> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vigolium.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Vigolium

> High-fidelity vulnerability scanner fusing agentic AI with native speed, modularity, and precision

<Frame caption="Vigolium Workbench, scan overview with severity breakdown and finding details">
  <img src="https://mintcdn.com/vigolium/zoiYo6Ai1Y8VJhNS/images/vigolium-main-workbench.png?fit=max&auto=format&n=zoiYo6Ai1Y8VJhNS&q=85&s=ce742509a2fdc2c1959da3a6d7358d99" alt="Vigolium Workbench showing scan overview with severity breakdown and individual finding details" width="3416" height="2292" data-path="images/vigolium-main-workbench.png" />
</Frame>

[Vigolium](https://github.com/vigolium/vigolium) is a high-fidelity web vulnerability scanner that fuses agentic AI with native speed, modularity, and precision. It combines deterministic multi-phase scanning with AI-driven autonomous analysis to deliver comprehensive security coverage, from injection flaws and access control issues to framework-specific vulnerabilities and blind out-of-band attacks.

The platform is built around three key components that work together to provide a complete vulnerability scanning solution.

## <Icon icon="puzzle-piece" /> Key Components

<Columns cols={3}>
  <Card title="Vigolium CLI" icon="terminal">
    The core scanning engine. Handles all scanning logic, module execution, and heavy lifting, from content discovery and browser-based spidering to active fuzzing and agentic AI scanning.
  </Card>

  <Card title="Vigolium Workbench" icon="desktop">
    A self-hosted dashboard for visualizing scan results, managing projects, and tracking findings across your infrastructure. Deploy it on your own servers for full control over your data.
  </Card>

  <Card title="Vigolium Console" icon="cloud">
    A cloud-based solution that provides managed scanning, team collaboration, and centralized reporting without the overhead of self-hosting.
  </Card>
</Columns>

## <Icon icon="download" /> Installation

<Tabs>
  <Tab title="Native Installation (Recommended)">
    ```bash theme={null}
    curl -fsSL https://vigolium.com/install.sh | bash
    ```

    Installs `~/.local/bin/vigolium` and adds it to your shell profile. The installer verifies the SHA-256 checksum before installing.
  </Tab>

  <Tab title="npm" icon="npm">
    ```bash theme={null}
    npm install -g @vigolium/vigolium
    ```

    Thin launcher that pulls the prebuilt binary for your platform as an optional dependency (Node 16+).
  </Tab>

  <Tab title="Bun" icon="bolt">
    ```bash theme={null}
    bun add -g @vigolium/vigolium
    ```

    Installs the Vigolium launcher globally with Bun. Same prebuilt-binary launcher as the npm install path; Bun is just a faster package manager.
  </Tab>

  <Tab title="Homebrew" icon="apple">
    ```bash theme={null}
    brew install vigolium/tap/vigolium
    ```

    Installs the latest release from the Vigolium tap on macOS and Linux. Upgrade with `brew upgrade vigolium`.
  </Tab>

  <Tab title="Docker" icon="docker">
    ```bash theme={null}
    docker pull j3ssie/vigolium:latest
    docker run --rm j3ssie/vigolium:latest scan -h
    ```

    The container entrypoint is the `vigolium` binary, pass any subcommand directly.
  </Tab>

  <Tab title="Build from Source" icon="bolt">
    ```bash theme={null}
    git clone https://github.com/vigolium/vigolium.git
    cd vigolium
    make build
    ```

    Requires Go 1.26+, Bun 1.3.11+, `git`, and `make`. Always use `make build` (not `go build`), it injects version metadata.
  </Tab>

  <Tab title="Windows">
    <Check>Vigolium only supports Linux and macOS natively. Windows users should use WSL or the Docker image.</Check>
  </Tab>
</Tabs>

For a guided walkthrough including validation and your first scan, see the [Quickstart](/getting-started/quickstart).

