qualys-cli.

A unified command-line interface for the Qualys Cloud Platform — VM, PC, WAS, TotalCloud, Cloud Agent, Container Security, CSAM, Patch, ETM, and more.

27Modules
227Commands
v0.1.0Version
3.12+Python
MITLicense

1 Install

pipx install qualys-cli

2 Configure

qualys-cli configure

3 Run

qualys-cli vm host list

4 Pipe to JSON

qualys-cli mode agentic

Global flags & output modes

Two persistent output modes govern the default rendering: interactive (rich tables, colours, animated cyber-themed spinner — the default) and agentic (clean JSON, no decoration — best for scripts, CI, and AI agents).

Flag / commandWhat it does
qualys-cli modeShow current output mode for the active profile
qualys-cli mode agenticSwitch to agentic (JSON) output persistently
qualys-cli mode interactiveSwitch back to rich-table output
--format json|jsonl|yaml|table|csv|tsv|markdownOne-shot per-command output override. Note: csv, tsv, and markdown auto-uncap (no 25-row truncation) since they're typically piped to spreadsheets / tickets.
--limit 0Remove the default 25-row table cap (table format only — exports already uncap automatically)
--output-file results.jsonDump full data to a file (JSON / YAML / CSV / NDJSON by extension)
--where field=value · field!=v · field~regex · field>=N · field>N · field<=N · field<NPost-filter rows after extraction. Numeric coercion when both sides parse as numbers; field names match case-insensitively (e.g. severity matches SEVERITY).
--columns name,id,statusOverride default table columns
--sort field[:asc|:desc] · --sort-by FIELD [--sort-desc]Sort rows in memory (case-insensitive field match). --sort is the terse form; --sort-by + --sort-desc is the verbose pair.
--jq '.path[].name'jq-lite expression on the parsed payload (dotted keys, [] flatten, [N] index)
--dry-run / --explainPrint the resolved HTTP request and exit (no network I/O)
-v / -vvLog requests and response sizes; secrets and Authorization headers redacted
--profile NAMESelect a named credential profile
--version / -VPrint version and exit
QUALYS_OUTPUT_MODE=agenticPer-shell override for output mode
QUALYS_PROFILE=NAMEPer-shell profile override
QUALYS_URL / QUALYS_GATEWAY_URLOverride platform / gateway URLs (otherwise auto-detected)
QUALYS_USERNAME / QUALYS_PASSWORDPer-shell credential override (no keyring write)
QUALYS_AUDIT_LOG=offDisable audit logging for the current shell
QUALYS_AUDIT_FSYNC=1fsync() each audit line (SIEM-grade durability)
QUALYS_AUDIT_HMAC=0Disable tamper-evident HMAC chaining
QUALYS_TIMEOUT / QUALYS_CONNECT_TIMEOUTPer-call timeouts (seconds)
QUALYS_MAX_RETRIESRetry attempts (default 4)
QUALYS_BACKOFF_BASE / QUALYS_BACKOFF_CAPTune full-jitter backoff window
QUALYS_BODY_LIMIT_BYTESRefuse responses larger than N bytes (default 250 MB)
QUALYS_NO_FLAIR=1Disable the cyber-themed cycling spinner
QUALYS_CACHE=off / QUALYS_CACHE_TTLControl the ETag-aware response cache

Security & resiliency

Every call is wrapped in retry-with-jitter, audit logging with correlation IDs, and a typed exception hierarchy with deterministic exit codes. Secrets never reach disk, logs, or stderr.

Credential storage

Passwords stored in the OS keyring (macOS Keychain / Linux Secret Service / Windows Credential Manager). Config file is 0600.

Secret redaction

Argv, query strings, request bodies, and verbose logs are scrubbed before any persistence. JWT tokens are summarised as a stable jwt:<sha256-prefix> fingerprint.

Audit log (JSONL, HMAC-chained)

Default ~/.config/qualys-cli/audit.log. One JSON object per lifecycle event and HTTP call, each cryptographically chained to the previous via HMAC-SHA-256. qualys-cli verify-audit detects tampering. Size-rotates at 10 MB.

Correlation IDs

Each invocation gets one X-Correlation-ID; each attempt gets an X-Request-ID. Both are sent on the wire and stamped into every audit and error record.

Retry & backoff

Full-jitter exponential backoff on 408, 425, 429, 500, 502, 503, 504, and transport errors. Honours Retry-After on 429/503. JWT auto-refreshes on 401 without consuming the retry budget.

Typed errors

Auth, NotFound, RateLimit, Timeout, Network, Server, Configuration — each with a distinct exit code (3, 4, 5, 6, 6, 7, 2) and a closed-set type in the JSON error payload.

Tunables

Override timeouts and retry behaviour via env: QUALYS_TIMEOUT, QUALYS_CONNECT_TIMEOUT, QUALYS_MAX_RETRIES, QUALYS_BACKOFF_BASE, QUALYS_BACKOFF_CAP, QUALYS_MAX_CONNECTIONS, QUALYS_MAX_KEEPALIVE.

Defensive defaults

Destructive operations require --yes. No telemetry. No update checks. The only outbound traffic is to the configured Qualys platform URL.

Idempotent retries

Only GET / HEAD / DELETE retry by default; POST / PUT / PATCH require explicit opt-in to avoid silent double-submits (vm scan launch never fires twice). Read-shaped /search/ POSTs are auto-detected.

Scope-restricted profiles

allowed_modules in a profile pins it to a subset of API surfaces (e.g. analyst account → vm only). Out-of-scope commands are refused before any HTTP call.

PII redaction

redact_fields in a profile scrubs response payloads before rendering — name, email, ssn, etc. Mirrors the existing argv / body redaction so PII never reaches stdout, logs, or files.

Body-size guard

Refuses to load > 250 MB into memory unless --output-file streams to disk. Prevents OOM on legacy report exports.

Connection-error taxonomy

DNS / TLS / refused / reset / timeout each map to a distinct error class with its own hint, so a misconfigured proxy doesn't masquerade as a credential problem.

Concurrency safety

Per-profile JWT-exchange lock so parallel pagination workers don't clobber each other's tokens. Audit-log writes re-resolve the file handle inside the lock so rotation is safe under high call volume.

Cache hygiene

The local ETag cache only stores 200 OK responses with non-empty bodies. 304 Not Modified serves the previously-cached body without overwriting it; 4xx / 5xx never poison the cache.

Read-only preflight

qualys-cli doctor exchanges a fresh JWT to verify credentials but discards it — running doctor on a cron does NOT mutate config.toml or invalidate other workers' cached tokens.

Bind-anywhere safety

qualys-cli serve refuses non-loopback hosts unless the operator explicitly passes --allow-public-network. The server has no auth on the wire, so this prevents an accidental --host 0.0.0.0 from exposing the CLI to the LAN.

Saved-query safety

Query names are restricted to [A-Za-z0-9_-]+ with a defence-in-depth check that the resolved path stays inside the queries directory. TOML serialisation goes through json.dumps so descriptions / args containing quotes, backslashes, newlines, or Unicode round-trip safely.

MCP & integrations — wire qualys-cli into Claude / Cursor / agents

qualys-cli mcp runs a Model Context Protocol stdio server. Every CLI command is published as an MCP tool whose JSON Schema is generated from its option signature, so Claude Desktop, Cursor, and any MCP-aware agent can drive the full Qualys API surface natively.

No console output by design

MCP servers speak JSON-RPC on stdin / stdout; any extra output would corrupt the protocol. So when you run qualys-cli mcp in a terminal it just sits silently waiting for a client to write a request to stdin. To verify it's alive, paste this and press Enter:

{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}

You should see a single JSON line back. Ctrl-C to exit.

1 · Find the Claude Desktop config file

OSPath
macOS~/Library/Application Support/Claude/claude_desktop_config.json
Windows%APPDATA%\Claude\claude_desktop_config.json
Linux~/.config/Claude/claude_desktop_config.json

2 · Use the absolute path to qualys-cli

Claude Desktop launches MCP servers without a shell, so qualys-cli on PATH won't be found. Resolve the absolute path:

which qualys-cli
# e.g. /Users/you/.local/bin/qualys-cli  (pipx install)
#      /Users/you/repo/.venv/bin/qualys-cli  (uv venv)

3 · Add to claude_desktop_config.json

{
  "mcpServers": {
    "qualys-cli": {
      "command": "/absolute/path/to/qualys-cli",
      "args": ["mcp"],
      "env": {
        "QUALYS_PROFILE": "default",
        "QUALYS_AUDIT_LOG": "/Users/you/.config/qualys-cli/audit.log"
      }
    }
  }
}

If you already have other MCP servers, add the "qualys-cli": {…} entry alongside them inside the existing mcpServers object — don't create a second block.

4 · Fully relaunch Claude Desktop

Cmd-Q (not just close the window) then reopen. Servers are only re-scanned on a full relaunch. In a new chat, click the 🔌 tools icon at the bottom-right of the input box — you should see qualys-cli with ~227 tools listed using underscore-separated names (vm_host_list, csam_asset_list, pm_job_list, csam_vuln_list-easm, …). Anthropic's tool-name validator requires ^[a-zA-Z0-9_-]{1,64}$, so the MCP server uses _ as the path separator (not .); CLI verbs with hyphens such as rotate-jwt are preserved intact.

5 · Troubleshoot via the Claude Desktop logs

tail -f ~/Library/Logs/Claude/mcp*.log
Log / error saysFix
spawn qualys-cli ENOENTUse the absolute path to the binary (step 2).
Error: No username for profile 'default'Run qualys-cli configure once in a terminal so creds land in the keyring, then relaunch Claude.
JSONDecodeError on first frameSomething on stdout is corrupting the protocol. Make sure no print() lurks in a startup hook.
EPIPE on shutdownHarmless — expected when Claude tears the server down.
tools.N.FrontendRemoteMcpToolDefinition.name: String should match pattern '^[a-zA-Z0-9_-]{1,64}$'Upgrade qualys-cli — older builds emitted tool names with dots (vm.host.list); current builds use underscores (vm_host_list) which match Anthropic's validator.
Validator complains about id being null / missing, plus unrecognized_keys: ["error"] on responsesUpgrade qualys-cli — older builds responded to JSON-RPC notifications (e.g. notifications/initialized) with a method-not-found error frame and id: null, which Anthropic's strict validator rejects. Current builds drop notifications silently and only respond to actual requests.

Test before wiring Claude Desktop — use the official MCP inspector

Browse the tool catalogue, fire tools/list and tools/call interactively, and see every JSON-RPC frame on the wire — far easier than tailing logs:

npx @modelcontextprotocol/inspector qualys-cli mcp

Audit trail of MCP-driven calls

The MCP server runs each tool by shelling out to a fresh qualys-cli process in agentic mode, so every Claude-driven invocation lands in the audit log with its own correlation ID — exactly as if a human had typed the command:

tail -f ~/.config/qualys-cli/audit.log | jq .

Cursor & other MCP clients

Cursor's ~/.cursor/mcp.json uses the same shape as Claude Desktop's config — drop in the identical "qualys-cli" entry. Any MCP-aware client (Continue.dev, Cline, Zed AI, custom agents via the @modelcontextprotocol/sdk packages) can drive it too — the JSON-RPC interface is standard.

Alternative — local HTTP bridge

Prefer REST over MCP? qualys-cli serve boots a localhost HTTP server on 127.0.0.1:8765 with three endpoints: GET / (health), GET /tools (catalogue), POST /run (invoke a command). Useful for low-code tools, Postman collections, and dashboards.

No commands match your search

Try a shorter term, or press Esc to clear.

VM

Vulnerability Management

Hosts, scans, knowledgebase, option profiles, reports, schedules, scanner appliances

Basic auth · XML17 commands

scan4

vm scan list
qualys-cli vm scan list

List VM scans.

