Metadata-Version: 2.4
Name: qualys-cli
Version: 0.1.3
Summary: Unified command-line interface for the Qualys Cloud Platform REST APIs (VM, PC, PM, ETM, WAS, TotalCloud, Cloud Agent, Container Security, CSAM, Subscription, Asset, and User management).
Project-URL: Homepage, https://www.qualys.com
Author: qualys-cli contributors
License: MIT License
        
        Copyright (c) 2026 qualys-cli contributors
        
        Permission is hereby granted, free of charge, to any person obtaining a copy
        of this software and associated documentation files (the "Software"), to deal
        in the Software without restriction, including without limitation the rights
        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
        copies of the Software, and to permit persons to whom the Software is
        furnished to do so, subject to the following conditions:
        
        The above copyright notice and this permission notice shall be included in all
        copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
        SOFTWARE.
License-File: LICENSE
Keywords: cli,cspm,patch-management,qualys,security,vm,vulnerability-management
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: MacOS
Classifier: Operating System :: Microsoft :: Windows
Classifier: Operating System :: POSIX
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Utilities
Requires-Python: >=3.11
Requires-Dist: brotli>=1.1
Requires-Dist: click>=8.1
Requires-Dist: httpx>=0.27
Requires-Dist: keyring>=24
Requires-Dist: pyyaml>=6
Requires-Dist: rich>=13
Requires-Dist: typer<0.26,>=0.12
Requires-Dist: xmltodict>=0.13
Requires-Dist: zstandard>=0.22
Provides-Extra: codegen
Requires-Dist: anthropic>=0.30; extra == 'codegen'
Requires-Dist: defusedxml>=0.7; extra == 'codegen'
Requires-Dist: pydantic>=2; extra == 'codegen'
Requires-Dist: pypdf>=4; extra == 'codegen'
Requires-Dist: selectolax>=0.3; extra == 'codegen'
Requires-Dist: trafilatura>=1.9; extra == 'codegen'
Description-Content-Type: text/markdown

# qualys-cli

[![PyPI](https://img.shields.io/pypi/v/qualys-cli.svg)](https://pypi.org/project/qualys-cli/)
[![Python](https://img.shields.io/pypi/pyversions/qualys-cli.svg)](https://pypi.org/project/qualys-cli/)
[![License](https://img.shields.io/pypi/l/qualys-cli.svg)](https://pypi.org/project/qualys-cli/)

A unified command-line interface for the Qualys Cloud Platform REST APIs —
covering VM, PC, Patch Management, ETM, WAS, TotalCloud (TC), Cloud Agent (CA),
Container Security (CS), CSAM, Subscription, Asset, and User management. Rich
table output, JSON / YAML / JSONL export, automatic retry with backoff, JWT
auto-refresh, OS-keyring credential storage, and a clean machine-readable mode
for scripting and AI agents.

```text
  ╭─────────────────────────────────────────────────╮
  │  qualys-cli   ·   273 endpoints, one CLI        │
  │  vm · pc · pm · etm · was · tc · ca · cs        │
  │  csam · sub · asset · user · scanauth           │
  ╰─────────────────────────────────────────────────╯
```

## Installation

```bash
# Recommended — isolated install
pipx install qualys-cli

# Or into the current environment
pip install qualys-cli
```

Python 3.11 or newer. Works on macOS, Linux, and Windows.

## Quick start

```bash
# 1. Configure credentials (interactive — password stored in OS keyring)
qualys-cli configure

# 2. Run any command
qualys-cli vm host list --limit 10
qualys-cli was webapp list
qualys-cli pm job list --format json
```

### Non-interactive setup

```bash
qualys-cli configure \
  --url https://qualysapi.qualys.com \
  --username "$QUALYS_USERNAME" \
  --password "$QUALYS_PASSWORD" \
  --output-mode agentic
```

Credentials resolve in this priority order:
1. `QUALYS_URL` / `QUALYS_USERNAME` / `QUALYS_PASSWORD` / `QUALYS_TOKEN` env vars
2. OS keyring (per-profile entry)
3. `~/.config/qualys-cli/config.toml`

Multiple profiles via `--profile <name>` or `QUALYS_PROFILE`. List with `qualys-cli profiles`.

## Output modes

The CLI has two top-level modes that govern the *default* output style:

| Mode          | Default output                  | Spinners / colours | Use case                      |
|---------------|---------------------------------|--------------------|-------------------------------|
| `interactive` | Rich table (first 25 rows)      | Yes                | Humans in a terminal          |
| `agentic`     | JSON, no decoration             | No                 | Scripts, pipelines, AI agents |

Switch the persistent default for a profile:

```bash
qualys-cli mode                # show current
qualys-cli mode agentic        # set agentic
qualys-cli mode interactive    # set interactive
```

Or set per-shell with `export QUALYS_OUTPUT_MODE=agentic`.

