development Status :: 4 - Beta
34
+ Classifier: Environment :: Console
35
+ Classifier: Intended Audience :: Information Technology
36
+ Classifier: Intended Audience :: System Administrators
37
+ Classifier: License :: OSI Approved :: MIT License
38
+ Classifier: Operating System :: MacOS
39
+ Classifier: Operating System :: Microsoft :: Windows
40
+ Classifier: Operating System :: POSIX
41
+ Classifier: Programming Language :: Python :: 3
42
+ Classifier: Programming Language :: Python :: 3 :: Only
43
+ Classifier: Programming Language :: Python :: 3.11
44
+ Classifier: Programming Language :: Python :: 3.12
45
+ Classifier: Programming Language :: Python :: 3.13
46
+ Classifier: Topic :: Security
47
+ Classifier: Topic :: System :: Systems Administration
48
+ Classifier: Topic :: Utilities
49
+ Requires-Python: >=3.11
50
+ Requires-Dist: brotli>=1.1
51
+ Requires-Dist: click>=8.1
52
+ Requires-Dist: httpx>=0.27
53
+ Requires-Dist: keyring>=24
54
+ Requires-Dist: pyyaml>=6
55
+ Requires-Dist: rich>=13
56
+ Requires-Dist: typer<0.26,>=0.12
57
+ Requires-Dist: xmltodict>=0.13
58
+ Requires-Dist: zstandard>=0.22
59
+ Provides-Extra: codegen
60
+ Requires-Dist: anthropic>=0.30; extra == 'codegen'
61
+ Requires-Dist: defusedxml>=0.7; extra == 'codegen'
62
+ Requires-Dist: pydantic>=2; extra == 'codegen'
63
+ Requires-Dist: pypdf>=4; extra == 'codegen'
64
+ Requires-Dist: selectolax>=0.3; extra == 'codegen'
65
+ Requires-Dist: trafilatura>=1.9; extra == 'codegen'
66
+ Description-Content-Type: text/markdown
67
+
68
+ # qualys-cli
69
+
70
+ [![CI](https://github.com/qualys/qualys-cli/actions/workflows/ci.yml/badge.svg)](https://github.com/qualys/qualys-cli/actions/workflows/ci.yml)
71
+ [![PyPI](https://img.shields.io/pypi/v/qualys-cli.svg)](https://pypi.org/project/qualys-cli/)
72
+ [![Python](https://img.shields.io/pypi/pyversions/qualys-cli.svg)](https://pypi.org/project/qualys-cli/)
73
+ [![License](https://img.shields.io/pypi/l/qualys-cli.svg)](LICENSE)
74
+
75
+ A unified command-line interface for the Qualys REST APIs — covering VM, PC,
76
+ Patch Management, ETM, WAS, TotalCloud (TC), Cloud Agent (CA), Container
77
+ Security (CS), CSAM, Subscription, Asset, and User management. Rich table
78
+ output, JSON / YAML / JSONL export, automatic retry with backoff, JWT auto-
79
+ refresh, OS-keyring credential storage, and a clean machine-readable mode for
80
+ scripting and AI agents.
81
+
82
+ ```text
83
+ ╭─────────────────────────────────────────────────╮
84
+ │ qualys-cli · 273 endpoints, one CLI │
85
+ │ vm · pc · pm · etm · was · tc · ca · cs │
86
+ │ csam · sub · asset · user · scanauth │
87
+ ╰─────────────────────────────────────────────────╯
88
+ ```
89
+
90
+ ## Install
91
+
92
+ ```bash
93
+ # End user (recommended)
94
+ pipx install qualys-cli
95
+
96
+ # Or from source
97
+ pipx install git+https://github.com/qualys/qualys-cli
98
+
99
+ # Development
100
+ git clone https://github.com/qualys/qualys-cli && cd qualys-cli
101
+ uv sync
102
+ uv run qualys-cli --help
103
+ ```
104
+
105
+ Python 3.11+ required. Works on macOS, Linux, and Windows.