***

## <Icon icon="radar" /> Scanning Mode

### Agentic Scan

Agentic scanning uses AI agents to drive or augment the scanning process. Invoked via `vigolium agent <mode>`. All AI dispatch is routed through the in-process **olium** engine, which supports eleven providers: `openai-codex-oauth`, `anthropic-api-key`, `anthropic-oauth`, `openai-api-key`, `openai-responses`, `anthropic-cli`, `anthropic-claude-sdk-bridge`, `anthropic-compatible`, `anthropic-vertex`, `google-vertex`, and `openai-compatible` (Ollama / OpenRouter / LM Studio / vLLM).

| Mode          | Command                                 | Description                                                                                                                                                                                                                                                                                                  |
| ------------- | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Query**     | `vigolium agent query`                  | Single-shot prompt execution. Good for code review, endpoint discovery, secret detection. No network scanning.                                                                                                                                                                                               |
| **Autopilot** | `vigolium agent autopilot`              | Autonomous AI-driven pentest. The olium engine discovers endpoints, runs scans, and triages findings on its own, driving bash, file ops, and the vigolium CLI until it calls `halt_scan`. Supports diff-focused runs (`--diff`), `--intensity` preset bundles, and session resume.                           |
| **Swarm**     | `vigolium agent swarm`                  | AI-guided pipeline for targeted single-request or full-scope (`--discover`) scanning. The master agent selects modules, generates custom JS scanner extensions, runs code audit and SAST, executes scans, and triages results, with native Go handling the heavy lifting while AI intervenes at checkpoints. |
| **Audit**     | `vigolium agent audit`                  | Unified whitebox security audit driver (lite / balanced / deep). Runs the embedded vigolium-audit harness, the standalone piolium harness, or both side-by-side under one parent scan.                                                                                                                       |
| **Piolium**   | `vigolium agent audit --driver=piolium` | Pi-native whitebox audit driver (separate install). Up to 17 phases at `deep`, the most thorough audit available.                                                                                                                                                                                            |
| **Olium**     | `vigolium olium` / `vigolium ol`        | Interactive TUI chat or one-shot non-interactive prompt, the underlying agent runtime.                                                                                                                                                                                                                       |

All scan-oriented modes support `--source` for source-aware analysis and store session artifacts (plans, extensions, output) under `~/.vigolium/agent-sessions/`.

### Native Scan

Deterministic, multi-phase vulnerability scanning via `vigolium scan`. Fast, modular, and repeatable, runs content discovery, browser spidering, SPA crawling, and active/passive `dynamic-assessment` phases with **313 scanner modules** (198 active, 115 passive).

| Category                        | Coverage                                                                                                                                                                                                                                                                                              |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Injection**                   | XSS (reflected, DOM-based, SSR hydration), SQL injection (error-based, boolean/time-blind), NoSQL injection, SSTI/CSTI, CRLF injection, command injection, XXE/SAML, prototype pollution                                                                                                              |
| **Access Control**              | CSRF, IDOR, authorization bypass, mass assignment, forbidden bypass, HTTP method tampering                                                                                                                                                                                                            |
| **File & Path**                 | LFI, path traversal, file upload flaws, directory listing, backup/sensitive file discovery, path normalization bypass                                                                                                                                                                                 |
| **API & Protocol**              | GraphQL security suite (introspection, SQLi, IDOR/BOLA, DoS, batching), MCP server security (tool/resource/prompt fuzzing, session & origin checks), SSRF (direct & blind), open redirect, HTTP request smuggling, JWT vulnerabilities, JSONP callback, WebSocket security, race conditions           |
| **Framework-Specific**          | Spring Boot, Django, Laravel, Rails, Express, Next.js, Nuxt, Remix, ASP.NET/Blazor, IIS, Flask, FastAPI                                                                                                                                                                                               |
| **Enterprise & SaaS Platforms** | Adobe Experience Manager (dispatcher bypass, sensitive servlets, RCE-surface exposure, CVE probes), Salesforce Experience Cloud (Aura object/record exposure, guest Apex execution, Lightning debug mode), ServiceNow (widget & KB data exposure), Microsoft Power Pages (Dataverse Web API exposure) |
| **CMS**                         | WordPress (XML-RPC, user enum, AJAX exposure), Drupal, Joomla, CMS installer exposure                                                                                                                                                                                                                 |
| **Cloud & Infra**               | Firebase (RTDB, storage, auth, functions), cloud storage listing/takeover, default credentials, web cache poisoning, CORS misconfiguration                                                                                                                                                            |
| **Out-of-Band**                 | Blind vulnerabilities via OAST callbacks (blind SSRF, blind SSTI, OAST probes)                                                                                                                                                                                                                        |

***

## <Icon icon="terminal" /> Vigolium CLI

The CLI is the heart of Vigolium, powering all scanning operations with two complementary modes:

### CLI Highlights

* **Value-aware mutation**: classify parameter values by semantic type and generate intelligent mutations
* **Multi-phase pipeline**: external harvesting, content discovery, SPA crawling, and audit controlled by strategy presets
* **Scanning profiles**: bundle strategy, pace, scope, and module config into a single YAML file
* **Multiple input formats**: URLs, OpenAPI/Swagger, Postman, Burp Suite, cURL, Nuclei JSONL
* **Browser-based spider**: Chromium-driven crawler with SPA support, form filling, and JS analysis
* **Multi-session authentication**: inline sessions, session files, or full auth configs with login flows and token extraction
* **JavaScript extensions**: custom modules and hooks via embedded JS engine
* **Source-aware agentic scan**: pair `--source` with `swarm`, `autopilot`, or `audit` for code-context-aware AI scanning and audit
* **Concurrent architecture**: configurable worker pool with per-host rate limiting and hybrid queue
* **HTML reports**: self-contained HTML reports with sortable/filterable tables
* **API server mode**: REST API with Swagger UI, multi-format ingestion, transparent HTTP proxy

***

## <Icon icon="desktop" /> Vigolium Workbench

A self-hosted web dashboard that provides a visual interface for managing and analyzing your scan data. Deploy Workbench on your own infrastructure to maintain complete control over your vulnerability data while giving your team an intuitive way to:

* Browse and filter scan findings with severity breakdown per project
* Track vulnerability trends across repositories and scan history
* Manage multiple projects with multi-tenancy support
* View detailed request/response evidence for each finding

<Columns cols={2}>
  <Frame caption="Project overview with scan summary">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-1.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=1b5b5c796cc7b2b0599b8e2b1b422239" alt="Workbench project overview showing scan summary and severity counts" width="3824" height="2366" data-path="images/vigolium-ui-dashboard-1.png" />
  </Frame>

  <Frame caption="Findings list with filtering options">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-2.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=95e9fe18de264735a727b66cf86f8c41" alt="Workbench findings list with severity filters and search" width="3824" height="2158" data-path="images/vigolium-ui-dashboard-2.png" />
  </Frame>

  <Frame caption="Detailed finding view with request/response evidence">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-3.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=9ad18a0547a351fbe503be6119846b91" alt="Workbench detailed finding view showing HTTP request and response evidence" width="3824" height="2158" data-path="images/vigolium-ui-dashboard-3.png" />
  </Frame>

  <Frame caption="Scan history and trend tracking">
    <img src="https://mintcdn.com/vigolium/k7Q5uClvTZzF4YBg/images/vigolium-ui-dashboard-4.png?fit=max&auto=format&n=k7Q5uClvTZzF4YBg&q=85&s=4db776eeca0b23ec9c1231fdddc23feb" alt="Workbench scan history view with vulnerability trend tracking" width="3824" height="2158" data-path="images/vigolium-ui-dashboard-4.png" />
  </Frame>
</Columns>

<Columns cols={2}>
  <Frame caption="CLI Native Scan">
    <img src="https://mintcdn.com/vigolium/NLZDE082IZ_kV-1b/images/vigolium-cli-native-scan.png?fit=max&auto=format&n=NLZDE082IZ_kV-1b&q=85&s=c219c83a174dc5093f8d23aaf573e30c" alt="CLI Native Scan" width="4336" height="2804" data-path="images/vigolium-cli-native-scan.png" />
  </Frame>

  <Frame caption="CLI Native Scan 2">
    <img src="https://mintcdn.com/vigolium/LhScJ9FgxQS8TSGT/images/vigolium-cli-native-scan-2.png?fit=max&auto=format&n=LhScJ9FgxQS8TSGT&q=85&s=5b2b14db63c8918716fdc917ab7ea6df" alt="CLI Native Scan 2" width="3824" height="2366" data-path="images/vigolium-cli-native-scan-2.png" />
  </Frame>
</Columns>

<Columns cols={2}>
  <Frame caption="HTML report, summary with severity chart">
    <img src="https://mintcdn.com/vigolium/bNNIkqR-N7gw4AB_/images/vigolium-static-report-1.png?fit=max&auto=format&n=bNNIkqR-N7gw4AB_&q=85&s=7aba27cdbd14060961c450be78f50b84" alt="Self-contained HTML report showing vulnerability summary with severity chart" width="2624" height="2366" data-path="images/vigolium-static-report-1.png" />
  </Frame>

