Skip to main content
A curated tour of the most common vigolium invocations, grouped by command. For the full flag list of any command, run vigolium <command> --help. For the same examples in your terminal, run vigolium --full-example.

Top-Level Commands

vigolium --help              # All available commands and global flags
vigolium <command> --help    # Flags and help for a specific command
vigolium --full-example      # Curated tour of all common usage
vigolium version             # Build and version info
The global --soft-fail flag forces an exit code of 0 even when a command fails (the error is still printed to stderr). It keeps a failing vigolium call from interrupting the wrapping script or CI pipeline:
vigolium scan -t https://example.com --soft-fail

Scanning

Run the full native pipeline against one or more targets.
# Single target
vigolium scan -t https://example.com

# Multiple targets (-t and -T/--target-file are both repeatable and combine)
vigolium scan -t https://example.com -t https://api.example.com
vigolium scan -T targets.txt
vigolium scan -T prod.txt -T staging.txt

# Scanning profiles and strategies
vigolium scan -t https://example.com --strategy deep
vigolium scan -t https://example.com --scanning-profile quick
vigolium scan -t https://example.com --scanning-profile full

# Phase control
vigolium scan -t https://example.com --only dynamic-assessment
vigolium scan -t https://example.com --skip discovery,spidering

# Module selection
vigolium scan -t https://example.com -m xss-reflected,sqli-error
vigolium scan -t https://example.com --module-tag spring --module-tag injection

# Output and reporting
vigolium scan -t https://example.com --format jsonl -o results.jsonl
vigolium scan -t https://example.com --format html -o report.html
vigolium scan -S -t https://example.com --format sqlite -o scan      # standalone .sqlite (stateless only)
vigolium scan -t https://example.com --format fs -o run             # browsable run-traffic/ + run-findings/ tree

# Print results to stdout after the scan (pairs with -S --silent; also on scan-url/scan-request/run)
vigolium scan-url -S -t https://example.com --silent --print-finding        # findings as Markdown
vigolium scan-url -S -t https://example.com --silent --print-traffic-tree   # traffic as a host/path tree
vigolium scan-url -S -t https://example.com --silent --print-traffic        # raw request/response pairs

# Network controls
vigolium scan -t https://example.com --proxy http://127.0.0.1:8080
vigolium scan -t https://example.com -c 100 --rate-limit 200
vigolium scan -t https://example.com --scanning-max-duration 2h

# CI/agent exit-code gating
vigolium scan -t https://example.com --fail-on high       # exit non-zero on any high+ finding
vigolium scan -t https://example.com --fail-on high --soft-fail   # surface the error but always exit 0

# Custom JS extensions
vigolium scan -t https://example.com --ext custom-check.js
vigolium scan -t https://example.com --ext-dir ./my-extensions
vigolium scan -t https://example.com --only extension --ext custom-check.js

# Project scoping
vigolium scan -t https://example.com --project-name my-project

# OAST and known-issue scanning
vigolium scan -t https://example.com --oast-url https://interact.sh/abc123
vigolium scan -t https://example.com --known-issue-scan-tags cve,misconfig --known-issue-scan-severities critical,high

Parallel & isolated scans

Scan many targets at once, or let several parallel scans share one database without write contention.
# Fan out a target list across N isolated child processes, one per-host output file each
vigolium scan -T targets.txt -P 4 --stateless --split-by-host --format jsonl -o results

# Parallel into one shared DB: each worker scans into a private temp DB, then merges into --db
vigolium scan -T targets.txt -P 4 --db-isolate --db shared.db --format jsonl,html -o report

# Single scan into a private temp DB merged back into --db (no write contention)
vigolium scan -t https://example.com --db-isolate --db shared.db