Qualys API doc ↗
qualys-cli vm scan list
Options  ·  9 optional
  • --state
    TEXT
    Running|Paused|Cancelled|Finished|Error|Queued|Loading
    Allowed Running Paused Cancelled Finished Error Queued Loading
  • --type
    TEXT
    On-Demand|Scheduled|API
    Allowed On-Demand Scheduled API
  • --target
    TEXT
    Target IP/range
  • --launched-after
    TEXT
    Datetime YYYY-MM-DD
  • --limit -n
    INTEGER
    Default 25
  • --all
    FLAG
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
vm scan launch
qualys-cli vm scan launch

Launch a VM scan.

Qualys API doc ↗
qualys-cli vm scan launch --title VALUE --ip VALUE
Options  ·  2 required · + 2 required (one-of) · 7 optional
One-of required: --option-id --option-title — pass at least one
  • --title
    TEXT required
    Scan title
  • --ip
    TEXT required
    Target IP(s), ranges or network IDs
  • --option-id
    TEXT required (one-of)
    Option profile ID (required if --option-title not given)
  • --option-title
    TEXT required (one-of)
    Option profile title (required if --option-id not given)
  • --scanner
    TEXT
    Scanner appliance name(s), comma-separated
  • --asset-groups
    TEXT
    Asset group IDs, comma-separated (alternative to --ip)
  • --asset-group-ids
    TEXT
    Asset group IDs by name, comma-separated
  • --priority
    INTEGER
    0 (no priority) – 9 (emergency)
  • --ip-network-id
    TEXT
    Network ID for the target IPs
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
vm scan cancel
qualys-cli vm scan cancel

Cancel a running scan.

Qualys API doc ↗
qualys-cli vm scan cancel <scan-ref>
Options  ·  1 required · 1 optional
  • SCAN_REF
    TEXT required positional
    Scan reference (scan/1234567890.12345)
  • --verbose -v
    FLAG (repeatable)
vm scan fetch
qualys-cli vm scan fetch

Fetch scan results (downloads XML to file).

Qualys API doc ↗
qualys-cli vm scan fetch <scan-ref>
Options  ·  1 required · 2 optional
  • SCAN_REF
    TEXT required positional
    Scan reference
  • --output-file -o
    TEXT
    Default scan-results.xml
  • --verbose -v
    FLAG (repeatable)

host2

vm host list
qualys-cli vm host list

List hosts in the asset inventory.

Qualys API doc ↗
qualys-cli vm host list
Options  ·  8 optional
  • --ips
    TEXT
    Comma-separated IPs or ranges
  • --ag-ids
    TEXT
    Asset group IDs
  • --os
    TEXT
    OS regex pattern
  • --limit -n
    INTEGER
    Default 25
  • --all
    FLAG
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
vm host detection
qualys-cli vm host detection

List host vulnerability detections.

Qualys API doc ↗
qualys-cli vm host detection
Options  ·  8 optional
  • --ips
    TEXT
  • --qids
    TEXT
    Comma-separated QIDs
  • --severities
    TEXT
    1-5 comma-separated
  • --limit -n
    INTEGER
    Default 25
  • --all
    FLAG
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)

kb1

vm kb list
qualys-cli vm kb list

List vulnerabilities from the KnowledgeBase.

Qualys API doc ↗
qualys-cli vm kb list
Options  ·  + 3 required (one-of) · 16 optional
One-of required: --id-max --id-min --ids — pass at least one
  • --ids
    TEXT required (one-of)
    Comma-separated QID(s)
  • --id-min
    TEXT required (one-of)
    Minimum QID in range
  • --id-max
    TEXT required (one-of)
    Maximum QID in range
  • --cve
    TEXT
    Comma-separated CVE IDs
  • --published-after
    TEXT
    YYYY-MM-DD[THH:MM:SSZ]
  • --published-before
    TEXT
    YYYY-MM-DD[THH:MM:SSZ]
  • --last-modified-after
    TEXT
    YYYY-MM-DD[THH:MM:SSZ]
  • --last-modified-before
    TEXT
    YYYY-MM-DD[THH:MM:SSZ]
  • --details
    TEXT
    Basic|All|None
    Allowed Basic All None
  • --patchable/--not-patchable
    BOOLEAN
    Filter by whether a patch exists
  • --discovery-method
    TEXT
    Remote|Authenticated|RemoteOnly|AuthenticatedOnly|RemoteAndAuthenticated
    Allowed Remote Authenticated RemoteOnly AuthenticatedOnly RemoteAndAuthenticated
  • --show-pci-reasons
    FLAG
    Include PCI pass/fail reasons
  • --show-disabled-flag
    FLAG
    Include the disabled flag for each QID
  • --show-supported-modules-info
    FLAG
    Include supported-module info
  • --show-qid-change-log
    FLAG
    Include QID change-log entries
  • --limit -n
    INTEGER
    Default 25
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)

option-profile3

vm option-profile list
qualys-cli vm option-profile list

List VM option profiles.

Qualys API doc ↗
qualys-cli vm option-profile list
Options  ·  6 optional
  • --ids
    TEXT
  • --title-contains
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
vm option-profile create
qualys-cli vm option-profile create

Create a VM option profile.

Qualys API doc ↗
qualys-cli vm option-profile create --title VALUE
Options  ·  1 required · 1 optional
  • --title
    TEXT required
  • --verbose -v
    FLAG (repeatable)
vm option-profile delete
qualys-cli vm option-profile delete

Delete VM option profile(s).

Qualys API doc ↗
qualys-cli vm option-profile delete <ids>
Options  ·  1 required · 2 optional
  • IDS
    TEXT required positional
    Option profile ID(s)
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

report4

vm report list
qualys-cli vm report list

List VM/PC reports.

Qualys API doc ↗
qualys-cli vm report list
Options  ·  7 optional
  • --id
    TEXT
  • --state
    TEXT
    Running|Finished|Canceled
    Allowed Running Finished Canceled
  • --type
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
vm report launch
qualys-cli vm report launch

Launch a VM/PC report.

Qualys API doc ↗
qualys-cli vm report launch --template-id VALUE --title VALUE
Options  ·  2 required · 3 optional
  • --template-id
    TEXT required
  • --title
    TEXT required
  • --output-format
    TEXT
    PDF|HTML|XML|CSV|DOCX
    Allowed PDF HTML XML CSV DOCX
    Default PDF
  • --ips
    TEXT
  • --verbose -v
    FLAG (repeatable)
vm report fetch
qualys-cli vm report fetch

Fetch (download) a completed report.

Qualys API doc ↗
qualys-cli vm report fetch <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
  • --output-file -o
    TEXT
    Default report.pdf
  • --verbose -v
    FLAG (repeatable)
vm report delete
qualys-cli vm report delete

Delete a report.

Qualys API doc ↗
qualys-cli vm report delete <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

scan-schedule2

vm scan-schedule list
qualys-cli vm scan-schedule list

List VM scan schedules.

Qualys API doc ↗
qualys-cli vm scan-schedule list
Options  ·  5 optional
  • --ids
    TEXT
  • --active/--inactive
    BOOLEAN
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
vm scan-schedule delete
qualys-cli vm scan-schedule delete

Delete scan schedule(s).

Qualys API doc ↗
qualys-cli vm scan-schedule delete <ids>
Options  ·  1 required · 2 optional
  • IDS
    TEXT required positional
    Schedule ID(s)
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

appliance1

vm appliance list
qualys-cli vm appliance list

List scanner appliances.

Qualys API doc ↗
qualys-cli vm appliance list
Options  ·  5 optional
  • --ids
    TEXT
  • --name
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
PC

Policy Compliance

Compliance scans, schedules, policies, posture, option profiles

Basic auth · XML8 commands

scan2

pc scan list
qualys-cli pc scan list

List compliance scans.

Qualys API doc ↗
qualys-cli pc scan list
Options  ·  6 optional
  • --state
    TEXT
  • --launched-after
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
pc scan launch
qualys-cli pc scan launch

Launch a compliance scan.

Qualys API doc ↗
qualys-cli pc scan launch --title VALUE --ip VALUE
Options  ·  2 required · + 2 required (one-of) · 4 optional
One-of required: --option-id --option-title — pass at least one
  • --title
    TEXT required
  • --ip
    TEXT required
  • --option-id
    TEXT required (one-of)
    Option profile ID (required if --option-title not given)
  • --option-title
    TEXT required (one-of)
    Option profile title (required if --option-id not given)
  • --scanner
    TEXT
    Scanner appliance name(s)
  • --asset-groups
    TEXT
    Asset group IDs, comma-separated (alternative to --ip)
  • --priority
    INTEGER
    0–9
  • --verbose -v
    FLAG (repeatable)

scan-schedule2

pc scan-schedule list
qualys-cli pc scan-schedule list

List compliance scan schedules.

Qualys API doc ↗
qualys-cli pc scan-schedule list
Options  ·  3 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pc scan-schedule delete
qualys-cli pc scan-schedule delete

Delete a compliance scan schedule.

Qualys API doc ↗
qualys-cli pc scan-schedule delete <id->
Options  ·  1 required · 2 optional
  • ID_
    TEXT required positional
    Schedule ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

policy2

pc policy list
qualys-cli pc policy list

List compliance policies.

Qualys API doc ↗
qualys-cli pc policy list
Options  ·  6 optional
  • --ids
    TEXT
    Comma-separated policy ID(s)
  • --title
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
pc policy export
qualys-cli pc policy export

Export a policy to XML.

Qualys API doc ↗
qualys-cli pc policy export
Options  ·  + 1 required (one-of) · 5 optional
One-of required: --title — pass at least one
  • ID_
    TEXT positional
    Policy ID (omit if using --title)
  • --title
    TEXT required (one-of)
    Look up policy by title instead of ID
  • --show-user-controls
    FLAG
    Include user-defined controls
  • --show-appendix
    FLAG
    Include the policy appendix
  • --output-file -o
    TEXT
    Default policy.xml
  • --verbose -v
    FLAG (repeatable)

posture1

pc posture list
qualys-cli pc posture list

List compliance posture info.

Qualys API doc ↗
qualys-cli pc posture list --policy-id VALUE
Options  ·  1 required · 7 optional
  • --policy-id
    TEXT required
    Policy ID to evaluate posture against (required by the API).
  • --host-id
    TEXT
  • --control-id
    TEXT
  • --status
    TEXT
    Pass|Fail|Error
    Allowed Pass Fail Error
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

option-profile1

pc option-profile list
qualys-cli pc option-profile list

List PC option profiles.

Qualys API doc ↗
qualys-cli pc option-profile list
Options  ·  4 optional
  • --ids
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
WAS

Web Application Scanning

Web apps, scans, findings, auth records, schedules, reports, catalog, DNS overrides, imports

Basic auth · QPS XML60 commands

webapp7

was webapp list
qualys-cli was webapp list

Search/list web applications.

Qualys API doc ↗
qualys-cli was webapp list
Options  ·  7 optional
  • --name
    TEXT
    Filter by name (CONTAINS)
  • --url
    TEXT
    Filter by URL (CONTAINS)
  • --tag-id
    TEXT
    Filter by tag ID
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was webapp get
qualys-cli was webapp get

Get details of a web application.

Qualys API doc ↗
qualys-cli was webapp get <webapp-id>
Options  ·  1 required · 2 optional
  • WEBAPP_ID
    TEXT required positional
    Web application ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was webapp count
qualys-cli was webapp count

Get the count of web applications.

Qualys API doc ↗
qualys-cli was webapp count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was webapp create
qualys-cli was webapp create

Create a web application.

Qualys API doc ↗
qualys-cli was webapp create --name VALUE --url VALUE
Options  ·  2 required · 1 optional
  • --name
    TEXT required
    Web application name
  • --url
    TEXT required
    Starting URL (e.g. https://myapp.com)
  • --verbose -v
    FLAG (repeatable)
was webapp update
qualys-cli was webapp update

Update a web application.