106
+
107
+ ## Quick start
108
+
109
+ ```bash
110
+ # 1. Configure credentials (interactive — password stored in OS keyring)
111
+ qualys-cli configure
112
+
113
+ # 2. Run any command
114
+ qualys-cli vm host list --limit 10
115
+ qualys-cli was webapp list
116
+ qualys-cli pm job list --format json
117
+ ```
118
+
119
+ ### Non-interactive setup (CI / Docker)
120
+
121
+ ```bash
122
+ qualys-cli configure \
123
+ --url https://qualysapi.qualys.com \
124
+ --username "$QUALYS_USERNAME" \
125
+ --password "$QUALYS_PASSWORD" \
126
+ --output-mode agentic
127
+ ```
128
+
129
+ Credentials resolve in this priority order:
130
+ 1. `QUALYS_URL` / `QUALYS_USERNAME` / `QUALYS_PASSWORD` / `QUALYS_TOKEN` env vars
131
+ 2. OS keyring (per-profile entry)
132
+ 3. `~/.config/qualys-cli/config.toml`
133
+
134
+ Multiple profiles via `--profile <name>` or `QUALYS_PROFILE`. List with `qualys-cli profiles`.
135
+
136
+ ## Output modes
137
+
138
+ The CLI has two top-level modes that govern the *default* output style:
139
+
140
+ | Mode | Default output | Spinners / colours | Use case |
141
+ |---------------|---------------------------------|--------------------|------------------------------|
142
+ | `interactive` | Rich table (first 25 rows) | Yes | Humans in a terminal |
143
+ | `agentic` | JSON, no decoration | No | Scripts, pipelines, AI agents |
144
+
145
+ Switch the persistent default for a profile:
146
+
147
+ ```bash
148
+ qualys-cli mode # show current
149
+ qualys-cli mode agentic # set agentic
150
+ qualys-cli mode interactive # set interactive
151
+ ```
152
+
153
+ Or set per-shell with `export QUALYS_OUTPUT_MODE=agentic`.
154
+
155
+ ### Per-command output flags
156
+
157
+ These work on every command and override the mode default:
158
+
159
+ | Flag | Behaviour |
160
+ |-------------------------------|----------------------------------------------------------------|
161
+ | `--format json` | Full JSON to stdout |
162
+ | `--format jsonl` | One flattened JSON object per line (JSON Lines / NDJSON) |
163
+ | `--format yaml` | YAML to stdout |
164
+ | `--format table` | Rich table (forced) |
165
+ | `--limit 0` | Remove the default 25-row cap |
166
+ | `--output-file results.json` | Dump full data to file (extension picks JSON or YAML) |
167
+ | `-v`, `-vv` | Log requests (and response sizes); secrets never logged |
168
+
169
+ ## Examples by module
170
+
171
+ ### VM (Vulnerability Management)
172
+ ```bash
173
+ qualys-cli vm host list --ips 10.0.0.0/24
174
+ qualys-cli vm host detection --ips 10.0.0.0/24
175
+ qualys-cli vm scan launch --title "Weekly" --ip 10.0.1.0/24 --option-id 12345
176
+ qualys-cli vm scan fetch SCAN-REF-123 --output-file results.json
177
+ ```
178
+
179
+ ### Patch Management (PM)
180
+ ```bash
181
+ qualys-cli pm job list --format json
182
+ qualys-cli pm job create --name "Critical patches" \
183
+ --patch-ids "12345,67890" --asset-group-ids "AG-1"
184
+ qualys-cli pm patch list --severity Critical
185
+ ```
186
+
187
+ ### Web Application Scanning (WAS)
188
+ ```bash
189
+ qualys-cli was webapp list --name "prod"
190
+ qualys-cli was webapp get 12345
191
+ qualys-cli was scan launch --webapp-id 12345 --name "Nightly WAS"
192
+ qualys-cli was finding list --webapp-id 12345 --severity 5
193
+ qualys-cli was report download 99999 --output-file was-report.pdf
194
+ ```
195
+
196
+ ### TotalCloud (TC) — CSPM
197
+ ```bash
198
+ qualys-cli tc connector list --provider AWS
199
+ qualys-cli tc evaluation list --provider AWS --account-id 123456789012
200
+ qualys-cli tc rule list --cloud-type AWS --rule-type simple_alert
201
+ qualys-cli tc exception list
202
+ ```
203
+
204
+ ### Cloud Agent (CA), Container Security (CS), CSAM
205
+ ```bash
206
+ qualys-cli ca agent list --status Active
207
+ qualys-cli ca actkey create --title "Linux Prod" --modules VM,PC
208
+
209
+ qualys-cli cs image list --filter "vulns.severity5Count:>0"
210
+ qualys-cli cs image get <sha>
211
+ qualys-cli cs container list --severity Critical
212
+
213
+ qualys-cli csam asset list --updated-after 2026-01-01T00:00Z
214
+ qualys-cli csam vuln list-easm --filter "vulnerability.cvss=GREATER=7"
215
+ ```
216
+
217
+ ### Subscription, Asset, User
218
+ ```bash
219
+ qualys-cli sub info
220
+ qualys-cli sub export --output-file sub-backup.xml
221
+ qualys-cli asset ip add --ips 10.0.0.0/24 --tracking-method IP
222
+ qualys-cli user create --username jdoe --first-name Jane --last-name Doe \
223
+ --email jane@example.com --user-role scanner
224
+ ```
225
+
226
+ Tip: append `--help` to any command (e.g. `qualys-cli was scan launch --help`)
227
+ for the full flag set.
