# Vigolium Documentation ## Docs - [Agent Mode](https://docs.vigolium.com/agentic-scan/agent-mode.md): Vigolium ships seven agent subcommands under `vigolium agent` covering autonomous scanning, AI-guided pipelines, a unified source-audit driver, single-shot prompts, and an interactive TUI. - [Agent Autopilot](https://docs.vigolium.com/agentic-scan/autopilot.md): The single-loop agentic scan: one long-running olium engine drives tools, reports findings, and halts on its own. - [How Agent Mode Works](https://docs.vigolium.com/agentic-scan/how-it-works.md): Architecture of Vigolium's agent runtime, the in-process olium engine, prompt orchestration, swarm/autopilot pipelines, and provider model. - [Olium Agent](https://docs.vigolium.com/agentic-scan/olium.md): The in-process AI agent runtime that powers every agentic feature in Vigolium, interactive TUI, headless prompts, and the engine library used by autopilot, swarm, query, and vigolium-audit. - [Agent Swarm](https://docs.vigolium.com/agentic-scan/swarm.md): AI-guided multi-phase scan: master agent reads requests, picks modules, generates JS extensions, runs the native scanner, and optionally triages findings. - [Using the Vigolium Scanner Skill in Claude Code & Codex](https://docs.vigolium.com/agentic-scan/using-vigolium-in-your-agent.md): Install and use the vigolium-scanner skill with AI coding agents for web vulnerability scanning and extension authoring. - [Vigolium API Reference](https://docs.vigolium.com/api-overview.md): Base URL: http://localhost:9002 (default). For detailed documentation on each endpoint category, see the individual reference pages below. - [Vigolium API Reference, Agent](https://docs.vigolium.com/api-references/agent.md): AI agent API with query, autopilot, swarm, and audit run modes, SSE streaming, session history, and OpenAI-compatible chat. - [Authentication](https://docs.vigolium.com/api-references/authentication.md): File-based user system with Bearer token authentication, roles, login, and token usage for the Vigolium API. - [Vigolium API Reference, Config](https://docs.vigolium.com/api-references/config.md): View and update server configuration using dot-notation keys with hot reload support. - [Vigolium API Reference, Generic Database API](https://docs.vigolium.com/api-references/database.md): Unified CRUD API for any database table with pagination, filtering, sorting, and full-text search. - [Vigolium API Reference, Diagnostics](https://docs.vigolium.com/api-references/diagnostics.md): System readiness check covering database connectivity, agent provider, third-party tools, and directory configuration. - [Vigolium API Reference, Extensions](https://docs.vigolium.com/api-references/extensions.md): Manage JavaScript and YAML extensions that add custom scanning logic, including listing, editing, and API docs. - [Vigolium API Reference, Findings](https://docs.vigolium.com/api-references/findings.md): List, retrieve, and delete vulnerability findings with filtering, pagination, and severity-based queries. - [Vigolium API Reference, HTTP Records](https://docs.vigolium.com/api-references/http-records.md): List, retrieve, and delete HTTP request/response records with filtering, pagination, and sorting options. - [Vigolium API Reference, Ingestion](https://docs.vigolium.com/api-references/ingestion.md): Import HTTP request/response data into the database for scanning via URLs, curl commands, HAR, OpenAPI, and more. - [Vigolium API Reference, Modules](https://docs.vigolium.com/api-references/modules.md): List registered active and passive scanner modules with search, tag filtering, and tag categories. - [Vigolium API Reference, OAST Interactions](https://docs.vigolium.com/api-references/oast-interactions.md): List, retrieve, and delete out-of-band application security testing interactions from interactsh callbacks. - [Vigolium API Reference, Overview](https://docs.vigolium.com/api-references/overview.md): Base URL, authentication, project scoping, health checks, and common endpoints for the Vigolium API server. - [Vigolium API Reference, Projects](https://docs.vigolium.com/api-references/projects.md): Manage projects for multi-tenant data isolation. All scan data is scoped to a project via project_uuid. - [Vigolium API Reference, Scan](https://docs.vigolium.com/api-references/scan.md): Single-target scans, scan management, scan history, pause/resume, logs, selective record scans, and repository uploads. - [Vigolium API Reference, Scope](https://docs.vigolium.com/api-references/scope.md): View and update the scope configuration that controls which HTTP records are in scope for scanning. - [Vigolium API Reference, Stats](https://docs.vigolium.com/api-references/stats.md): Retrieve aggregated statistics about HTTP records, scanner