Reference
Complete reference for all qtz-discovery-cli commands, global flags, environment variables,
and the .qtz-discovery.yaml configuration file format.
Global Flags
These flags apply to every command.
| Flag | Env var | Default | Description |
|------|---------|---------|-------------|
| --server | QTZ_SERVER_URL | — | Quantizant portal base URL |
| --org-id | QTZ_SERVER_ORG_ID | — | Organization ID |
| --api-key | QTZ_SERVER_API_KEY | — | Portal API key |
| --upload | QTZ_UPLOAD | false | Upload findings to portal after scan |
| --log-level | QTZ_LOG_LEVEL | info | Log verbosity: debug, info, warn, error |
| --format | QTZ_FORMAT | cbom | Output format (see Output Formats) |
| --output | QTZ_OUTPUT | stdout | Output file path |
| --config | — | .qtz-discovery.yaml | Config file path |
scan source
Source targeting
| Flag | Default | Description |
|------|---------|-------------|
| --branch | main | Git branch to scan |
| --commit | — | Pin to specific commit SHA |
| --depth | 0 | Shallow clone depth (0 = full history) |
| --token | — | Git access token for private repos (env: QTZ_GIT_TOKEN) |
| --exclude | — | Glob patterns to exclude (e.g. vendor/**,*.pb.go) |
| --git-history | false | Scan git commit history for past crypto patterns |
| --since | 90d | Git history time window (e.g. 30d, 2024-01-01) |
Scan control
| Flag | Default | Description |
|------|---------|-------------|
| --sast | true | Enable SAST (static pattern detection) |
| --sca | true | Enable SCA (dependency analysis) |
| --ecosystem | all | SCA ecosystem filter: go, npm, python, maven, cargo, ruby, php, nuget, dart, elixir, swift, scala, clojure, haskell, r, erlang, perl, ocaml, nim, all |
Filtering & severity
| Flag | Default | Description |
|------|---------|-------------|
| --min-severity | info | Filter out findings below this level: critical, high, medium, low, info |
| --ignore | — | Suppress specific pattern IDs (e.g. RSA-001,HASH-001) |
| --ignore-category | — | Suppress entire categories (e.g. Asymmetric,Hash) |
| --fail-on | — | Exit 2 if there are findings at or above this severity: critical, high, medium, low, info |
Baseline comparison
| Flag | Default | Description |
|------|---------|-------------|
| --baseline | — | JSON file of previous findings: only findings not present in the baseline are reported |
| --update-baseline | false | Overwrite the baseline file with the current findings |
Portal upload
| Flag | Env var | Default | Description |
|------|---------|---------|-------------|
| --source-id | QTZ_SOURCE_ID | — | Source UUID. Omit to auto-create a new source; provide to append scan results to an existing source. |
AI analysis (requires portal connection)
| Flag | Default | Description |
|------|---------|-------------|
| --llm | false | Enable AI-driven deep analysis (requires --server) |
| --llm-quality | auto | Analysis depth: auto, fast, deep, chain |
| --llm-max-files | 50 | Max source files sent to AI per scan (0 = unlimited) |
| --llm-batch-size | 10 | File chunks per AI server request |
| --llm-chunk-window | 300 | Lines per chunk for large-file splitting |
| --llm-chunk-overlap | 50 | Overlap lines between adjacent chunks (0 = none) |
| --scan-budget | — | Max USD for AI analysis (e.g. 2.50; 0 = unlimited) |
| --dry-run | false | Count candidate files without running AI analysis (requires --llm) |
| --resume | false | Resume an interrupted AI scan |
| --checkpoint-file | — | Explicit checkpoint file path (default: auto-computed) |
Reporting
| Flag | Default | Description |
|------|---------|-------------|
| --show-score | false | Print transition readiness score (0–100) |
scan network
| Flag | Default | Description |
|------|---------|-------------|
| --timeout | 10s | Connection timeout per target |
| --sni | — | Override Server Name Indication (default: hostname) |
| --insecure | false | Skip TLS certificate verification |
| --protocols | auto | Protocols to probe: tls, ssh (default: auto-detect by port) |
| --skip-vulns | false | Suppress individual vulnerability findings |
| --skip-quantum | false | Skip quantum-risk analysis |
report summary
report summary <cbom.json> renders a human-readable summary to stdout.
It inherits the global --format and --output flags and has no command-specific flags.

```sh
# Default table output
qtz-discovery-cli report summary cbom.json

# Interactive terminal dashboard
qtz-discovery-cli report summary cbom.json --format dashboard

# Write JSON summary to file
qtz-discovery-cli report summary cbom.json --format json --output summary.json
```
report convert
| Flag | Default | Description |
|------|---------|-------------|
| --to | — | Required. Target format: json, sarif |
| --output | stdout | Write to file path |
mcp serve
Starts the MCP server. Without --addr, it listens on stdin/stdout (stdio transport).

| Flag | Default | Description |
|------|---------|-------------|
| --addr | — | Listen address for HTTP transport (e.g. 127.0.0.1:8080); omit for stdio |
| --transport | sse | HTTP transport variant (only when --addr is set): sse, streamable-http |

| Transport | Endpoints |
|-----------|-----------|
| stdio | stdin / stdout |
| sse | /sse (events) & /message (commands) |
| streamable-http | /mcp (MCP 2025-03-26) |
Environment Variables
| Variable | Description |
|----------|-------------|
| QTZ_SERVER_URL | Quantizant portal base URL |
| QTZ_SERVER_ORG_ID | Organization ID |
| QTZ_SERVER_API_KEY | Portal API key |
| QTZ_SOURCE_ID | Source UUID for upload tagging (scan source only) |
| QTZ_GIT_TOKEN | Git access token for private repositories |
| QTZ_UPLOAD | Upload findings after scan when set to true |
| QTZ_LOG_LEVEL | Log verbosity: debug, info, warn, error |
| QTZ_FORMAT | Default output format |
| QTZ_OUTPUT | Default output file path |
Config File (.qtz-discovery.yaml)
Place .qtz-discovery.yaml in your project root or in ~/.qtz/.
CLI flags always take precedence over config file values.

```yaml
# .qtz-discovery.yaml
log_level: info   # debug | info | warn | error

# Portal connection (required for AI analysis and uploads)
server:
  url: https://discovery.quantizant.io/
  org_id: your-org-id
  api_key: your-api-key   # Better: use QTZ_SERVER_API_KEY env var
upload: false   # Set true to auto-upload after every scan

# scan source defaults
scan:
  source:
    branch: main
    depth: 0   # 0 = full history
    excludes:
      - vendor/**
      - "*.pb.go"
      - node_modules/**
    llm:
      enabled: false
      max_files: 50
      chunk_window_lines: 300
      chunk_overlap_lines: 50
  network:
    timeout: 10s
    insecure: false

# Default output
output:
  format: cbom   # cbom | sarif | json | csv | table | dashboard
```
Config File Lookup Order
The CLI searches for config files in this order (first found wins):
- Path specified by the --config flag
- .qtz-discovery.yaml in the current directory
- config.yaml in the current directory (fallback name)
- ~/.qtz/.qtz-discovery.yaml
- ~/.qtz/config.yaml
Severity Levels
| Level | Description |
|-------|-------------|
| critical | Immediate quantum or classical threat (e.g. RSA-1024, expired cert, TLS 1.0) |
| high | Significant risk: should be remediated before the compliance deadline |
| medium | Notable issue: plan remediation within 12 months |
| low | Best practice violation: address in the next review cycle |
| info | Informational: inventory item, no immediate action required |
Exit Codes
| Code | Meaning |
|------|---------|
| 0 | Success |
| 1 | General error (bad config, auth failure, I/O error, etc.) |
| 2 | Scan completed but the --fail-on threshold was exceeded |
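A CI gate that ties --fail-on, --baseline, report convert and the exit codes above together, written here as an added example and not code shipped with qtz-discovery-cli. It assumes that scan source takes the repository as its first positional argument, that report convert takes the CBOM path positionally, and that QTZ_BIN is a wrapper-only variable (so the script can be exercised with a stub).

```sh
#!/bin/sh
# CI gate around qtz-discovery-cli (added example, not part of the tool).
# Assumptions: `scan source` takes the repository as its first positional
# argument, `report convert` takes the CBOM path positionally, and QTZ_BIN
# exists only in this wrapper so the logic can be tested with a stub binary.
QTZ_BIN="${QTZ_BIN:-qtz-discovery-cli}"

# Map the documented exit codes to a short status word for the pipeline log.
qtz_status() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "error" ;;
    2) echo "policy-violation" ;;
    *) echo "unknown" ;;
  esac
}

# Scan one repository, reporting only findings that are new relative to the
# baseline (when a baseline file exists) and exiting 2 on high or critical.
# Returns the tool's exit code unchanged so callers can gate on it.
qtz_scan_gate() {
  scan_repo="$1"; scan_baseline="$2"; scan_out="$3"
  set -- scan source "$scan_repo" --branch main --fail-on high \
         --format cbom --output "$scan_out"
  if [ -n "$scan_baseline" ] && [ -f "$scan_baseline" ]; then
    set -- "$@" --baseline "$scan_baseline"
  fi
  "$QTZ_BIN" "$@"
}

# Full gate: scan, keep a SARIF copy for the code-scanning UI whenever the
# scan itself completed (exit 0 or 2), then propagate the original exit code
# so the log can tell a policy violation (2) from an infrastructure error (1).
qtz_ci_gate() {
  gate_rc=0
  qtz_scan_gate "$1" "$2" "$3" || gate_rc=$?
  case "$gate_rc" in
    0|2) "$QTZ_BIN" report convert "$3" --to sarif --output "${3%.json}.sarif" ;;
  esac
  echo "qtz scan: $(qtz_status "$gate_rc") (exit $gate_rc)" >&2
  return "$gate_rc"
}
```

Call it from the pipeline as `qtz_ci_gate <repo> <baseline.json> <cbom.json>`; a non-zero return fails the job, and the SARIF file next to the CBOM is ready for upload to a code-scanning dashboard.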
Quantum Risk Classifications
| Classification | Meaning |
|----------------|---------|
| VULNERABLE | Algorithm broken by Shor's or Grover's algorithm on a CRQC |
| PARTIAL | Classical algorithm with insufficient key size for the post-quantum era |
| HYBRID | Classical+PQC hybrid in use: transitional but not fully quantum-safe |
| SAFE | NIST-approved PQC algorithm (ML-KEM, ML-DSA, SLH-DSA) or equivalent |