228
+
229
+ ## Documentation
230
+
231
+ A comprehensive usage reference with all 273 endpoints is included in the package:
232
+ - **Source install**: `docs/usage.html` in the repository
233
+ - **Pip install**: Located in your Python environment's `share/qualys-cli/docs/usage.html`
234
+
235
+ To find it after installation:
236
+ ```bash
237
+ python -c "import sys; print(sys.prefix + '/share/qualys-cli/docs/usage.html')"
238
+ ```
239
+
240
+ ## LLM / agent usage
241
+
242
+ The CLI is built to be safe to drive from a script or an AI agent:
243
+
244
+ ```bash
245
+ # JSON output (set agentic mode persistently, or use --format json per call)
246
+ qualys-cli mode agentic
247
+ qualys-cli vm host list | jq '.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST'
248
+
249
+ # JSON Lines — one record per line, ideal for streaming
250
+ qualys-cli pm job list --format jsonl | jq -r '.id'
251
+
252
+ # Errors emitted as JSON on stderr when stderr is not a TTY
253
+ qualys-cli --profile nonexistent vm host list 2>/tmp/err.json
254
+ # {"error": "No username for profile 'nonexistent'...", "type": "configuration_error"}
255
+ ```
256
+
257
+ **Behaviour contract for agents:**
258
+ - `stdout` contains only data (JSON / JSONL / YAML / table text).
259
+ - `stderr` carries status, spinners, and human-readable errors. All decoration
260
+ is suppressed when stderr is not a TTY.
261
+ - Exit code `0` = success, `1` = any error.
262
+ - When stderr is not a TTY, errors are emitted as
263
+ `{"error": "...", "type": "..."}` JSON.
264
+
265
+ ## Authentication
266
+
267
+ | Module group | Auth | Endpoint family |
268
+ |----------------------------------------------|-------------|----------------------------------|
269
+ | VM, PC, Asset, User, ScanAuth, Sub, WAS | HTTP Basic | `/api/2.0/fo/`, `/qps/rest/` |
270
+ | TC, PM, ETM, CS, CSAM | JWT Bearer | API gateway (`/csapi/`, `/etm/`) |
271
+ | CA agent ops | HTTP Basic | `/qps/rest/` |
272
+ | CA activation-key / config | JWT Bearer | `/caui/v1/` |
273
+
274
+ JWT tokens are fetched via `POST /auth`, cached in `config.toml`, and
275
+ auto-refreshed on 401.
276
+
277
+ ## Development
278
+
279
+ ```bash
280
+ uv sync
281
+ uv run pytest # tests
282
+ uv run ruff check src/ # lint
283
+ uv run mypy src/ # type check
284
+ uv run qualys-cli --help # smoke
285
+ uv build # build sdist + wheel into dist/
286
+ ```
287
+
288
+ ### Regenerating commands from Qualys docs
289
+
290
+ The codegen pipeline is opt-in via the `codegen` extra (it pulls in
291
+ `anthropic`, `trafilatura`, `selectolax`, `pypdf`):
292
+
293
+ ```bash
294
+ uv sync --extra codegen
295
+ export ANTHROPIC_API_KEY=sk-ant-...
296
+ uv run scripts/ingest_docs.py # cache HTML pages
297
+ uv run scripts/extract_endpoints.py # LLM extraction → api-model.json
298
+ uv run scripts/generate_commands.py # regenerate commands/*.py
299
+ ```
300
+
301
+ Generated files are marked with `# Auto-generated from api-model.json` and are
302
+ safe to overwrite. Files without that header are treated as hand-edited and
303
+ left alone.
304
+
305
+ ## Releasing
306
+
307
+ Releases are published to PyPI by GitHub Actions on a tag push:
308
+
309
+ ```bash
310
+ # Bump version in pyproject.toml, update CHANGELOG.md, commit
311
+ git tag v0.1.1 && git push --tags
312
+ ```
313
+
314
+ PyPI publishing uses Trusted Publishing (OIDC) — no API token is stored.
315
+ Configure once at https://pypi.org/manage/project/qualys-cli/settings/publishing/.
316
+
317
+ ## License
318
+
319
+ [MIT](LICENSE)