Qualys API doc ↗
qualys-cli was webapp update <webapp-id>
Options  ·  1 required · 3 optional
  • WEBAPP_ID
    TEXT required positional
    Web application ID
  • --name
    TEXT
    New name
  • --url
    TEXT
    New URL
  • --verbose -v
    FLAG (repeatable)
was webapp delete
qualys-cli was webapp delete

Delete a web application.

Qualys API doc ↗
qualys-cli was webapp delete <webapp-id>
Options  ·  1 required · 2 optional
  • WEBAPP_ID
    TEXT required positional
    Web application ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
was webapp purge
qualys-cli was webapp purge

Purge all scan data for a web application.

Qualys API doc ↗
qualys-cli was webapp purge <webapp-id>
Options  ·  1 required · 2 optional
  • WEBAPP_ID
    TEXT required positional
    Web application ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

scan9

was scan list
qualys-cli was scan list

Search/list WAS scans.

Qualys API doc ↗
qualys-cli was scan list
Options  ·  8 optional
  • --name
    TEXT
    Filter by scan name (CONTAINS)
  • --webapp-id
    TEXT
    Filter by web application ID
  • --status
    TEXT
    SUBMITTED|RUNNING|FINISHED|ERROR|CANCELLED
    Allowed SUBMITTED RUNNING FINISHED ERROR CANCELLED
  • --type
    TEXT
    VULNERABILITY|DISCOVERY
    Allowed VULNERABILITY DISCOVERY
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was scan get
qualys-cli was scan get

Get scan details.

Qualys API doc ↗
qualys-cli was scan get <scan-id>
Options  ·  1 required · 2 optional
  • SCAN_ID
    TEXT required positional
    Scan ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was scan count
qualys-cli was scan count

Get count of WAS scans.

Qualys API doc ↗
qualys-cli was scan count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was scan status
qualys-cli was scan status

Get current status of a scan.

Qualys API doc ↗
qualys-cli was scan status <scan-id>
Options  ·  1 required · 3 optional
  • SCAN_ID
    TEXT required positional
    Scan ID
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was scan launch
qualys-cli was scan launch

Launch a WAS scan on a single web application.

Qualys API doc ↗
qualys-cli was scan launch --name VALUE --webapp-id VALUE --profile-id VALUE
Options  ·  3 required · 3 optional
  • --name
    TEXT required
    Scan name
  • --webapp-id
    TEXT required
    Web application ID to scan
  • --profile-id
    TEXT required
    Option profile ID
  • --type
    TEXT
    VULNERABILITY|DISCOVERY
    Allowed VULNERABILITY DISCOVERY
    Default VULNERABILITY
  • --scanner-type
    TEXT
    EXTERNAL|INTERNAL
    Allowed EXTERNAL INTERNAL
    Default EXTERNAL
  • --verbose -v
    FLAG (repeatable)
was scan cancel
qualys-cli was scan cancel

Cancel an in-progress scan.

Qualys API doc ↗
qualys-cli was scan cancel <scan-id>
Options  ·  1 required · 2 optional
  • SCAN_ID
    TEXT required positional
    Scan ID
  • --keep-results
    FLAG
    Retain partial results
  • --verbose -v
    FLAG (repeatable)
was scan results
qualys-cli was scan results

Download raw XML results for a completed scan.

Qualys API doc ↗
qualys-cli was scan results <scan-id>
Options  ·  1 required · 2 optional
  • SCAN_ID
    TEXT required positional
    Scan ID
  • --output-file -o
    TEXT
    Default scan-results.xml
  • --verbose -v
    FLAG (repeatable)
was scan delete
qualys-cli was scan delete

Delete a scan.

Qualys API doc ↗
qualys-cli was scan delete <scan-id>
Options  ·  1 required · 2 optional
  • SCAN_ID
    TEXT required positional
    Scan ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
was scan scan-again
qualys-cli was scan scan-again

Re-run a completed scan with the same settings.

Qualys API doc ↗
qualys-cli was scan scan-again <scan-id>
Options  ·  1 required · 1 optional
  • SCAN_ID
    TEXT required positional
    Scan ID to re-run
  • --verbose -v
    FLAG (repeatable)

finding9

was finding list
qualys-cli was finding list

Search/list findings.

Qualys API doc ↗
qualys-cli was finding list
Options  ·  9 optional
  • --webapp-id
    TEXT
  • --qid
    TEXT
    Qualys finding ID
  • --status
    TEXT
    NEW|ACTIVE|REOPENED|PROTECTED|FIXED
    Allowed NEW ACTIVE REOPENED PROTECTED FIXED
  • --type
    TEXT
    VULNERABILITY|SENSITIVE_CONTENT|INFORMATION_GATHERED
    Allowed VULNERABILITY SENSITIVE_CONTENT INFORMATION_GATHERED
  • --severity
    TEXT
    1-5
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was finding get
qualys-cli was finding get

Get details of a finding.

Qualys API doc ↗
qualys-cli was finding get <finding-id>
Options  ·  1 required · 2 optional
  • FINDING_ID
    TEXT required positional
    Finding ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was finding count
qualys-cli was finding count

Get count of findings.

Qualys API doc ↗
qualys-cli was finding count
Options  ·  4 optional
  • --webapp-id
    TEXT
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was finding ignore
qualys-cli was finding ignore

Ignore a finding.

Qualys API doc ↗
qualys-cli was finding ignore <finding-id> --reason FALSE_POSITIVE
Options  ·  2 required · 2 optional
  • FINDING_ID
    TEXT required positional
    Finding ID
  • --reason
    TEXT required
    Ignore reason (e.g. FALSE_POSITIVE, NOT_APPLICABLE)
    Allowed FALSE_POSITIVE NOT_APPLICABLE
  • --comment
    TEXT
  • --verbose -v
    FLAG (repeatable)
was finding reactivate
qualys-cli was finding reactivate

Reactivate (un-ignore) a finding.

Qualys API doc ↗
qualys-cli was finding reactivate <finding-id>
Options  ·  1 required · 1 optional
  • FINDING_ID
    TEXT required positional
    Finding ID
  • --verbose -v
    FLAG (repeatable)
was finding restore
qualys-cli was finding restore

Restore a fixed finding to active state.

Qualys API doc ↗
qualys-cli was finding restore <finding-id>
Options  ·  1 required · 1 optional
  • FINDING_ID
    TEXT required positional
    Finding ID
  • --verbose -v
    FLAG (repeatable)
was finding retest
qualys-cli was finding retest

Request a retest of a specific finding.

Qualys API doc ↗
qualys-cli was finding retest <finding-id>
Options  ·  1 required · 1 optional
  • FINDING_ID
    TEXT required positional
    Finding ID
  • --verbose -v
    FLAG (repeatable)
was finding retest-status
qualys-cli was finding retest-status

Get the retest status of a finding.

Qualys API doc ↗
qualys-cli was finding retest-status <finding-id>
Options  ·  1 required · 1 optional
  • FINDING_ID
    TEXT required positional
    Finding ID
  • --verbose -v
    FLAG (repeatable)
was finding edit-severity
qualys-cli was finding edit-severity

Edit the severity of a finding.

Qualys API doc ↗
qualys-cli was finding edit-severity <finding-id> --severity VALUE
Options  ·  2 required · 2 optional
  • FINDING_ID
    TEXT required positional
    Finding ID
  • --severity
    INTEGER required
    New severity 1-5
  • --comment
    TEXT
  • --verbose -v
    FLAG (repeatable)

auth-record4

was auth-record list
qualys-cli was auth-record list

Search/list authentication records.

Qualys API doc ↗
qualys-cli was auth-record list
Options  ·  5 optional
  • --name
    TEXT
    Filter by name (CONTAINS)
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was auth-record get
qualys-cli was auth-record get

Get authentication record details.

Qualys API doc ↗
qualys-cli was auth-record get <auth-id>
Options  ·  1 required · 2 optional
  • AUTH_ID
    TEXT required positional
    Authentication record ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was auth-record count
qualys-cli was auth-record count

Get count of authentication records.

Qualys API doc ↗
qualys-cli was auth-record count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was auth-record delete
qualys-cli was auth-record delete

Delete an authentication record.

Qualys API doc ↗
qualys-cli was auth-record delete <auth-id>
Options  ·  1 required · 2 optional
  • AUTH_ID
    TEXT required positional
    Authentication record ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

option-profile5

was option-profile list
qualys-cli was option-profile list

Search/list option profiles.

Qualys API doc ↗
qualys-cli was option-profile list
Options  ·  5 optional
  • --name
    TEXT
    Filter by name (CONTAINS)
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was option-profile get
qualys-cli was option-profile get

Get option profile details.

Qualys API doc ↗
qualys-cli was option-profile get <profile-id>
Options  ·  1 required · 2 optional
  • PROFILE_ID
    TEXT required positional
    Option profile ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was option-profile count
qualys-cli was option-profile count

Get count of option profiles.

Qualys API doc ↗
qualys-cli was option-profile count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was option-profile create
qualys-cli was option-profile create

Create an option profile with default settings.

Qualys API doc ↗
qualys-cli was option-profile create --name VALUE
Options  ·  1 required · 1 optional
  • --name
    TEXT required
    Option profile name
  • --verbose -v
    FLAG (repeatable)
was option-profile delete
qualys-cli was option-profile delete

Delete an option profile.

Qualys API doc ↗
qualys-cli was option-profile delete <profile-id>
Options  ·  1 required · 2 optional
  • PROFILE_ID
    TEXT required positional
    Option profile ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

schedule7

was schedule list
qualys-cli was schedule list

Search/list scan schedules.

Qualys API doc ↗
qualys-cli was schedule list
Options  ·  7 optional
  • --name
    TEXT
    Filter by name (CONTAINS)
  • --webapp-id
    TEXT
  • --active/--inactive
    BOOLEAN
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was schedule get
qualys-cli was schedule get

Get schedule details.

Qualys API doc ↗
qualys-cli was schedule get <schedule-id>
Options  ·  1 required · 2 optional
  • SCHEDULE_ID
    TEXT required positional
    Schedule ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was schedule count
qualys-cli was schedule count

Get count of scan schedules.

Qualys API doc ↗
qualys-cli was schedule count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was schedule create
qualys-cli was schedule create

Create a scan schedule.

Qualys API doc ↗
qualys-cli was schedule create --name VALUE --webapp-id VALUE --profile-id VALUE
Options  ·  3 required · 2 optional
  • --name
    TEXT required
    Schedule name
  • --webapp-id
    TEXT required
    Web application ID
  • --profile-id
    TEXT required
    Option profile ID
  • --type
    TEXT
    VULNERABILITY|DISCOVERY
    Allowed VULNERABILITY DISCOVERY
    Default VULNERABILITY
  • --verbose -v
    FLAG (repeatable)
was schedule activate
qualys-cli was schedule activate

Activate a scan schedule.

Qualys API doc ↗
qualys-cli was schedule activate <schedule-id>
Options  ·  1 required · 1 optional
  • SCHEDULE_ID
    TEXT required positional
    Schedule ID
  • --verbose -v
    FLAG (repeatable)
was schedule deactivate
qualys-cli was schedule deactivate

Deactivate a scan schedule.

Qualys API doc ↗
qualys-cli was schedule deactivate <schedule-id>
Options  ·  1 required · 1 optional
  • SCHEDULE_ID
    TEXT required positional
    Schedule ID
  • --verbose -v
    FLAG (repeatable)
was schedule delete
qualys-cli was schedule delete

Delete a scan schedule.

Qualys API doc ↗
qualys-cli was schedule delete <schedule-id>
Options  ·  1 required · 2 optional
  • SCHEDULE_ID
    TEXT required positional
    Schedule ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

report8

was report list
qualys-cli was report list

Search/list reports.