# Resume an interrupted stateless fan-out (skips targets that already completed)
vigolium scan -T targets.txt -P 4 --stateless --split-by-host --format jsonl -o results --resume
vigolium scan --resume                                              # auto-discover *.progress.json in cwd
  • -P, --parallel N — scan up to N targets concurrently as isolated child processes. Requires either -S --split-by-host (per-host outputs) or --db-isolate (merge into one --db). Real in-flight requests ≈ N × --concurrency.
  • --db-isolate — scan into a private temporary SQLite DB and merge results into --db at the end (SQLite only; not combinable with --stateless).
  • --split-by-host — in stateless multi-target mode, write a separate base-<host>.<ext> output file per target.
  • --resume — resume a prior -S -T --split-by-host -P run from its <output>.progress.json manifest, scanning only the targets that didn’t finish. Run bare (no other flags) to auto-discover the manifest in the current directory and relaunch the saved run.

Running a Single Phase

vigolium run <phase> is an alias for scan --only <phase>, useful when you want one specific stage of the pipeline.
vigolium run discover -t https://example.com
vigolium run spidering -t https://example.com
vigolium run dynamic-assessment -t https://example.com
vigolium run dynamic-assessment -t https://example.com --module-tag spring
vigolium run external-harvest -t https://example.com
vigolium run known-issue-scan -t https://example.com
vigolium run known-issue-scan -t https://example.com --known-issue-scan-tags cve --known-issue-scan-severities critical,high
vigolium run extension -t https://example.com --ext custom-check.js
vigolium run deparos -t https://example.com
vigolium run dast -t https://example.com

Input Modes

Feed traffic into a scan from OpenAPI, Burp, curl, HAR, or stdin.
vigolium scan -I openapi -i openapi.yaml -t https://api.example.com
vigolium scan -I burp    -i burp-export.xml -t https://example.com
vigolium scan -I curl    -i requests.txt
vigolium scan -I har     -i traffic.har
cat urls.txt | vigolium scan -i -
Run vigolium --list-input-mode to see every supported input format with examples.

Ingestion

Push HTTP traffic into the database without running a scan, useful for building a project corpus before scanning, or for sending traffic to a remote server.
vigolium ingest -t https://example.com -I openapi -i spec.yaml
vigolium ingest -t https://example.com -I burp    -i export.xml
cat urls.txt | vigolium ingest -i -

# Send to a remote Vigolium server
vigolium ingest -s http://server:9002 -i api.yaml -I openapi

Server

Start the REST API and ingest proxy.
vigolium server                                              # Default host/port from config
vigolium server --host 0.0.0.0 --service-port 8443
vigolium server --no-auth                                    # Local use only — disables bearer auth
vigolium server -t https://example.com --scan-on-receive     # Auto-scan ingested traffic (-S is shorthand for --scan-on-receive)
vigolium server -S --passive-only                            # Passive modules only — no active traffic; includes secret detection
vigolium server --mirror-fs ./mirror                         # Live-mirror ingested traffic + findings to a filesystem tree

# Transparent ingest proxy (records traffic flowing through it)
vigolium server --ingest-proxy-port 9003

# Intercept HTTPS too via a generated MITM CA (trust the CA printed at startup)
vigolium server --ingest-proxy-port 9003 --proxy-mitm -S
vigolium server --ingest-proxy-port 9003 --proxy-mitm --proxy-insecure   # skip upstream TLS verification

# Export the MITM CA certificate and exit (generates it if needed)
vigolium server --export-ca ./vigolium-ca.pem
See Transparent Proxy for the full MITM workflow. --passive-only (with --scan-on-receive) restricts scanning to passive modules only — no active scan traffic is sent, and secret detection is included. It’s the safest way to analyze forwarded Burp/proxy traffic in place. Combining it with --full-native-scan-on-receive still crawls (discovery + spidering send requests); for zero active traffic, use --scan-on-receive without the full-native flag.

