> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit CLI Reference

> Command reference for qai audit

Use the `qai audit` subcommand to scan MCP servers, enumerate capabilities, and generate security reports.

```bash theme={null}
qai audit --help
```

## qai audit scan

Scan an MCP server for security vulnerabilities across all 10 OWASP MCP Top 10 categories.

```bash theme={null}
qai audit scan [TARGET] [OPTIONS]
```

TARGET can be a URL (for SSE or Streamable HTTP servers) or a command string (for stdio servers). When provided, transport is inferred automatically and printed to the terminal. Use `--transport` to override the inference.

### Options

| Flag               | Type       | Required | Description                                                                                |
| ------------------ | ---------- | -------- | ------------------------------------------------------------------------------------------ |
| `TARGET`           | positional | No       | Server URL or command. Prompted interactively if omitted.                                  |
| `--transport`      | enum       | No       | Transport type: `stdio`, `sse`, or `streamable-http`. Inferred from TARGET when omitted.   |
| `--command`        | string     | No       | Server command for stdio (alternative to positional TARGET)                                |
| `--url`            | string     | No       | Server URL for SSE/HTTP (alternative to positional TARGET)                                 |
| `--checks`         | string     | No       | Comma-separated scanner names (e.g., `injection,auth,token_exposure`). Omit to run all 10. |
| `--format`         | enum       | No       | Output format: `json`, `sarif`, `html`, `ndjson`, `csv` (default: `json`)                  |
| `--output`         | string     | No       | Output file path (default: `results/scan.{format_ext}`)                                    |
| `--verbose` / `-v` | flag       | No       | Enable debug logging                                                                       |

### Transport Inference

When `--transport` is omitted, qai infers the transport from TARGET:

* **URL ending in `/sse`** → SSE (high confidence, proceeds automatically)
* **URL without clear signal** → prompts for transport choice in interactive terminals, fails with error in scripts
* **Command string** (no `://`) → stdio (high confidence, proceeds automatically)

The inferred transport is always printed: `Inferred transport: sse (override with --transport)`.

### Examples

Scan an SSE server (transport inferred from URL):

```bash theme={null}
qai audit scan http://localhost:3000/sse
```

Scan a stdio server:

```bash theme={null}
qai audit scan "npx @modelcontextprotocol/server-memory"
```

Explicit transport override:

```bash theme={null}
qai audit scan http://localhost:3000/mcp --transport streamable-http
```

Output as SARIF:

```bash theme={null}
qai audit scan http://localhost:3000/sse --format sarif --output audit-report.sarif
```

Run specific scanners only:

```bash theme={null}
qai audit scan "python my_server.py" --checks injection,auth,token_exposure
```

Backward-compatible flag syntax (still works):

```bash theme={null}
qai audit scan --transport stdio --command "python my_server.py"
```

<Note>
  Audit results are automatically saved to the database. Use the database ID returned in the output to retrieve or compare scan results over time.
</Note>

<Tip>
  Use `--format sarif` to generate reports compatible with GitHub Code Scanning integration.
</Tip>

## qai audit enumerate

Enumerate MCP server capabilities without running security checks. Useful for discovery and asset inventory.

```bash theme={null}
qai audit enumerate [TARGET] [OPTIONS]
```

TARGET works the same as `audit scan` — URL or command string with automatic transport inference.

### Options

| Flag          | Type       | Required | Description                                                   |
| ------------- | ---------- | -------- | ------------------------------------------------------------- |
| `TARGET`      | positional | No       | Server URL or command. Prompted interactively if omitted.     |
| `--transport` | enum       | No       | Transport type override: `stdio`, `sse`, or `streamable-http` |
| `--command`   | string     | No       | Server command for stdio (alternative to positional TARGET)   |
| `--url`       | string     | No       | Server URL for SSE/HTTP (alternative to positional TARGET)    |

### Examples

```bash theme={null}
qai audit enumerate http://localhost:3000/sse
qai audit enumerate "npx @modelcontextprotocol/server-memory"
```

Output includes server name, protocol version, and lists of all tools, resources, and prompts.

## qai audit list-checks

List all available scanner modules with their OWASP MCP Top 10 mappings.

```bash theme={null}
qai audit list-checks [OPTIONS]
```

### Options

| Flag          | Type   | Description                                                                                                           |
| ------------- | ------ | --------------------------------------------------------------------------------------------------------------------- |
| `--framework` | string | Show framework IDs for a specific framework: `owasp_mcp_top10`, `owasp_agentic_top10`, `mitre_atlas`, `cwe`, or `all` |

### Example

```bash theme={null}
qai audit list-checks --framework owasp_mcp_top10
```

Output is a table with scanner module name, category, description, status (Ready/Planned), and framework mappings if `--framework` is specified.

## qai audit report

Generate a report from previously saved scan results in JSON format.

```bash theme={null}
qai audit report --input <path> [OPTIONS]
```

### Options

| Flag       | Type   | Required | Description                                                                |
| ---------- | ------ | -------- | -------------------------------------------------------------------------- |
| `--input`  | string | Yes      | Path to saved scan results JSON file (from `qai audit scan`)               |
| `--format` | enum   | No       | Output format: `json`, `sarif`, `html`, `ndjson`, `csv` (default: `sarif`) |
| `--output` | string | No       | Output file path (default: input path with new extension)                  |

### Example

```bash theme={null}
qai audit report \
  --input results/scan.json \
  --format sarif \
  --output security-findings.sarif
```

<Tip>
  Use `qai audit report` to regenerate findings in different formats without re-scanning the server. The `--input` file must be the JSON export from `qai audit scan` (not SARIF, HTML, or CSV). If you only have a non-JSON export, re-export the scan from the database first.
</Tip>