Qualys API doc ↗
qualys-cli was report list
Options  ·  6 optional
  • --name
    TEXT
    Filter by name (CONTAINS)
  • --status
    TEXT
    RUNNING|COMPLETE|ERROR
    Allowed RUNNING COMPLETE ERROR
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was report get
qualys-cli was report get

Get report details.

Qualys API doc ↗
qualys-cli was report get <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was report status
qualys-cli was report status

Get the status of a report.

Qualys API doc ↗
qualys-cli was report status <report-id>
Options  ·  1 required · 1 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --verbose -v
    FLAG (repeatable)
was report count
qualys-cli was report count

Get count of reports.

Qualys API doc ↗
qualys-cli was report count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was report create-webapp
qualys-cli was report create-webapp

Create a web application vulnerability report.

Qualys API doc ↗
qualys-cli was report create-webapp --name VALUE --webapp-id VALUE
Options  ·  2 required · 3 optional
  • --name
    TEXT required
    Report name
  • --webapp-id
    TEXT required
    Web application ID
  • --template-id
    TEXT
    Report template ID
  • --format-type
    TEXT
    PDF|HTML|XML|CSV|WORD
    Allowed PDF HTML XML CSV WORD
    Default PDF
  • --verbose -v
    FLAG (repeatable)
was report create-scan
qualys-cli was report create-scan

Create a scan-based report.

Qualys API doc ↗
qualys-cli was report create-scan --name VALUE --scan-id VALUE
Options  ·  2 required · 3 optional
  • --name
    TEXT required
    Report name
  • --scan-id
    TEXT required
    Scan ID
  • --template-id
    TEXT
  • --format-type
    TEXT
    PDF|HTML|XML|CSV
    Allowed PDF HTML XML CSV
    Default PDF
  • --verbose -v
    FLAG (repeatable)
was report download
qualys-cli was report download

Download a completed report.

Qualys API doc ↗
qualys-cli was report download <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --output-file -o
    TEXT
    Default was-report.pdf
  • --verbose -v
    FLAG (repeatable)
was report delete
qualys-cli was report delete

Delete a report.

Qualys API doc ↗
qualys-cli was report delete <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

catalog4

was catalog list
qualys-cli was catalog list

List catalog entries.

Qualys API doc ↗
qualys-cli was catalog list
Options  ·  5 optional
  • --name
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was catalog count
qualys-cli was catalog count

Get count of catalog entries.

Qualys API doc ↗
qualys-cli was catalog count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was catalog add-to-subscription
qualys-cli was catalog add-to-subscription

Add a catalog entry to the subscription (creates a web application).

Qualys API doc ↗
qualys-cli was catalog add-to-subscription <catalog-id>
Options  ·  1 required · 1 optional
  • CATALOG_ID
    TEXT required positional
    Catalog entry ID
  • --verbose -v
    FLAG (repeatable)
was catalog delete
qualys-cli was catalog delete

Delete catalog entries.

Qualys API doc ↗
qualys-cli was catalog delete <catalog-id>
Options  ·  1 required · 2 optional
  • CATALOG_ID
    TEXT required positional
    Catalog entry ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

dns5

was dns list
qualys-cli was dns list

List DNS overrides.

Qualys API doc ↗
qualys-cli was dns list
Options  ·  5 optional
  • --name
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
was dns get
qualys-cli was dns get

Get DNS override details.

Qualys API doc ↗
qualys-cli was dns get <dns-id>
Options  ·  1 required · 2 optional
  • DNS_ID
    TEXT required positional
    DNS override ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was dns count
qualys-cli was dns count

Get count of DNS overrides.

Qualys API doc ↗
qualys-cli was dns count
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
was dns create
qualys-cli was dns create

Create a DNS override.

Qualys API doc ↗
qualys-cli was dns create --name VALUE --hostname VALUE --ip VALUE
Options  ·  3 required · 1 optional
  • --name
    TEXT required
    DNS override name
  • --hostname
    TEXT required
    Hostname to override
  • --ip
    TEXT required
    IP address to map to
  • --verbose -v
    FLAG (repeatable)
was dns delete
qualys-cli was dns delete

Delete a DNS override.

Qualys API doc ↗
qualys-cli was dns delete <dns-id>
Options  ·  1 required · 2 optional
  • DNS_ID
    TEXT required positional
    DNS override ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

import2

was import burp
qualys-cli was import burp

Import findings from a Burp Suite XML export.

Qualys API doc ↗
qualys-cli was import burp --webapp-id VALUE --file VALUE
Options  ·  2 required · 2 optional
  • --webapp-id
    TEXT required
    Target web application ID
  • --file
    TEXT required
    Path to Burp Suite XML export file
  • --purge-results
    FLAG
    Remove previous results
  • --verbose -v
    FLAG (repeatable)
was import owasp-zap
qualys-cli was import owasp-zap

Import findings from an OWASP ZAP XML report.

Qualys API doc ↗
qualys-cli was import owasp-zap --webapp-id VALUE --file VALUE
Options  ·  2 required · 3 optional
  • --webapp-id
    TEXT required
    Target web application ID
  • --file
    TEXT required
    Path to OWASP ZAP XML report file
  • --purge-results
    FLAG
  • --close-unreported
    FLAG
    Mark unfound issues as fixed
  • --verbose -v
    FLAG (repeatable)
TC

TotalCloud (CSPM)

Cloud connectors, evaluations, alert rules, exceptions, IaC scans, CDR findings

JWT Bearer · JSON15 commands

connector1

tc connector list
qualys-cli tc connector list

List cloud connectors for a given provider.

Qualys API doc ↗
qualys-cli tc connector list --provider VALUE
Options  ·  1 required · 7 optional
  • --provider -p
    TEXT required
    Cloud provider: AWS | AZURE | GCP
  • --filter
    TEXT
    QQL filter (name, state, connector.uuid)
  • --page-no
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

evaluation1

tc evaluation list
qualys-cli tc evaluation list

List evaluation statistics per control for a cloud account.

Qualys API doc ↗
qualys-cli tc evaluation list --provider VALUE --account-id VALUE
Options  ·  2 required · 7 optional
  • --provider -p
    TEXT required
    Cloud provider: AWS | AZURE | GCP
  • --account-id
    TEXT required
    Cloud account ID to evaluate (required path segment in the API).
  • --filter
    TEXT
    QQL filter
  • --page-no
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

report3

tc report list
qualys-cli tc report list

List assessment reports.

Qualys API doc ↗
qualys-cli tc report list
Options  ·  9 optional
  • --created-by
    TEXT
    Filter by creator username
  • --name
    TEXT
  • --status
    TEXT
    Accepted|Completed|Failed|Generated|Processing
    Allowed Accepted Completed Failed Generated Processing
  • --page-no
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
tc report create
qualys-cli tc report create

Create an assessment report.

Qualys API doc ↗
qualys-cli tc report create --name VALUE --cloud-type AWS --start-date VALUE --end-date VALUE --report-format VALUE --policy-ids VALUE --connector-ids VALUE
Options  ·  7 required · 10 optional
  • --name
    TEXT required
    Report name
  • --cloud-type
    TEXT required
    AWS|Azure|GCP|OCI
    Allowed AWS Azure GCP OCI
  • --start-date
    TEXT required
    e.g. 2025-09-03T15:43:38Z
  • --end-date
    TEXT required
  • --report-format
    TEXT required
    Output format: csv|pdf|ON_SCREEN (required)
  • --policy-ids
    TEXT required
    Comma-separated policy IDs (required by API)
  • --connector-ids
    TEXT required
    Comma-separated connector IDs (required by API)
  • --execution-type
    TEXT
    RUN_TIME|BUILD_TIME|SCHEDULED
    Allowed RUN_TIME BUILD_TIME SCHEDULED
    Default RUN_TIME
  • --tag-ids
    TEXT
    Comma-separated tag IDs
  • --group-ids
    TEXT
    Comma-separated connector-group IDs
  • --query
    TEXT
    QQL filter for resources
  • --description
    TEXT
  • --include-resource-arn
    FLAG
    AWS only: include resource ARNs in PDF
  • --resource-results
    TEXT
    Comma-separated subset of: PASS, PassE, FAIL
    Allowed PASS PassE FAIL
  • --iac-resource-results
    TEXT
    Comma-separated IaC resource result filter
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
tc report download
qualys-cli tc report download

Download an assessment report as a ZIP.

Qualys API doc ↗
qualys-cli tc report download <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --output-file -o
    TEXT
    Default tc-report.zip
  • --verbose -v
    FLAG (repeatable)

rule5

tc rule list
qualys-cli tc rule list

List alert rules.

Qualys API doc ↗
qualys-cli tc rule list --cloud-type AWS --rule-type VALUE
Options  ·  2 required · 7 optional
  • --cloud-type
    TEXT required
    AWS|Azure|GCP|OCI
    Allowed AWS Azure GCP OCI
  • --rule-type
    TEXT required
    simple_alert|time_window_schedule_alert (required by API)
  • --filter
    TEXT
    QQL filter (ruleName, ruleState, etc.)
  • --page-no
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
tc rule create
qualys-cli tc rule create

Create an alert rule.

Qualys API doc ↗
qualys-cli tc rule create --cloud-type AWS --rule-type VALUE --name VALUE --qql VALUE --action-id VALUE --action-type VALUE
Options  ·  6 required · 3 optional
  • --cloud-type
    TEXT required
    AWS|Azure|GCP|OCI
    Allowed AWS Azure GCP OCI
  • --rule-type
    TEXT required
    simple_alert|time_window_schedule_alert
  • --name
    TEXT required
  • --qql
    TEXT required
    Rule QQL query
  • --action-id
    TEXT required
  • --action-type
    TEXT required
    qemail|pagerduty|slack
  • --description
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
tc rule enable
qualys-cli tc rule enable

Enable one or more rules.

Qualys API doc ↗
qualys-cli tc rule enable <rule-ids> --cloud-type AWS --rule-type VALUE
Options  ·  3 required · 2 optional
  • RULE_IDS
    TEXT required positional
    Comma-separated rule IDs
  • --cloud-type
    TEXT required
    AWS|Azure|GCP|OCI
    Allowed AWS Azure GCP OCI
  • --rule-type
    TEXT required
    simple_alert|time_window_schedule_alert (required by API)
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
tc rule disable
qualys-cli tc rule disable

Disable one or more rules.

Qualys API doc ↗
qualys-cli tc rule disable <rule-ids> --cloud-type AWS --rule-type VALUE
Options  ·  3 required · 2 optional
  • RULE_IDS
    TEXT required positional
    Comma-separated rule IDs
  • --cloud-type
    TEXT required
    AWS|Azure|GCP|OCI
    Allowed AWS Azure GCP OCI
  • --rule-type
    TEXT required
    simple_alert|time_window_schedule_alert (required by API)
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
tc rule delete
qualys-cli tc rule delete

Delete one or more rules.

Qualys API doc ↗
qualys-cli tc rule delete <rule-ids> --cloud-type AWS --rule-type VALUE
Options  ·  3 required · 2 optional
  • RULE_IDS
    TEXT required positional
    Comma-separated rule IDs
  • --cloud-type
    TEXT required
    AWS|Azure|GCP|OCI
    Allowed AWS Azure GCP OCI
  • --rule-type
    TEXT required
    simple_alert|time_window_schedule_alert (required by API)
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

exception2

tc exception list
qualys-cli tc exception list

List exceptions.

Qualys API doc ↗
qualys-cli tc exception list
Options  ·  7 optional
  • --filter
    TEXT
    QQL filter (exception.provider, exception.status, etc.)
  • --page-no
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
tc exception delete
qualys-cli tc exception delete

Delete exceptions.

Qualys API doc ↗
qualys-cli tc exception delete <exception-ids>
Options  ·  1 required · 2 optional
  • EXCEPTION_IDS
    TEXT required positional
    Comma-separated exception IDs
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

iac2

tc iac list
qualys-cli tc iac list

List IaC scans.