modules, and findings. - [Vigolium API Reference, Cloud Storage](https://docs.vigolium.com/api-references/storage.md): Cloud object storage integration for source code upload/download and scan result archival via S3-compatible APIs (GCS, AWS S3, MinIO). - [Agentic Scan Architecture](https://docs.vigolium.com/architecture/agentic-scan.md): How agent mode works, the in-process olium engine, prompt orchestration, the swarm/autopilot pipelines, and the provider model. - [Data & Persistence Architecture](https://docs.vigolium.com/architecture/data-and-storage.md): How scan data is scoped (multi-tenancy), modeled (the database schema), written (the repository pattern and async writer), and moved between machines (cloud storage). - [Native Scan Architecture](https://docs.vigolium.com/architecture/native-scan.md): Anatomy of a scan, tracing an HTTP request from the command line through the deterministic Go pipeline to a vulnerability finding. - [Architecture Overview](https://docs.vigolium.com/architecture/overview.md): The Vigolium system at a glance, operating modes, the two scanning paradigms, and how the pieces fit together. - [Server & API Architecture](https://docs.vigolium.com/architecture/server-and-api.md): The Fiber REST service, its process model, traffic ingestion paths, the REST surface, and the agent run API. - [Customizing & Extending Vigolium](https://docs.vigolium.com/customization/extending-vigolium.md): Covers every customization mechanism in Vigolium, from JS and YAML extensions to scanning profiles and the olium agent runtime. - [Writing Extensions](https://docs.vigolium.com/customization/writing-extensions.md): Guide to writing custom scanning extensions for Vigolium in JavaScript, YAML, quick checks, and snippets. - [Agentic Scanning](https://docs.vigolium.com/getting-started/agentic-scan.md): Drive vulnerability scanning with AI, autopilot (autonomous operator), swarm (AI-guided pipeline), or query (single-shot prompts). All dispatched through the in-process olium runtime. - [Agentic Security Audit](https://docs.vigolium.com/getting-started/agentic-security-audit.md): Multi-phase AI-driven whitebox source-code audit, vigolium-audit (embedded, Claude/Codex) and piolium (Pi-native), with a unified driver that runs both. - [Vigolium Cheat Sheet](https://docs.vigolium.com/getting-started/cheat-sheet.md): A one-page, copy-paste reference for the workflows you reach for most: live traffic mirroring, replaying through Burp, passive/secret scanning of forwarded traffic, importing external data, parallel fan-out, resuming, spec-driven scans, single-request scans, content discovery, filtering to one vulne… - [Choosing a Scan Mode](https://docs.vigolium.com/getting-started/choosing-a-mode.md): Vigolium ships several scan modes, native, native-via-Burp, audit agent, autopilot, and swarm. This page helps you pick the right one for the job, plus the intensity preset (quick / balanced / deep) that controls how far it goes. - [Configuration Reference](https://docs.vigolium.com/getting-started/configuration.md): Vigolium uses a layered configuration system that merges settings from multiple sources. This document covers the config file format, environment variables, and every configurable section. - [Native Scan & Stateless Scanning](https://docs.vigolium.com/getting-started/native-scan.md): The native scan is Vigolium's deterministic, Go-based scanning pipeline, fast, modular, and AI-free. This page is a hands-on tour of running native scans from the CLI, with a focus on stateless scanning. - [Output and Reporting](https://docs.vigolium.com/getting-started/output-and-reporting.md): Vigolium supports multiple output formats for scan results, discovery data, and spidering output. This guide covers the available formats, result structures, and how to query stored findings. - [Vigolium Overview](https://docs.vigolium.com/getting-started/overview.md): Vigolium is a high-fidelity web vulnerability scanner written in Go. It combines deterministic, module-based scanning with AI-driven agentic analysis to provide broad and deep coverage of web application security issues. - [Installation & QuickStart](https://docs.vigolium.com/getting-started/quickstart.md): Get up and running with Vigolium in a few minutes, install, verify, and run your first scan. - [Server Mode: Ingesting Data via the API](https://docs.vigolium.com/getting-started/server-and-ingestion.md): This guide covers how to start Vigolium in server mode and ingest HTTP traffic into the database using the REST API and CLI. - [Setting Up the Agent](https://docs.vigolium.com/getting-started/setup-agent.md): Vigolium's AI features (autopilot, swarm, source-code audit, query) all run through one in-process runtime called olium. This page walks you