Database & Results

Browse, export, and prune scan data.
# Browse
vigolium db ls
vigolium db ls --table findings
vigolium db stats
vigolium db stats --detailed
vigolium traffic                  # Alias for `db ls --table http_records`
vigolium traffic login            # Filter to login-related records
vigolium finding                  # Fuzzy-search findings
vigolium finding xss --markdown   # Render matches as Markdown (evidence + http blocks) to stdout
vigolium finding --min-severity high --confidence certain,firm   # Filter by severity floor + confidence

# Read a standalone export directly (project scoping off, never writes to your DB)
vigolium finding -S --db ./scan.jsonl --min-severity high
vigolium traffic -S --db ./scan.sqlite --status 500 -n 20

# Export
vigolium export --format jsonl -o full-export.jsonl
vigolium export --format jsonl --only findings
vigolium export --format jsonl --only findings,http
vigolium export --format html -o report.html
vigolium export --format fs -o run            # browsable run-traffic/ + run-findings/ tree (also on `db export`)

# Cleanup
vigolium db clean --scan-uuid my-scan
finding/traffic accept -S/--stateless + --db <file> to read a --format jsonl export or a standalone .sqlite directly, and --markdown to print the matched items as Markdown (under -S, add --compact to window long responses around the match).

Import

Pull external scan data back into a database. The input type is auto-detected from the path.
# JSONL export (http_record + finding envelopes, e.g. from `vigolium export --format jsonl`)
vigolium import full-export.jsonl

# Audit output folder (contains audit-state.json + findings-draft/)
vigolium import ./audit-output/

# Merge another vigolium SQLite scan DB into your default database
vigolium import other-vigolium-scan.sqlite

# Merge into an explicit destination (--db is the target)
vigolium import --db team.sqlite other-vigolium-scan.sqlite

# Combine many standalone scan DBs into one (idempotent — re-runs are no-ops)
for f in scans/*.sqlite; do vigolium import --db combined.sqlite "$f"; done

# Compressed archive (.tar.gz / .tgz / .zip) or a cloud-storage object
vigolium import ./scan-bundle.tar.gz
vigolium import gs://<project-uuid>/imports/scan.tar.gz
A SQLite database input (detected by its magic header, any extension) is a lossless, idempotent SQLite→SQLite merge: HTTP records, findings, scans, agentic scans, OAST interactions, and projects are deduped on their natural keys, and each row keeps its original project. Re-importing the same database adds nothing the second time. The destination is the --db target (or the configured default database when --db is omitted). Add -j/--json to print a per-table merge summary (rows inserted vs. skipped). This pairs with scan -S --format sqlite: fan out per-host .sqlite files, then merge them back into one queryable DB.

Replay

Re-send stored traffic — with or without a mutation — to confirm a finding, fuzz a parameter, or push a whole corpus back through a proxy. The banner is suppressed so bulk output stays pipe-clean.
# Confirm a stored record with a SQLi payload (baseline vs. mutated diff)
vigolium replay --record-uuid abc12345 -m 'name=id,payload=1 OR 1=1'

# Replay a finding's stored evidence with an XSS payload
vigolium replay --finding-id 42 -m 'name=q,payload=<svg/onload=alert(1)>'

# Replay a curl command verbatim (auto-baseline by re-sending)
vigolium replay -i "curl -X POST https://example.com/api/login -d 'u=admin'"

# Multi-step auth via a persistent cookie jar
vigolium replay --session-id login -i curl-login.sh
vigolium replay --session-id login --record-uuid <action-uuid>

# Confirm against a different environment than the baseline
vigolium replay --record-uuid abc12345 --target https://staging.example.com \
                 -m 'name=user,payload=admin' -H 'X-Forwarded-For: 127.0.0.1'

# Merge headers from a saved auth session (from `vigolium auth list`)
vigolium replay --record-uuid abc12345 --target https://staging.example.com \
                 --auth-session my-session

Bulk replay

Pass --all (or any of --host / --method / --status / --path / --source / --search / --body) to replay every matching stored record through the mutation/diff engine, streaming one JSONL object per record with per-record error isolation.
# Replay ALL stored traffic through Burp (JSONL out, 5 at a time)
vigolium replay --all --proxy http://127.0.0.1:8080 -c 5