Qualys API doc ↗
qualys-cli tc iac list
Options  ·  7 optional
  • --filter
    TEXT
    QQL filter (status, scanUuid, scanDate)
  • --page-no
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
tc iac get
qualys-cli tc iac get

Get IaC scan result by UUID.

Qualys API doc ↗
qualys-cli tc iac get <scan-uuid>
Options  ·  1 required · 3 optional
  • SCAN_UUID
    TEXT required positional
    Scan UUID
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

cdr1

tc cdr findings
qualys-cli tc cdr findings

Get CDR security threat findings.

Qualys API doc ↗
qualys-cli tc cdr findings --query VALUE --start-at VALUE --end-at VALUE
Options  ·  3 required · 8 optional
  • --query
    TEXT required
    QQL query (e.g. tc.findings.cloudProvider:AWS)
  • --start-at
    TEXT required
    Start timestamp e.g. 2025-01-01T00:00:00Z
  • --end-at
    TEXT required
    End timestamp
  • --cloud-provider
    TEXT
    AWS|AZURE|GCP
    Allowed AWS AZURE GCP
  • --cloud-account
    TEXT
  • --limit-val
    TEXT
    Max records to return
  • --offset
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
CA

Cloud Agent

Agent lifecycle, on-demand scans, activation keys, configuration profiles

Basic + JWT · XML/JSON15 commands

agent7

ca agent list
qualys-cli ca agent list

List cloud agents (POST search).

Qualys API doc ↗
qualys-cli ca agent list
Options  ·  8 optional
  • --tag
    TEXT
    Tag NAME filter (default: "Cloud Agent" — override if your account uses a different tag)
  • --tag-id
    TEXT
    Tag ID filter (more reliable than name)
  • --tracking-method
    TEXT
    Filter by tracking method (e.g. AGENT) — alternative to --tag
  • --fields
    TEXT
    Comma-separated fields to include in the response
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
ca agent count
qualys-cli ca agent count

Get count of cloud agents in the account.

Qualys API doc ↗
qualys-cli ca agent count
Options  ·  6 optional
  • --tag
    TEXT
    Tag NAME filter (default: "Cloud Agent" — override if your account uses a different tag)
  • --tag-id
    TEXT
    Tag ID filter (more reliable than name)
  • --tracking-method
    TEXT
    Filter by tracking method (e.g. AGENT) — alternative to --tag
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
ca agent activate
qualys-cli ca agent activate

Activate a cloud agent for one or more modules.

Qualys API doc ↗
qualys-cli ca agent activate <asset-id> --module AGENT_VM
Options  ·  2 required · 1 optional
  • ASSET_ID
    TEXT required positional
    Asset ID of the agent
  • --module
    TEXT required
    Module(s): AGENT_VM,AGENT_PC,AGENT_FIM,AGENT_EDR,AGENT_SCA
    Allowed AGENT_VM AGENT_PC AGENT_FIM AGENT_EDR AGENT_SCA
  • --verbose -v
    FLAG (repeatable)
ca agent deactivate
qualys-cli ca agent deactivate

Deactivate a cloud agent for one or more modules.

Qualys API doc ↗
qualys-cli ca agent deactivate <asset-id> --module AGENT_VM
Options  ·  2 required · 1 optional
  • ASSET_ID
    TEXT required positional
    Asset ID of the agent
  • --module
    TEXT required
    Module(s): AGENT_VM,AGENT_PC,AGENT_FIM,AGENT_EDR,AGENT_SCA
    Allowed AGENT_VM AGENT_PC AGENT_FIM AGENT_EDR AGENT_SCA
  • --verbose -v
    FLAG (repeatable)
ca agent uninstall
qualys-cli ca agent uninstall

Uninstall a cloud agent.

Qualys API doc ↗
qualys-cli ca agent uninstall <asset-id>
Options  ·  1 required · 2 optional
  • ASSET_ID
    TEXT required positional
    Asset ID of the agent
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
ca agent bulk-activate
qualys-cli ca agent bulk-activate

Bulk activate agents matching a tag.

Qualys API doc ↗
qualys-cli ca agent bulk-activate --module VALUE
Options  ·  1 required · 2 optional
  • --module
    TEXT required
    Module(s) to activate
  • --tag
    TEXT
    Tag name filter
    Default Cloud Agent
  • --verbose -v
    FLAG (repeatable)
ca agent bulk-deactivate
qualys-cli ca agent bulk-deactivate

Bulk deactivate agents matching a tag.

Qualys API doc ↗
qualys-cli ca agent bulk-deactivate --module VALUE
Options  ·  1 required · 2 optional
  • --module
    TEXT required
    Module(s) to deactivate
  • --tag
    TEXT
    Tag name filter
    Default Cloud Agent
  • --verbose -v
    FLAG (repeatable)

scan1

ca scan launch-ods
qualys-cli ca scan launch-ods

Launch an on-demand scan for agents matching a tag.

Qualys API doc ↗
qualys-cli ca scan launch-ods --scan-type Inventory_Scan
Options  ·  1 required · 3 optional
  • --scan-type
    TEXT required
    Inventory_Scan|Vulnerability_Scan|PolicyCompliance_Scan|UDC_Scan|SCA_Scan|SWCA_scan
    Allowed Inventory_Scan Vulnerability_Scan PolicyCompliance_Scan UDC_Scan SCA_Scan SWCA_scan
  • --tag
    TEXT
    Tag name filter for target assets
    Default Cloud Agent
  • --override-cpu
    FLAG
    Override CPU throttle limits
  • --verbose -v
    FLAG (repeatable)

act-key4

ca act-key list
qualys-cli ca act-key list

Search/list activation keys.

Qualys API doc ↗
qualys-cli ca act-key list
Options  ·  4 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
ca act-key get
qualys-cli ca act-key get

Get activation key details.

Qualys API doc ↗
qualys-cli ca act-key get <key-id>
Options  ·  1 required · 2 optional
  • KEY_ID
    TEXT required positional
    Activation key ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
ca act-key create
qualys-cli ca act-key create

Create a new activation key.

Qualys API doc ↗
qualys-cli ca act-key create --title VALUE
Options  ·  1 required · 7 optional
  • --title
    TEXT required
    Activation key title
  • --licenses
    TEXT
    Comma-separated license types (e.g. VM,PC,FIM,EDR,SCA)
    Allowed VM PC FIM EDR SCA
  • --network-id
    TEXT
  • --expire-date
    TEXT
    ISO datetime e.g. 2026-12-31T23:59:59Z
  • --max-agents
    INTEGER
    Maximum agents allowed for this key
  • --tags
    TEXT
    Comma-separated tag IDs
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
ca act-key delete
qualys-cli ca act-key delete

Delete an activation key.

Qualys API doc ↗
qualys-cli ca act-key delete <key-id>
Options  ·  1 required · 2 optional
  • KEY_ID
    TEXT required positional
    Activation key ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

config3

ca config list
qualys-cli ca config list

List configuration profiles.

Qualys API doc ↗
qualys-cli ca config list
Options  ·  4 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
ca config create
qualys-cli ca config create

Create a configuration profile.

Qualys API doc ↗
qualys-cli ca config create --name VALUE
Options  ·  1 required · 2 optional
  • --name
    TEXT required
    Profile name
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
ca config delete
qualys-cli ca config delete

Delete a configuration profile.

Qualys API doc ↗
qualys-cli ca config delete <profile-id>
Options  ·  1 required · 2 optional
  • PROFILE_ID
    TEXT required positional
    Profile ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
CS

Container Security

Images, containers, registries, sensors, vulnerability reports

JWT Bearer · JSON18 commands

image5

cs image list
qualys-cli cs image list

List images in the account (max 10,000).

Qualys API doc ↗
qualys-cli cs image list
Options  ·  8 optional
  • --filter
    TEXT
    Qualys QQL filter
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --server-sort
    TEXT
    Server-side sort, e.g. created:desc. Use --sort/--sort-by for client-side post-processing.
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs image get
qualys-cli cs image get

Get details of a specific image.

Qualys API doc ↗
qualys-cli cs image get <image-sha>
Options  ·  1 required · 3 optional
  • IMAGE_SHA
    TEXT required positional
    Image SHA value
  • --scan-details
    TEXT
    malware,secrets,compliance
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
cs image vulns
qualys-cli cs image vulns

Get vulnerability details for an image.

Qualys API doc ↗
qualys-cli cs image vulns <image-sha>
Options  ·  1 required · 7 optional
  • IMAGE_SHA
    TEXT required positional
    Image SHA value
  • --filter
    TEXT
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs image software
qualys-cli cs image software

List software installed on an image.

Qualys API doc ↗
qualys-cli cs image software <image-sha>
Options  ·  1 required · 6 optional
  • IMAGE_SHA
    TEXT required positional
    Image SHA value
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs image delete
qualys-cli cs image delete

Delete images matching a filter.

Qualys API doc ↗
qualys-cli cs image delete --filter VALUE
Options  ·  1 required · 2 optional
  • --filter
    TEXT required
    QQL filter to select images to delete
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

container4

cs container list
qualys-cli cs container list

List containers in the account.

Qualys API doc ↗
qualys-cli cs container list
Options  ·  8 optional
  • --filter
    TEXT
    Qualys QQL filter
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --server-sort
    TEXT
    Server-side sort (passed to API). Use --sort/--sort-by for client-side.
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs container get
qualys-cli cs container get

Get details of a specific container.

Qualys API doc ↗
qualys-cli cs container get <container-sha>
Options  ·  1 required · 2 optional
  • CONTAINER_SHA
    TEXT required positional
    Container SHA
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
cs container vulns
qualys-cli cs container vulns

Get vulnerability details for a container.

Qualys API doc ↗
qualys-cli cs container vulns <container-sha>
Options  ·  1 required · 7 optional
  • CONTAINER_SHA
    TEXT required positional
    Container SHA
  • --filter
    TEXT
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs container software
qualys-cli cs container software

List software installed on a container.

Qualys API doc ↗
qualys-cli cs container software <container-sha>
Options  ·  1 required · 6 optional
  • CONTAINER_SHA
    TEXT required positional
    Container SHA
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

registry3

cs registry list
qualys-cli cs registry list

List registries.

Qualys API doc ↗
qualys-cli cs registry list
Options  ·  7 optional
  • --filter
    TEXT
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs registry get
qualys-cli cs registry get

Get registry details.

Qualys API doc ↗
qualys-cli cs registry get <registry-uuid>
Options  ·  1 required · 2 optional
  • REGISTRY_UUID
    TEXT required positional
    Registry UUID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
cs registry delete
qualys-cli cs registry delete

Delete one or more registries.

Qualys API doc ↗
qualys-cli cs registry delete <registry-uuids>
Options  ·  1 required · 2 optional
  • REGISTRY_UUIDS
    TEXT required positional
    Comma-separated registry UUIDs
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

sensor2

cs sensor list
qualys-cli cs sensor list

List sensors.

Qualys API doc ↗
qualys-cli cs sensor list
Options  ·  8 optional
  • --filter
    TEXT
  • --page-number
    INTEGER
    Default 1
  • --page-size
    INTEGER
    Default 50
  • --server-sort
    TEXT
    Server-side sort (passed to API). Use --sort/--sort-by for client-side.
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs sensor get
qualys-cli cs sensor get

Get sensor details.

Qualys API doc ↗
qualys-cli cs sensor get <sensor-uuid>
Options  ·  1 required · 2 optional
  • SENSOR_UUID
    TEXT required positional
    Sensor UUID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)

report4

cs report list
qualys-cli cs report list

List vulnerability reports.

Qualys API doc ↗
qualys-cli cs report list
Options  ·  4 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
cs report create
qualys-cli cs report create

Create a new vulnerability report request.