through wiring each piece up, pick the section that matches your setup. - [Web UI](https://docs.vigolium.com/getting-started/web-ui.md): Start Vigolium's built-in web UI with vigolium server, then visualize scan data, inspect findings, choose modules, launch scans, and adjust configuration. - [Authenticated Scanning](https://docs.vigolium.com/native-scan/authentication.md): Configure multi-session authenticated scanning with login flows, IDOR/BOLA testing, and token refresh. - [Anatomy of a Scan](https://docs.vigolium.com/native-scan/how-it-works.md): Traces the complete lifecycle of an HTTP request through a Vigolium scan, from CLI invocation to vulnerability finding. - [Scanner Modules Reference](https://docs.vigolium.com/native-scan/modules-reference.md): Reference for Vigolium's 313 scanner modules, 198 active and 115 passive, covering the OWASP Top 10 and beyond. - [Dynamic-Assessment, Active Vulnerability Scanning](https://docs.vigolium.com/native-scan/phases/audit.md): The core scanning phase that injects payloads at every insertion point to detect vulnerabilities in web applications. - [Deparos - Modern Adaptive Content Discovery](https://docs.vigolium.com/native-scan/phases/discovery.md): Intelligent content discovery engine that adapts its strategy dynamically using fingerprint-based soft-404 detection. - [Extension Scanning](https://docs.vigolium.com/native-scan/phases/extension.md): Run custom JavaScript or YAML extension modules against targets, alongside or instead of built-in scanner modules. - [KnownIssueScan - Known Vulnerability and Secret Detection](https://docs.vigolium.com/native-scan/phases/known-issue-scan.md): Checks targets for known CVEs, common misconfigurations, and exposed secrets using Nuclei templates and the Kingfisher secret detection engine - [Spitolas - Browser-Based Web Crawler](https://docs.vigolium.com/native-scan/phases/spidering.md): State-machine-driven web crawler using real Chromium for discovering application states through user-like interactions. - [Scan Scope - How Modules Are Dispatched](https://docs.vigolium.com/native-scan/scan-scope.md): Understand how scanner modules are dispatched at insertion-point, request, and host granularity. - [Scanning Modes Overview](https://docs.vigolium.com/native-scan/scanning-modes-overview.md): Pick the right scanning mode based on what you have: a URL, source code, an AI agent, or all of the above. - [Blackbox Scanning](https://docs.vigolium.com/native-scan/strategies.md): Test web applications from the outside without source code using crafted HTTP requests and response analysis. - [API References](https://docs.vigolium.com/others/api-references.md): Complete index of all Vigolium API reference pages, endpoints for scanning, findings, ingestion, agent control, and more. - [Open-Source Audit Showcases](https://docs.vigolium.com/others/audit-report.md): Real vulnerability scan reports from popular open-source projects, powered by Vigolium's agentic scanning engine - [Changelog](https://docs.vigolium.com/others/changelog.md): Release notes and version history for Vigolium - [CLI References](https://docs.vigolium.com/others/cli-references.md): Common usage examples for the vigolium CLI, scanning, agentic runs, ingestion, server, database, and more. - [FAQ](https://docs.vigolium.com/others/faq.md): Frequently asked questions about Vigolium, operating modes, scanning paradigms, AI providers, the database, multi-tenancy, storage, and troubleshooting. - [Projects & Multi-Tenancy](https://docs.vigolium.com/others/projects.md): Isolate scan data per engagement with projects. Every scan, finding, HTTP record, scope rule, and OAST interaction is tagged with a project UUID so multiple engagements can share one database without leaking across boundaries. - [Security Warning](https://docs.vigolium.com/others/security-warning.md): Important security considerations when running Vigolium: agent mode is intentionally unsandboxed and extensions can execute arbitrary commands. - [Ingesting HTTP Traffic](https://docs.vigolium.com/server-mode/ingestion.md): Get HTTP requests into Vigolium's database via API, CLI, or transparent proxy for vulnerability scanning. - [Transparent Proxy](https://docs.vigolium.com/server-mode/proxy.md): Use Vigolium's built-in HTTP proxy to passively record traffic for scanning, including HTTPS via optional MITM interception. - [Running the Server](https://docs.vigolium.com/server-mode/running-the-server.md): Run Vigolium as a persistent REST API server for traffic ingestion, scan triggers, and agent runs. ## OpenAPI Specs - [openapi](https://docs.vigolium.com/api-reference/openapi.json) ## Optional - [Schedule A Demo](https://www.vigolium.com/request-demo) - [Vigolium Cloud Console](https://console.vigolium.com/)