
Use the qai audit subcommand to scan MCP servers, enumerate capabilities, and generate security reports.
qai audit --help

qai audit scan

Scan an MCP server for security vulnerabilities across all 10 OWASP MCP Top 10 categories.
qai audit scan [TARGET] [OPTIONS]
TARGET can be a URL (for SSE or Streamable HTTP servers) or a command string (for stdio servers). When TARGET is provided, the transport is inferred automatically and the inferred value is printed to the terminal. Use --transport to override the inference.

Options

Flag            Type        Required  Description
TARGET          positional  No        Server URL or command. Prompted interactively if omitted.
--transport     enum        No        Transport type: stdio, sse, or streamable-http. Inferred from TARGET when omitted.
--command       string      No        Server command for stdio (alternative to positional TARGET)
--url           string      No        Server URL for SSE/HTTP (alternative to positional TARGET)
--checks        string      No        Comma-separated scanner names (e.g., injection,auth,token_exposure). Omit to run all 10.
--format        enum        No        Output format: json, sarif, html, ndjson, csv (default: json)
--output        string      No        Output file path (default: results/scan.{format_ext})
--verbose / -v  flag        No        Enable debug logging

Transport Inference

When --transport is omitted, qai infers the transport from TARGET:
  • URL ending in /sse → SSE (high confidence, proceeds automatically)
  • URL without clear signal → prompts for transport choice in interactive terminals, fails with error in scripts
  • Command string (no ://) → stdio (high confidence, proceeds automatically)
The inferred transport is always printed, for example: "Inferred transport: sse (override with --transport)".
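Because a URL without a clear signal makes qai fail in a non-interactive run, a CI wrapper should resolve the transport itself and pass --transport explicitly. The POSIX sh functions below are an added example, not part of the qai project: they mirror the three documented inference rules and fall back to a chosen HTTP transport for ambiguous URLs (the QAI_DEFAULT_HTTP_TRANSPORT variable is an assumption introduced here, not a qai setting).

```shell
#!/bin/sh
# Added example (not qai's own code). Reproduces the documented transport
# inference so scripted scans never hit the interactive prompt.

# Print the transport qai would infer for TARGET: sse, stdio, or "ambiguous".
infer_transport() {
  target=$1
  case "$target" in
    *://*/sse) echo sse ;;        # URL ending in /sse -> SSE (high confidence)
    *://*)     echo ambiguous ;;  # URL with no clear signal -> qai prompts, fails in scripts
    *)         echo stdio ;;      # command string (no ://) -> stdio (high confidence)
  esac
}

# Build a deterministic `qai audit scan` command line for TARGET.
# Ambiguous URLs use $QAI_DEFAULT_HTTP_TRANSPORT (assumed variable,
# default streamable-http) instead of failing in CI.
build_scan_cmd() {
  target=$1
  format=${2:-sarif}
  transport=$(infer_transport "$target")
  if [ "$transport" = ambiguous ]; then
    transport=${QAI_DEFAULT_HTTP_TRANSPORT:-streamable-http}
  fi
  # Single-quote the target so stdio command strings with spaces stay one argument.
  printf "qai audit scan '%s' --transport %s --format %s --output results/scan.%s\n" \
    "$target" "$transport" "$format" "$format"
}
```

Run the returned string with `eval "$(build_scan_cmd "$TARGET")"` in the pipeline step; the explicit --transport keeps the run reproducible regardless of whether a terminal is attached.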

Examples

Scan an SSE server (transport inferred from URL):
qai audit scan http://localhost:3000/sse
Scan a stdio server:
qai audit scan "npx @modelcontextprotocol/server-memory"
Explicit transport override:
qai audit scan http://localhost:3000/mcp --transport streamable-http
Output as SARIF:
qai audit scan http://localhost:3000/sse --format sarif --output audit-report.sarif
Run specific scanners only:
qai audit scan "python my_server.py" --checks injection,auth,token_exposure
Backward-compatible flag syntax (still works):
qai audit scan --transport stdio --command "python my_server.py"
Audit results are automatically saved to the database. Use the database ID returned in the output to retrieve or compare scan results over time.
Use --format sarif to generate reports compatible with GitHub Code Scanning integration.

qai audit enumerate

Enumerate MCP server capabilities without running security checks. Useful for discovery and asset inventory.
qai audit enumerate [TARGET] [OPTIONS]
TARGET works the same as audit scan — URL or command string with automatic transport inference.

Options

Flag          Type        Required  Description
TARGET        positional  No        Server URL or command. Prompted interactively if omitted.
--transport   enum        No        Transport type override: stdio, sse, or streamable-http
--command     string      No        Server command for stdio (alternative to positional TARGET)
--url         string      No        Server URL for SSE/HTTP (alternative to positional TARGET)

Examples

qai audit enumerate http://localhost:3000/sse
qai audit enumerate "npx @modelcontextprotocol/server-memory"
Output includes server name, protocol version, and lists of all tools, resources, and prompts.

qai audit list-checks

List all available scanner modules with their OWASP MCP Top 10 mappings.
qai audit list-checks [OPTIONS]

Options

Flag          Type    Description
--framework   string  Show framework IDs for a specific framework: owasp_mcp_top10, owasp_agentic_top10, mitre_atlas, cwe, or all

Example

qai audit list-checks --framework owasp_mcp_top10
Output is a table with scanner module name, category, description, status (Ready/Planned), and framework mappings if --framework is specified.

qai audit report

Generate a report from previously saved scan results in JSON format.
qai audit report --input <path> [OPTIONS]

Options

Flag        Type    Required  Description
--input     string  Yes       Path to saved scan results JSON file (from qai audit scan)
--format    enum    No        Output format: json, sarif, html, ndjson, csv (default: sarif)
--output    string  No        Output file path (default: input path with new extension)

Example

qai audit report \
  --input results/scan.json \
  --format sarif \
  --output security-findings.sarif
Use qai audit report to regenerate findings in different formats without re-scanning the server. The --input file must be the JSON export from qai audit scan (not SARIF, HTML, or CSV). If you only have a non-JSON export, re-export the scan from the database first.