Qualys API doc ↗
qualys-cli cs report create --name VALUE --template CS_IMAGE_VULNERABILITY --expire-after VALUE
Options  ·  3 required · 4 optional
  • --name
    TEXT required
    Report title (max 150 chars)
  • --template
    TEXT required
    CS_IMAGE_VULNERABILITY|CS_CONTAINER_VULNERABILITY|CS_IMAGE_SECRETS|CS_IMAGE_MALWARE
    Allowed CS_IMAGE_VULNERABILITY CS_CONTAINER_VULNERABILITY CS_IMAGE_SECRETS CS_IMAGE_MALWARE
  • --expire-after
    TEXT required
    Days until expiry: 1|7|30|90
  • --filter
    TEXT
    QQL filter
  • --description
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
cs report download
qualys-cli cs report download

Download a report in JSON format.

Qualys API doc ↗
qualys-cli cs report download <report-uuid>
Options  ·  1 required · 2 optional
  • REPORT_UUID
    TEXT required positional
    Report UUID
  • --output-file -o
    TEXT
    Default cs-report.json
  • --verbose -v
    FLAG (repeatable)
cs report delete
qualys-cli cs report delete

Delete one or more reports.

Qualys API doc ↗
qualys-cli cs report delete <report-uuids>
Options  ·  1 required · 2 optional
  • REPORT_UUIDS
    TEXT required positional
    Comma-separated report UUIDs
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
CSAM

CyberSecurity Asset Management

Assets, EASM, vulnerabilities, domains, reports, software components, business metadata, third-party connectors, organizations

JWT Bearer · JSON27 commands

asset4

csam asset count
qualys-cli csam asset count

Get the count of assets matching filter criteria.

Qualys API doc ↗
qualys-cli csam asset count
Options  ·  5 optional
  • --filter
    TEXT (repeatable)
    Repeatable filter as field=op=value (e.g. asset.riskScore=GREATER=500)
  • --updated-after
    TEXT
    yyyy-MM-ddTHH:mmZ
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
csam asset list
qualys-cli csam asset list

Get host details for all assets (max 100 per call, use --last-seen-id to paginate).

Qualys API doc ↗
qualys-cli csam asset list
Options  ·  9 optional
  • --filter
    TEXT (repeatable)
    Repeatable filter as field=op=value (e.g. asset.riskScore=GREATER=500)
  • --updated-after
    TEXT
    yyyy-MM-ddTHH:mmZ
  • --last-seen-id
    INTEGER
    Paginate from this asset ID
  • --include-fields
    TEXT
    Comma-separated fields to include
  • --exclude-fields
    TEXT
    Comma-separated fields to exclude
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam asset get
qualys-cli csam asset get

Get host details for a specific asset.

Qualys API doc ↗
qualys-cli csam asset get <asset-id>
Options  ·  1 required · 4 optional
  • ASSET_ID
    TEXT required positional
    Asset ID
  • --include-fields
    TEXT
  • --exclude-fields
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
csam asset sn-export
qualys-cli csam asset sn-export

Export an asset in ServiceNow-style format including software-instance details.

Qualys API doc ↗
qualys-cli csam asset sn-export <asset-id>
Options  ·  1 required · 3 optional
  • ASSET_ID
    TEXT required positional
    Asset ID
  • --format -f
    TEXT
    Default json
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

easm9

csam easm list
qualys-cli csam easm list

List EASM profiles.

Qualys API doc ↗
qualys-cli csam easm list
Options  ·  6 optional
  • --name
    TEXT
    Filter by profile name
  • --page-number
    INTEGER
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam easm create
qualys-cli csam easm create

Create an EASM profile.

Qualys API doc ↗
qualys-cli csam easm create --name VALUE
Options  ·  1 required · 4 optional
  • --name
    TEXT required
    Profile name
  • --default
    FLAG
    Set as default profile
  • --domain-security
    FLAG
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
csam easm update
qualys-cli csam easm update

Update an EASM profile.

Qualys API doc ↗
qualys-cli csam easm update <profile-id>
Options  ·  1 required · 4 optional
  • PROFILE_ID
    TEXT required positional
    EASM profile ID
  • --name
    TEXT
  • --active/--inactive
    BOOLEAN
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
csam easm delete
qualys-cli csam easm delete

Delete an EASM profile.

Qualys API doc ↗
qualys-cli csam easm delete <profile-id>
Options  ·  1 required · 2 optional
  • PROFILE_ID
    TEXT required positional
    EASM profile ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
csam easm activate
qualys-cli csam easm activate

Activate an EASM profile.

Qualys API doc ↗
qualys-cli csam easm activate <profile-id>
Options  ·  1 required · 1 optional
  • PROFILE_ID
    TEXT required positional
    EASM profile ID
  • --verbose -v
    FLAG (repeatable)
csam easm deactivate
qualys-cli csam easm deactivate

Deactivate an EASM profile.

Qualys API doc ↗
qualys-cli csam easm deactivate <profile-id>
Options  ·  1 required · 1 optional
  • PROFILE_ID
    TEXT required positional
    EASM profile ID
  • --verbose -v
    FLAG (repeatable)
csam easm orgs
qualys-cli csam easm orgs

List EASM organizations/subsidiaries.

Qualys API doc ↗
qualys-cli csam easm orgs
Options  ·  6 optional
  • --page-number
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam easm status
qualys-cli csam easm status

Get EASM discovery status for a profile.

Qualys API doc ↗
qualys-cli csam easm status --name VALUE
Options  ·  1 required · 2 optional
  • --name
    TEXT required
    EASM profile name
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
csam easm patch
qualys-cli csam easm patch

Partially update an EASM profile via PATCH (additive — does not affect `easm update`).

Qualys API doc ↗
qualys-cli csam easm patch <profile-name> --body VALUE
Options  ·  2 required · 2 optional
  • PROFILE_NAME
    TEXT required positional
    EASM profile name
  • --body
    TEXT required
    Raw JSON body for the PATCH request
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)

vuln3

csam vuln list-easm
qualys-cli csam vuln list-easm

List EASM-discovered vulnerabilities.

Qualys API doc ↗
qualys-cli csam vuln list-easm
Options  ·  6 optional
  • --filter
    TEXT (repeatable)
    Repeatable filter as field=op=value (e.g. vulnerabilities.severity=EQUALS=2)
  • --last-seen-id
    TEXT
    Pagination cursor — pass the lastSeenId from the previous response
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam vuln list-scan
qualys-cli csam vuln list-scan

List vulnerabilities discovered by EASM scan.

Qualys API doc ↗
qualys-cli csam vuln list-scan
Options  ·  6 optional
  • --filter
    TEXT (repeatable)
    Repeatable filter as field=op=value (e.g. vulnerabilities.severity=EQUALS=2)
  • --last-seen-id
    TEXT
    Pagination cursor — pass the lastSeenId from the previous response
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam vuln data
qualys-cli csam vuln data

Fetch vulnerability data for software/OS CPEs across assets.

Qualys API doc ↗
qualys-cli csam vuln data --cpe-ids VALUE
Options  ·  1 required · 7 optional
  • --cpe-ids
    TEXT required
    Comma-separated CPE IDs (max 100)
  • --cpe-type
    TEXT
    Qualys|NIST
    Allowed Qualys NIST
  • --page-number
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

domain2

csam domain list
qualys-cli csam domain list

List unresolved and typosquatted domains discovered by EASM.

Qualys API doc ↗
qualys-cli csam domain list
Options  ·  8 optional
  • --type
    TEXT
    UNRESOLVED_DOMAINS
  • --filter-type
    TEXT
    ALL|DOMAIN|SUBDOMAIN
    Allowed ALL DOMAIN SUBDOMAIN
  • --page-size
    INTEGER
    Default 5000
  • --last-id
    INTEGER
    Paginate from this domain ID
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam domain count
qualys-cli csam domain count

Get count of unresolved domains.

Qualys API doc ↗
qualys-cli csam domain count
Options  ·  5 optional
  • --type
    TEXT
    UNRESOLVED_DOMAINS
  • --filter-type
    TEXT
    ALL|DOMAIN|SUBDOMAIN
    Allowed ALL DOMAIN SUBDOMAIN
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)

report2

csam report create
qualys-cli csam report create

Create an EASM summary report.

Qualys API doc ↗
qualys-cli csam report create --name VALUE --format-type VALUE --template VALUE --report-type VALUE
Options  ·  4 required · 4 optional
  • --name
    TEXT required
    Report name
  • --format-type
    TEXT required
    Output format e.g. PDF
  • --template
    TEXT required
    e.g. EASM_LEAD
  • --report-type
    TEXT required
    e.g. EASM_LEAD
  • --description
    TEXT
  • --query
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
csam report download
qualys-cli csam report download

Download a completed report by name.

Qualys API doc ↗
qualys-cli csam report download --name VALUE
Options  ·  1 required · 2 optional
  • --name
    TEXT required
    Exact report name
  • --output-file -o
    TEXT
    Default csam-report.pdf
  • --verbose -v
    FLAG (repeatable)

component2

csam component list
qualys-cli csam component list

List software components (SwCA) discovered across assets.

Qualys API doc ↗
qualys-cli csam component list
Options  ·  8 optional
  • --filter
    TEXT
    JSON filter body
  • --page-number
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --last-seen-id
    INTEGER
    Paginate from this component ID
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam component list-by-asset
qualys-cli csam component list-by-asset

List software components (SwCA) for a single asset.

Qualys API doc ↗
qualys-cli csam component list-by-asset <asset-id>
Options  ·  1 required · 7 optional
  • ASSET_ID
    TEXT required positional
    Asset ID to fetch components for
  • --filter
    TEXT
    JSON filter body
  • --page-number
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

business2

csam business import-asset
qualys-cli csam business import-asset

Import business metadata (criticality, owner, environment, etc.) for assets.

Qualys API doc ↗
qualys-cli csam business import-asset <input-file>
Options  ·  1 required · 2 optional
  • INPUT_FILE
    TEXT required positional
    CSV/JSON file with asset business metadata
  • --yes -y
    FLAG
    Skip confirmation
  • --verbose -v
    FLAG (repeatable)
csam business import-app
qualys-cli csam business import-app

Upsert business application metadata (apps and asset linkages).

Qualys API doc ↗
qualys-cli csam business import-app <input-file>
Options  ·  1 required · 2 optional
  • INPUT_FILE
    TEXT required positional
    CSV/JSON file with business application metadata
  • --yes -y
    FLAG
    Skip confirmation
  • --verbose -v
    FLAG (repeatable)

connector1

csam connector sync
qualys-cli csam connector sync

Push third-party assets/findings into CSAM via the webhook connector.

Qualys API doc ↗
qualys-cli csam connector sync <input-file>
Options  ·  1 required · 1 optional
  • INPUT_FILE
    TEXT required positional
    JSON payload describing third-party assets/findings
  • --verbose -v
    FLAG (repeatable)

org2

csam org list
qualys-cli csam org list

Search organizations and subsidiaries (POST search).

Qualys API doc ↗
qualys-cli csam org list
Options  ·  7 optional
  • --filter
    TEXT
    JSON filter body
  • --page-number
    INTEGER
  • --page-size
    INTEGER
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
csam org count
qualys-cli csam org count

Count organizations and subsidiaries matching a filter.

Qualys API doc ↗
qualys-cli csam org count
Options  ·  4 optional
  • --filter
    TEXT
    JSON filter body
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
PM

Patch Management

Deployment jobs, mitigations, patches, reports, managed assets

JWT Bearer · JSON19 commands

job8

pm job list
qualys-cli pm job list

List deployment jobs.

Qualys API doc ↗
qualys-cli pm job list
Options  ·  5 optional
  • --limit -n
    INTEGER
    Default 25
  • --all
    FLAG
    Fetch all pages
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    table|json|yaml
    Default table
  • --verbose -v
    FLAG (repeatable)
pm job get
qualys-cli pm job get

Get a deployment job by ID.

