Configuration
qtz-discovery-cli reads configuration from (in order of precedence):
- Command-line flags
- Environment variables
.qtz-discovery.yamlin the current directoryconfig.yamlin the current directory (fallback name)~/.qtz/.qtz-discovery.yaml~/.qtz/config.yaml
Config File
Create a .qtz-discovery.yaml in your project root:
# .qtz-discovery.yaml
log_level: info # debug | info | warn | error
# Portal connection (optional — for AI analysis, uploads, team features)
server:
url: https://discovery.quantizant.ai/
org_id: your-org-id
api_key: your-api-key # Better: use QTZ_SERVER_API_KEY env var
upload: false # Set true to auto-upload after every scan
# scan source defaults
scan:
source:
branch: main
depth: 0 # 0 = full history
excludes:
- vendor/**
- "*.pb.go"
- node_modules/**
# Output defaults
output:
format: cyclonedx # cyclonedx | sarif | json | csv | table | dashboardGlobal Flags
These flags apply to all commands:
| Flag | Env Var | Default | Description |
|---|---|---|---|
--server | QTZ_SERVER_URL | — | Quantizant portal base URL |
--org-id | QTZ_SERVER_ORG_ID | — | Organization ID for API calls |
--api-key | QTZ_SERVER_API_KEY | — | API key for authentication |
--config | — | .qtz-discovery.yaml | Config file path |
--log-level | QTZ_LOG_LEVEL | info | debug | info | warn | error |
--output | — | stdout | Write output to file |
--format | — | cyclonedx | Output format (see Output Formats) |
--upload | QTZ_UPLOAD | false | Upload findings to portal after scan |
--sync | — | false | Sync classification standards from server before scan |
--standard | — | nist | Quantum-risk classification standard: nist|cnsa2|acsc|bsi|cccs|eccg |
--verbose | — | false | Enable verbose output (equivalent to --log-level debug) |
--experimental | — | false | Enable experimental scan modalities: iac, runtime, infra |
Environment Variables
Sensitive values should be set as environment variables rather than in the config file:
export QTZ_SERVER_URL=https://discovery.quantizant.ai/
export QTZ_SERVER_ORG_ID=your-org-id
export QTZ_SERVER_API_KEY=your-api-keyIn CI/CD, set these as secrets in your pipeline (see CI/CD Integration).
Multiple Profiles
Use --config to switch between environments:
# Development
qtz-discovery-cli scan source . --config .qtz-dev.yaml
# Production
qtz-discovery-cli scan source . --config .qtz-prod.yaml