  <Frame caption="HTML report, sortable findings table">
    <img src="https://mintcdn.com/vigolium/bNNIkqR-N7gw4AB_/images/vigolium-static-report-2.png?fit=max&auto=format&n=bNNIkqR-N7gw4AB_&q=85&s=a6fdec8f272861d76bdd355246959d13" alt="Self-contained HTML report with sortable and filterable findings table" width="2624" height="2366" data-path="images/vigolium-static-report-2.png" />
  </Frame>
</Columns>

***

## <Icon icon="cloud" /> Vigolium Cloud Console

A cloud-based solution for teams that want the power of Vigolium without managing infrastructure. Console is the **upgraded, fully-featured version of Vigolium**, managed scanning, centralized reporting, team collaboration, and extra features layered on top of the open-source core, so you can focus on fixing vulnerabilities instead of maintaining tooling.

<Callout icon="rocket" color="#FFC107" iconType="regular">
  Check out the Cloud Console at [console.vigolium.com](https://console.vigolium.com/).
</Callout>

<Columns cols={2}>
  <Frame caption="Native scan results in Vigolium Console">
    <img src="https://mintcdn.com/vigolium/7sCvbc6tyfE0FRFM/images/vigolium-native-scan.png?fit=max&auto=format&n=7sCvbc6tyfE0FRFM&q=85&s=c8a94abe488e2008abfb50402b64251f" alt="Vigolium Console native scan view" width="2872" height="1750" data-path="images/vigolium-native-scan.png" />
  </Frame>

  <Frame caption="Agentic scan results in Vigolium Console">
    <img src="https://mintcdn.com/vigolium/7sCvbc6tyfE0FRFM/images/vigolium-agentic-scan.png?fit=max&auto=format&n=7sCvbc6tyfE0FRFM&q=85&s=8d0ae511bffadbd783755d278e052d28" alt="Vigolium Console agentic scan view" width="2872" height="1750" data-path="images/vigolium-agentic-scan.png" />
  </Frame>
</Columns>

<Columns cols={2}>
  <Frame caption="Project list with severity breakdown per repository">
    <img src="https://mintcdn.com/vigolium/INiehdljY0lmbxY9/images/vigolium-opensource-audit-list.png?fit=max&auto=format&n=INiehdljY0lmbxY9&q=85&s=e3f375460a4e4cc320091fafe49b682a" alt="Open-source audit project list" width="2624" height="2366" data-path="images/vigolium-opensource-audit-list.png" />
  </Frame>

  <Frame caption="Detailed findings view for an individual project">
    <img src="https://mintcdn.com/vigolium/INiehdljY0lmbxY9/images/vigolium-opensource-audit-blur.png?fit=max&auto=format&n=INiehdljY0lmbxY9&q=85&s=d8dd70495db5500b4f0035bb0a25beed" alt="Open-source audit findings detail" width="2624" height="2366" data-path="images/vigolium-opensource-audit-blur.png" />
  </Frame>
</Columns>

***

## <Icon icon="compass" /> Where to Go Next

| I want to...                          | Start here                                                                  |
| ------------------------------------- | --------------------------------------------------------------------------- |
| Get up and running quickly            | [Quickstart](/getting-started/quickstart)                                   |
| Understand how native scanning works  | [How It Works](/native-scan/how-it-works)                                   |
| Pick the right scanning strategy      | [Strategies](/native-scan/strategies)                                       |
| Dive into individual scan phases      | [Phases](/native-scan/phases/), discovery, spidering, audit, extension, SPA |
| Try agentic scanning                  | [Agent Mode](/agentic-scan/agent-mode)                                      |
| Let AI drive scans autonomously       | [Autopilot](/agentic-scan/autopilot)                                        |
| Run multi-phase AI + native pipelines | [Swarm](/agentic-scan/swarm)                                                |
| Audit source code in depth            | [Agentic Security Audit](/getting-started/agentic-security-audit)           |
| Chat with the agent runtime           | [Olium](/agentic-scan/olium)                                                |
| Run Vigolium as an API server         | [Server Mode](/server-mode/)                                                |
| Tweak scan settings                   | [Configuration](/getting-started/configuration)                             |
| Export and format results             | [Output & Reporting](/getting-started/output-and-reporting)                 |
| Write custom JS extensions            | [Writing Extensions](/customization/writing-extensions)                     |
| Browse the REST API                   | [API References](/api-references/)                                          |

***

For any inquiries, feel free to contact us at [contact@vigolium.com](mailto:contact@vigolium.com).