Qualys API doc ↗
qualys-cli pm job get <job-id>
Options  ·  1 required · 2 optional
  • JOB_ID
    TEXT required positional
    Deployment job ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm job create
qualys-cli pm job create

Create a deployment job.

Qualys API doc ↗
qualys-cli pm job create --name VALUE --schedule-type On-demand
Options  ·  2 required · 5 optional
  • --name
    TEXT required
    Job name
  • --schedule-type
    TEXT required
    On-demand|Once|Daily|Weekly|Monthly
    Allowed On-demand Once Daily Weekly Monthly
  • --platform
    TEXT
    Windows|Linux
    Allowed Windows Linux
    Default Windows
  • --start
    TEXT
    Start datetime YYYY-MM-DD HH:MM:SS
  • --tag-ids
    TEXT
    Comma-separated tag UUIDs
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm job update
qualys-cli pm job update

Update a deployment job.

Qualys API doc ↗
qualys-cli pm job update <job-id>
Options  ·  1 required · 4 optional
  • JOB_ID
    TEXT required positional
    Deployment job ID
  • --name
    TEXT
  • --schedule-type
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm job delete
qualys-cli pm job delete

Delete a deployment job.

Qualys API doc ↗
qualys-cli pm job delete <job-id>
Options  ·  1 required · 2 optional
  • JOB_ID
    TEXT required positional
    Deployment job ID
  • --yes -y
    FLAG
    Skip confirmation
  • --verbose -v
    FLAG (repeatable)
pm job change-status
qualys-cli pm job change-status

Enable or disable one or more deployment jobs.

Qualys API doc ↗
qualys-cli pm job change-status <job-ids> <action>
Options  ·  2 required · 2 optional
  • JOB_IDS
    TEXT required positional
    Comma-separated deployment job IDs
  • ACTION
    TEXT required positional
    Enabled|Disabled
    Allowed Enabled Disabled
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm job runs
qualys-cli pm job runs

List runs for a deployment job.

Qualys API doc ↗
qualys-cli pm job runs <job-id>
Options  ·  1 required · 3 optional
  • JOB_ID
    TEXT required positional
    Deployment job ID
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm job summary
qualys-cli pm job summary

Get result summary for a deployment job.

Qualys API doc ↗
qualys-cli pm job summary <job-id>
Options  ·  1 required · 2 optional
  • JOB_ID
    TEXT required positional
    Deployment job ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)

mitigation3

pm mitigation list
qualys-cli pm mitigation list

List mitigation deployment jobs.

Qualys API doc ↗
qualys-cli pm mitigation list
Options  ·  4 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
pm mitigation create
qualys-cli pm mitigation create

Create a mitigation job.

Qualys API doc ↗
qualys-cli pm mitigation create --name VALUE --schedule-type VALUE
Options  ·  2 required · 2 optional
  • --name
    TEXT required
  • --schedule-type
    TEXT required
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm mitigation delete
qualys-cli pm mitigation delete

Delete mitigation jobs.

Qualys API doc ↗
qualys-cli pm mitigation delete <job-id>
Options  ·  1 required · 2 optional
  • JOB_ID
    TEXT required positional
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)

patch3

pm patch list
qualys-cli pm patch list

List patches from the patch catalog.

Qualys API doc ↗
qualys-cli pm patch list
Options  ·  7 optional
  • --platform
    TEXT
    Windows|Linux
    Allowed Windows Linux
  • --severity
    TEXT
    Critical|Important|Moderate|Low
    Allowed Critical Important Moderate Low
  • --limit -n
    INTEGER
    Default 25
  • --all
    FLAG
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm patch count
qualys-cli pm patch count

Get patch count.

Qualys API doc ↗
qualys-cli pm patch count
Options  ·  4 optional
  • --platform
    TEXT
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
pm patch products
qualys-cli pm patch products

List products affected by a specific patch.

Qualys API doc ↗
qualys-cli pm patch products <patch-id>
Options  ·  1 required · 4 optional
  • PATCH_ID
    TEXT required positional
    Patch ID to list products for
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

report4

pm report list
qualys-cli pm report list

List generated PM reports.

Qualys API doc ↗
qualys-cli pm report list
Options  ·  4 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
pm report generate
qualys-cli pm report generate

Generate a deployment job progress report.

Qualys API doc ↗
qualys-cli pm report generate <job-id>
Options  ·  1 required · 4 optional
  • JOB_ID
    TEXT required positional
    Deployment job ID
  • --report-format
    TEXT
    CSV|PDF
    Allowed CSV PDF
    Default CSV
  • --name
    TEXT
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
pm report download
qualys-cli pm report download

Download a generated report to a local file.

Qualys API doc ↗
qualys-cli pm report download <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --output-file -o
    TEXT
    Save path
    Default report.csv
  • --verbose -v
    FLAG (repeatable)
pm report columns
qualys-cli pm report columns

Fetch available report columns.

Qualys API doc ↗
qualys-cli pm report columns --platform Windows --report-section Asset
Options  ·  2 required · 2 optional
  • --platform
    TEXT required
    Windows|Linux
    Allowed Windows Linux
  • --report-section
    TEXT required
    Asset|Patch|JobProgress
    Allowed Asset Patch JobProgress
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)

asset1

pm asset list
qualys-cli pm asset list

List PM-managed assets.

Qualys API doc ↗
qualys-cli pm asset list
Options  ·  4 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
ETM

Enterprise TruRisk Management

Finding reports — list, create, get, download, delete

JWT Bearer · JSON7 commands
On this pagereport7

report7

etm report list
qualys-cli etm report list

List active ETM reports.

Qualys API doc ↗
qualys-cli etm report list
Options  ·  6 optional
  • --offset
    INTEGER
    Pagination offset (0-based)
  • --page-size
    INTEGER
    Items per page on the API
    Default 50
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
etm report create
qualys-cli etm report create

Submit a finding report request.

Qualys API doc ↗
qualys-cli etm report create --report-format JSON
Options  ·  1 required · 6 optional
  • --report-format
    TEXT required
    JSON|PARQUET
    Allowed JSON PARQUET
  • --name
    TEXT
  • --description
    TEXT
  • --asset-qql
    TEXT
    Asset QQL filter
  • --findings-qql
    TEXT
    Findings QQL filter
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
etm report get
qualys-cli etm report get

Get details of a specific ETM report.

Qualys API doc ↗
qualys-cli etm report get <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
etm report download
qualys-cli etm report download

Download all resources for an ETM report as a ZIP.

Qualys API doc ↗
qualys-cli etm report download <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --output-file -o
    TEXT
    Default etm-report.zip
  • --verbose -v
    FLAG (repeatable)
etm report download-resource
qualys-cli etm report download-resource

Download a specific resource file from an ETM report.

Qualys API doc ↗
qualys-cli etm report download-resource <report-id> <resource-name>
Options  ·  2 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • RESOURCE_NAME
    TEXT required positional
    Resource name (e.g. part_15097524224131306.json)
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
etm report delete
qualys-cli etm report delete

Delete an ETM report.

Qualys API doc ↗
qualys-cli etm report delete <report-id>
Options  ·  1 required · 2 optional
  • REPORT_ID
    TEXT required positional
    Report ID
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
etm report bulk-delete
qualys-cli etm report bulk-delete

Bulk delete ETM reports.

Qualys API doc ↗
qualys-cli etm report bulk-delete <report-ids>
Options  ·  1 required · 2 optional
  • REPORT_IDS
    TEXT required positional
    Comma-separated report IDs
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
AST

Asset Management

IPs, networks, domains, asset groups

Basic auth · XML8 commands

ip2

asset ip list
qualys-cli asset ip list

List IPs in the subscription.

Qualys API doc ↗
qualys-cli asset ip list
Options  ·  6 optional
  • --ips
    TEXT
    Filter by IP/range
  • --network-id
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
asset ip add
qualys-cli asset ip add

Add IPs to the subscription.

Qualys API doc ↗
qualys-cli asset ip add <ips>
Options  ·  1 required · 2 optional
  • IPS
    TEXT required positional
    IP(s) or range(s) to add
  • --tracking
    TEXT
    IP|DNS|NETBIOS
    Allowed IP DNS NETBIOS
    Default IP
  • --verbose -v
    FLAG (repeatable)

network2

asset network list
qualys-cli asset network list

List networks.

Qualys API doc ↗
qualys-cli asset network list
Options  ·  4 optional
  • --ids
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
asset network create
qualys-cli asset network create

Create a network.

Qualys API doc ↗
qualys-cli asset network create --name VALUE
Options  ·  1 required · 2 optional
  • --name
    TEXT required
  • --description
    TEXT
  • --verbose -v
    FLAG (repeatable)

domain2

asset domain list
qualys-cli asset domain list

List asset domains.

Qualys API doc ↗
qualys-cli asset domain list
Options  ·  3 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
asset domain create
qualys-cli asset domain create

Create an asset domain.

Qualys API doc ↗
qualys-cli asset domain create --name VALUE
Options  ·  1 required · 1 optional
  • --name
    TEXT required
  • --verbose -v
    FLAG (repeatable)

group2

asset group list
qualys-cli asset group list

List asset groups.

Qualys API doc ↗
qualys-cli asset group list
Options  ·  6 optional
  • --ids
    TEXT
  • --title
    TEXT
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
asset group delete
qualys-cli asset group delete

Delete asset group(s).

Qualys API doc ↗
qualys-cli asset group delete <ids>
Options  ·  1 required · 2 optional
  • IDS
    TEXT required positional
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
SAU

Scan Auth Records

Authentication records and vaults — generic, Neo4j, Nginx

Basic auth · XML7 commands

record1

scanauth record list
qualys-cli scanauth record list

List authentication records.

Qualys API doc ↗
qualys-cli scanauth record list
Options  ·  9 optional
  • --type
    TEXT
    Auth record type — selects the per-type endpoint. One of: unix, windows, oracle, oracle_listener, ms_sql, mysql, db2, snmp, http, postgresql, vmware, ibm_was, tomcat, jboss, mongodb, cisco, checkpoint_firewall, palo_alto_firewall, ad_workspace, azure, aws, gcp, kubernetes, docker, nginx, neo4j, sybase, mariadb, informix, as400
  • --ids
    TEXT
    Filter by record IDs (comma-separated)
  • --title
    TEXT
    Filter by title substring
  • --id-min
    INTEGER
  • --id-max
    INTEGER
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)

vault2

scanauth vault list
qualys-cli scanauth vault list

List authentication vaults.

Qualys API doc ↗
qualys-cli scanauth vault list
Options  ·  9 optional
  • --title
    TEXT
  • --type
    TEXT
    Vault type (e.g. CyberArk AIM)
  • --modified
    TEXT
    Modified on/after YYYY-MM-DD
  • --orderby
    TEXT
    id|title|system_name|last_modified
  • --sortorder
    TEXT
    asc|desc
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
scanauth vault create
qualys-cli scanauth vault create

Create an authentication vault.

Qualys API doc ↗
qualys-cli scanauth vault create --title VALUE --type VALUE
Options  ·  2 required · + 1 required (one-of) · 11 optional
One-of required: --field — pass at least one
  • --title
    TEXT required
  • --type
    TEXT required
    Vault type (e.g. CyberArk AIM)
  • --comments
    TEXT
  • --appid
    TEXT
    CyberArk AIM: application ID (required for that type)
  • --safe
    TEXT
    CyberArk AIM / PIM: safe name (required for those types)
  • --url
    TEXT
    Vault server URL (required for most types)
  • --username
    TEXT
    Vault auth username
  • --password
    TEXT
    Vault auth password
  • --token
    TEXT
    API token (Thycotic, HashiCorp, etc.)
    Allowed Thycotic HashiCorp
  • --namespace
    TEXT
    HashiCorp namespace
  • --role
    TEXT
    HashiCorp role
  • --secret-id
    TEXT
    HashiCorp / Thycotic secret ID
  • --field
    TEXT (repeatable) required (one-of)
    Arbitrary type-specific field as key=value (repeatable). Use for any param not exposed as a dedicated flag.
  • --verbose -v
    FLAG (repeatable)

neo4j2

scanauth neo4j list
qualys-cli scanauth neo4j list

List Neo4j authentication records.

