qai audit subcommand to scan MCP servers, enumerate capabilities, and generate security reports.
qai audit scan
Scan an MCP server for security vulnerabilities across all 10 OWASP MCP Top 10 categories.--transport to override the inference.
Options
| Flag | Type | Required | Description |
|---|---|---|---|
TARGET | positional | No | Server URL or command. Prompted interactively if omitted. |
--transport | enum | No | Transport type: stdio, sse, or streamable-http. Inferred from TARGET when omitted. |
--command | string | No | Server command for stdio (alternative to positional TARGET) |
--url | string | No | Server URL for SSE/HTTP (alternative to positional TARGET) |
--checks | string | No | Comma-separated scanner names (e.g., injection,auth,token_exposure). Omit to run all 10. |
--format | enum | No | Output format: json, sarif, html, ndjson, csv (default: json) |
--output | string | No | Output file path (default: results/scan.{format_ext}) |
--verbose / -v | flag | No | Enable debug logging |
Transport Inference
When--transport is omitted, qai infers the transport from TARGET:
- URL ending in
/sse→ SSE (high confidence, proceeds automatically) - URL without clear signal → prompts for transport choice in interactive terminals, fails with error in scripts
- Command string (no
://) → stdio (high confidence, proceeds automatically)
Inferred transport: sse (override with --transport).
Examples
Scan an SSE server (transport inferred from URL):Audit results are automatically saved to the database. Use the database ID returned in the output to retrieve or compare scan results over time.
qai audit enumerate
Enumerate MCP server capabilities without running security checks. Useful for discovery and asset inventory.audit scan — URL or command string with automatic transport inference.
Options
| Flag | Type | Required | Description |
|---|---|---|---|
TARGET | positional | No | Server URL or command. Prompted interactively if omitted. |
--transport | enum | No | Transport type override: stdio, sse, or streamable-http |
--command | string | No | Server command for stdio (alternative to positional TARGET) |
--url | string | No | Server URL for SSE/HTTP (alternative to positional TARGET) |
Examples
qai audit list-checks
List all available scanner modules with their OWASP MCP Top 10 mappings.Options
| Flag | Type | Description |
|---|---|---|
--framework | string | Show framework IDs for a specific framework: owasp_mcp_top10, owasp_agentic_top10, mitre_atlas, cwe, or all |
Example
--framework is specified.
qai audit report
Generate a report from previously saved scan results in JSON format.Options
| Flag | Type | Required | Description |
|---|---|---|---|
--input | string | Yes | Path to saved scan results JSON file (from qai audit scan) |
--format | enum | No | Output format: json, sarif, html, ndjson, csv (default: sarif) |
--output | string | No | Output file path (default: input path with new extension) |