### Per-command output flags

These work on every command and override the mode default:

| Flag                          | Behaviour                                                     |
|-------------------------------|--------------------------------------------------------------|
| `--format json`               | Full JSON to stdout                                          |
| `--format jsonl`              | One flattened JSON object per line (JSON Lines / NDJSON)     |
| `--format yaml`               | YAML to stdout                                               |
| `--format table`              | Rich table (forced)                                         |
| `--limit 0`                   | Remove the default 25-row cap                               |
| `--output-file results.json`  | Dump full data to file (extension picks JSON or YAML)       |
| `-v`, `-vv`                   | Log requests (and response sizes); secrets never logged     |

## Examples by module

### VM (Vulnerability Management)
```bash
qualys-cli vm host list --ips 10.0.0.0/24
qualys-cli vm host detection --ips 10.0.0.0/24
qualys-cli vm scan launch --title "Weekly" --ip 10.0.1.0/24 --option-id 12345
qualys-cli vm scan fetch SCAN-REF-123 --output-file results.json
```

### Patch Management (PM)
```bash
qualys-cli pm job list --format json
qualys-cli pm job create --name "Critical patches" \
  --patch-ids "12345,67890" --asset-group-ids "AG-1"
qualys-cli pm patch list --severity Critical
```

### Web Application Scanning (WAS)
```bash
qualys-cli was webapp list --name "prod"
qualys-cli was webapp get 12345
qualys-cli was scan launch --webapp-id 12345 --name "Nightly WAS"
qualys-cli was finding list --webapp-id 12345 --severity 5
qualys-cli was report download 99999 --output-file was-report.pdf
```

### TotalCloud (TC) — CSPM
```bash
qualys-cli tc connector list --provider AWS
qualys-cli tc evaluation list --provider AWS --account-id 123456789012
qualys-cli tc rule list --cloud-type AWS --rule-type simple_alert
qualys-cli tc exception list
```

### Cloud Agent (CA), Container Security (CS), CSAM
```bash
qualys-cli ca agent list --status Active
qualys-cli ca actkey create --title "Linux Prod" --modules VM,PC

qualys-cli cs image list --filter "vulns.severity5Count:>0"
qualys-cli cs image get <sha>
qualys-cli cs container list --severity Critical

qualys-cli csam asset list --updated-after 2026-01-01T00:00Z
qualys-cli csam vuln list-easm --filter "vulnerability.cvss=GREATER=7"
```

### Subscription, Asset, User
```bash
qualys-cli sub info
qualys-cli sub export --output-file sub-backup.xml
qualys-cli asset ip add --ips 10.0.0.0/24 --tracking-method IP
qualys-cli user create --username jdoe --first-name Jane --last-name Doe \
  --email jane@example.com --user-role scanner
```

Tip: append `--help` to any command (e.g. `qualys-cli was scan launch --help`)
for the full flag set.

## Bundled documentation

A comprehensive HTML usage reference covering every command ships inside the
package. The `docs` command finds and opens it — no path guessing required, and
it works identically for `pip` and `pipx` installs:

```bash
qualys-cli docs              # open the reference in your default browser
qualys-cli docs --no-open    # just print the file path (and size)
qualys-cli docs --stdout     # write the raw HTML to stdout (pipe it anywhere)
```

## LLM / agent usage

The CLI is built to be safe to drive from a script or an AI agent:

```bash
# JSON output (set agentic mode persistently, or use --format json per call)
qualys-cli mode agentic
qualys-cli vm host list | jq '.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST'

# JSON Lines — one record per line, ideal for streaming
qualys-cli pm job list --format jsonl | jq -r '.id'

# Errors emitted as JSON on stderr when stderr is not a TTY
qualys-cli --profile nonexistent vm host list 2>/tmp/err.json
# {"error": "No username for profile 'nonexistent'...", "type": "configuration_error"}
```

**Behaviour contract for agents:**
- `stdout` contains only data (JSON / JSONL / YAML / table text).
- `stderr` carries status, spinners, and human-readable errors. All decoration
  is suppressed when stderr is not a TTY.
- Exit code `0` = success, `1` = any error.
- When stderr is not a TTY, errors are emitted as
  `{"error": "...", "type": "..."}` JSON.

## Authentication

| Module group                                 | Auth        | Endpoint family                  |
|----------------------------------------------|-------------|----------------------------------|
| VM, PC, Asset, User, ScanAuth, Sub, WAS      | HTTP Basic  | `/api/2.0/fo/`, `/qps/rest/`     |
| TC, PM, ETM, CS, CSAM                        | JWT Bearer  | API gateway (`/csapi/`, `/etm/`) |
| CA agent ops                                 | HTTP Basic  | `/qps/rest/`                     |
| CA activation-key / config                   | JWT Bearer  | `/caui/v1/`                      |

JWT tokens are fetched via `POST /auth`, cached in `config.toml`, and
auto-refreshed on 401.

## License

MIT