Qualys API doc ↗
qualys-cli scanauth neo4j list
Options  ·  3 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
scanauth neo4j create
qualys-cli scanauth neo4j create

Create a Neo4j authentication record.

Qualys API doc ↗
qualys-cli scanauth neo4j create --title VALUE --username VALUE --password VALUE --ips VALUE --port VALUE
Options  ·  5 required · 2 optional
  • --title
    TEXT required
  • --username
    TEXT required
  • --password
    TEXT required
  • --ips
    TEXT required
  • --port
    INTEGER required
  • --database
    TEXT
  • --verbose -v
    FLAG (repeatable)

nginx2

scanauth nginx list
qualys-cli scanauth nginx list

List Nginx authentication records.

Qualys API doc ↗
qualys-cli scanauth nginx list
Options  ·  3 optional
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
scanauth nginx create
qualys-cli scanauth nginx create

Create an Nginx authentication record.

Qualys API doc ↗
qualys-cli scanauth nginx create --title VALUE --ips VALUE
Options  ·  2 required · 4 optional
  • --title
    TEXT required
  • --ips
    TEXT required
  • --unix-base-path
    TEXT
  • --unix-conf-path
    TEXT
  • --unix-prefix-path
    TEXT
  • --verbose -v
    FLAG (repeatable)
USR

User Management

List, create, and reset users in your subscription

Basic auth · XML3 commands
On this pagegeneral3

general3

user list
qualys-cli user list

List users in the subscription.

Qualys API doc ↗
qualys-cli user list
Options  ·  6 optional
  • --external-id-contains
    TEXT
  • --external-id-assigned
    INTEGER
    1=assigned, 0=unassigned
  • --limit -n
    INTEGER
    Default 25
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
user create
qualys-cli user create

Create a new user account.

Qualys API doc ↗
qualys-cli user create --role VALUE --business-unit VALUE --first-name VALUE --last-name VALUE --title VALUE --phone VALUE --email VALUE --address VALUE --city VALUE --country VALUE
Options  ·  10 required · 6 optional
  • --role
    TEXT required
    manager|unit_manager|scanner|reader|contact|administrator
  • --business-unit
    TEXT required
    'Unassigned' or existing BU title
  • --first-name
    TEXT required
  • --last-name
    TEXT required
  • --title
    TEXT required
    Job title
  • --phone
    TEXT required
  • --email
    TEXT required
  • --address
    TEXT required
  • --city
    TEXT required
  • --country
    TEXT required
    Country code
  • --state
    TEXT
  • --zip
    TEXT
  • --asset-groups
    TEXT
    Comma-separated asset groups
  • --send-email
    INTEGER
    1=send registration email, 0=return credentials
    Default 1
  • --external-id
    TEXT
  • --verbose -v
    FLAG (repeatable)
user change-password
qualys-cli user change-password

Reset passwords for users (auto-generated passwords).

Qualys API doc ↗
qualys-cli user change-password <user-logins>
Options  ·  1 required · 3 optional
  • USER_LOGINS
    TEXT required positional
    Comma-separated login IDs or 'all'
  • --send-email
    INTEGER
    1=send email, 0=return passwords in output
    Default 1
  • --yes -y
    FLAG
  • --verbose -v
    FLAG (repeatable)
SUB

Subscription Management

Subscription info, configuration export/import, user preferences

Basic auth · XML5 commands

general3

sub info
qualys-cli sub info

Show subscription details: product entitlements, user counts, scanner info.

Qualys API doc ↗
qualys-cli sub info
Options  ·  3 optional
  • --format -f
    TEXT
    Default table
  • --output-file -o
    TEXT
  • --verbose -v
    FLAG (repeatable)
sub export
qualys-cli sub export

Export full subscription configuration.

Qualys API doc ↗
qualys-cli sub export
Options  ·  3 optional
  • --output-file -o
    TEXT
  • --format -f
    TEXT
    Default table
  • --verbose -v
    FLAG (repeatable)
sub import
qualys-cli sub import

Import subscription configuration from a previously exported XML file.

Qualys API doc ↗
qualys-cli sub import <input-file>
Options  ·  1 required · 2 optional
  • INPUT_FILE
    TEXT required positional
    XML file produced by 'sub export'
  • --yes -y
    FLAG
    Skip confirmation
  • --verbose -v
    FLAG (repeatable)

user-prefs2

sub user-prefs export
qualys-cli sub user-prefs export

Export user preferences to an XML file.

Qualys API doc ↗
qualys-cli sub user-prefs export --user-id VALUE
Options  ·  1 required · 2 optional
  • --user-id
    TEXT required
    Numeric Qualys user ID (required by the API)
  • --output-file -o
    TEXT
    Default user-prefs-export.xml
  • --verbose -v
    FLAG (repeatable)
sub user-prefs import
qualys-cli sub user-prefs import

Import user preferences from a previously exported XML file.

Qualys API doc ↗
qualys-cli sub user-prefs import <input-file>
Options  ·  1 required · 2 optional
  • INPUT_FILE
    TEXT required positional
    XML file produced by 'user-prefs export'
  • --yes -y
    FLAG
    Skip confirmation
  • --verbose -v
    FLAG (repeatable)
DR

Doctor

Preflight: creds, JWT, gateway reachability, audit log writability

Local + HEAD1 commands
On this pagegeneral1

general1

doctor
qualys-cli doctor

Verify creds, JWT exchange, gateway reachability, and audit log writability.

qualys-cli doctor
Options  ·  2 optional
  • --profile -p
    TEXT
    Default default
  • --json
    FLAG
    Emit a single JSON object instead of a panel
HC

Health probe

Machine-readable liveness check (exit 0 iff API reachable)

Local + HEAD1 commands
On this pagegeneral1

general1

health
qualys-cli health

Exit 0 iff creds load and the gateway is reachable. JSON on stdout.

qualys-cli health
Options  ·  1 optional
  • --profile -p
    TEXT
    Default default
ST

Audit-log analytics

Local call counts, latency p50/p90/p99, retry rate, error breakdown

Local1 commands
On this pagegeneral1

general1

stats
qualys-cli stats

Compute call counts, latency percentiles, retry rate, and error breakdown.

qualys-cli stats
Options  ·  1 optional
  • --json
    FLAG
    Emit raw JSON only
RJ

Rotate JWT

Force a fresh credential exchange against /auth

JWT exchange1 commands
On this pagegeneral1

general1

rotate-jwt
qualys-cli rotate-jwt

Drop the cached JWT and exchange a new one against ``/auth``.

qualys-cli rotate-jwt
Options  ·  1 optional
  • --profile -p
    TEXT
    Default default
VA

Verify audit chain

Validate the HMAC chain of the local audit log

Local1 commands
On this pagegeneral1

general1

verify-audit
qualys-cli verify-audit

Verify that the local audit log hasn't been tampered with.

qualys-cli verify-audit
Options  ·  1 optional
  • PATH
    TEXT positional
    Path to audit.log (default: standard location)
LA

Show last response

Re-render the most recent successful response for the active profile

Local1 commands
On this pagegeneral1

general1

last
qualys-cli last

Re-render the most recent successful response captured for *profile*.

qualys-cli last
Options  ·  2 optional
  • --profile -p
    TEXT
    Default default
  • --format -f
    TEXT
    Default table
RP

Replay by correlation

Re-render a prior response by correlation ID

Local1 commands
On this pagegeneral1

general1

replay
qualys-cli replay

Re-render a specific previous response.

qualys-cli replay <correlation-id>
Options  ·  1 required · 2 optional
  • CORRELATION_ID
    TEXT required positional
    Correlation ID from a previous run
  • --profile -p
    TEXT
    Default default
  • --format -f
    TEXT
    Default table
WT

Watch a command

Re-run a list command on an interval (poll + diff)

Subprocess loop1 commands
On this pagegeneral1

general1

watch
qualys-cli watch

Re-run *cmd* every *interval* seconds, clearing the screen each time.

qualys-cli watch <cmd>
Options  ·  1 required · 2 optional
  • CMD
    TEXT (repeatable) required positional
    Command to repeat, e.g. vm scan list --state Running
  • --interval -n
    INTEGER
    Seconds between runs
    Default 15
  • --iterations
    INTEGER
    Stop after N runs (0 = forever)
BT

Batch runner

Execute a YAML batch of commands, optionally in parallel

Subprocess fan-out1 commands
On this pagegeneral1

general1

batch
qualys-cli batch

Run a list of commands sequentially or in parallel.

qualys-cli batch <input-file>
Options  ·  1 required · 3 optional
  • INPUT_FILE
    TEXT required positional
    YAML batch file (see examples/)
  • --parallel -j
    INTEGER
    Number of parallel workers
    Default 1
  • --continue-on-error
    FLAG
  • --output-file -o
    TEXT
QY

Saved-query library

List / show / save / run / delete reusable filter recipes

Local5 commands
On this pagegeneral5

general5

query list
qualys-cli query list

List every query under ~/.config/qualys-cli/queries/*.toml.

qualys-cli query list
query show
qualys-cli query show
qualys-cli query show <name>
Options  ·  1 required
  • NAME
    TEXT required positional
query save
qualys-cli query save

Save the given command tokens as a reusable query.

qualys-cli query save <name> <command>
Options  ·  2 required · 2 optional
  • NAME
    TEXT required positional
    Query name (file-system safe)
  • COMMAND
    TEXT (repeatable) required positional
    Command tokens, e.g. vm host list --ips 10.0.0.0/24
  • --description -d
    TEXT
  • --overwrite
    FLAG
query delete
qualys-cli query delete
qualys-cli query delete <name>
Options  ·  1 required
  • NAME
    TEXT required positional
query run
qualys-cli query run

Resolve a saved query and dispatch it.

qualys-cli query run <name>
Options  ·  1 required · 1 optional
  • NAME
    TEXT required positional
  • EXTRA_ARGS
    TEXT (repeatable) positional
    Additional argv appended after the saved args
CO

Shell completion

Print bash / zsh / fish / powershell completion scripts

Local1 commands
On this pagegeneral1

general1

completion
qualys-cli completion

Print the completion script for *shell* to stdout — eval / source it.

qualys-cli completion
Options  ·  1 optional
  • SHELL
    TEXT positional
    bash | zsh | fish | powershell
    Default bash
CA

Response cache

Manage the local ETag-aware SQLite cache

Local1 commands
On this pagegeneral1

general1

cache clear
qualys-cli cache clear

Drop every entry from the on-disk response cache.

qualys-cli cache clear
MCP

MCP server

Expose every command as an MCP tool over stdio (Claude / Cursor)

JSON-RPC stdio1 commands
On this pagegeneral1

general1

mcp
qualys-cli mcp

Boot a Model Context Protocol server.

qualys-cli mcp
Options  ·  1 optional
  • --profile -p
    TEXT
    Default default
SV

HTTP server

Run a localhost JSON-in / JSON-out HTTP front-end

Local HTTP1 commands
On this pagegeneral1

general1

serve
qualys-cli serve

Boot a tiny HTTP server: ``POST /run`` runs a CLI invocation and returns JSON.

qualys-cli serve
Options  ·  4 optional
  • --host
    TEXT
    Default 127.0.0.1
  • --port
    INTEGER
    Default 8765
  • --profile -p
    TEXT
    Default default
  • --allow-public-network
    FLAG
    Required when --host is not a loopback address. There is NO auth on the wire; the server will execute arbitrary qualys-cli commands for anyone who can reach it. Use only behind a firewall + reverse proxy that adds AuthN/Z.