# Replay every record from a standalone export (project scoping off)
vigolium replay -S --db scan.sqlite --all --proxy http://127.0.0.1:8080 -c 5

# Fuzz an 'id' param across every matching GET record
vigolium replay --method GET --host api.example.com -m 'name=id,payload=1 OR 1=1'
  • --all lifts the default -n/--limit cap (100); narrow the set with the filter flags instead. Without -m/--mutate, each record is re-sent verbatim.
  • Throttle with -c/--concurrency (default 10); cap the set with -n/--limit (default 100, lifted by --all).
  • -S/--stateless --db <file> reads baselines from a standalone .sqlite/.jsonl export with project scoping off — it never writes to your project DB.

Strategies & Phases

Inspect scanning strategy presets and the phases that make up a scan.
vigolium strategy
vigolium strategy ls
vigolium phase

Modules

Manage the active and passive scanner modules.
vigolium module ls
vigolium module ls xss             # Search by keyword
vigolium module enable xss
vigolium module disable sqli
vigolium scan -M                   # List all modules from the scan command

Skills

Install the coding-agent skill bundles shipped inside the binary (so they always match your CLI version) into a coding agent’s skills directory. See Using Vigolium in your agent.
vigolium skills                                   # List bundled skills (alias: vigolium skills list)
vigolium skills get vigolium-scanner              # Print a bundle without installing it
vigolium skills install                           # Install vigolium-scanner for Claude into the current project
vigolium skills install --agent codex --scope global   # --agent claude|codex|agents, --scope project|global
vigolium skills install --all                     # Install every bundled skill
vigolium skills install --dir ./.claude/skills    # Override the destination directory

Extensions

Run and manage JavaScript extensions that hook into the scanner.
vigolium ext ls
vigolium ext docs
vigolium ext preset
vigolium ext example                       # Print every example extension (all supported formats)
vigolium ext example --list                # Just the catalog index (keys + titles)
vigolium ext example js-active-insertion   # Print a single example by its catalog key
vigolium ext example --lang yaml           # Restrict to one language
vigolium ext eval 'vigolium.log("hello")'
vigolium ext eval --ext-file script.js

Scope

Control what’s in-scope. Source code is attached per scan via the --source flag on vigolium agent <subcommand> (autopilot, swarm, query, audit).
vigolium scope view
vigolium scope set host.include '*.example.com'

Agent (AI)

Run agentic and source-audit modes. See Agent Mode for the full list of subcommands.

agent query: single-shot prompts

vigolium agent query --source ./src --prompt-template security-code-review
vigolium agent query --source ./src --prompt-template endpoint-discovery
vigolium agent query 'review this code for vulnerabilities'
vigolium agent query --agent-label code-review --prompt-file custom-prompt.md
vigolium agent --list-templates

agent swarm: AI-guided multi-phase scan

vigolium agent swarm -t https://example.com --discover
vigolium agent swarm -t https://example.com --discover --focus 'API injection'

# Skill control (force-load attack-vector skills, bypass planner selection)
vigolium agent swarm -t https://example.com --discover --skill-tag xss,idor
vigolium agent swarm -t https://example.com --discover --no-skill-filter

agent autopilot: autonomous agentic scan

# Natural-language prompt — target, source, and focus auto-extracted
vigolium agent autopilot "scan VAmPI source at ~/src/VAmPI on localhost:3005"
vigolium agent autopilot "test auth bypass on https://app.example.com"

# Plain target
vigolium agent autopilot -t https://example.com/api

# Source-aware (auto-runs vigolium-audit first to build context)
vigolium agent autopilot -t https://example.com --source ./src
vigolium agent autopilot -t https://example.com --source ./src --audit=off   # disable vigolium-audit

# Pipe a curl command or raw HTTP request via stdin
curl -s https://example.com/api/users | vigolium agent autopilot
cat request.txt | vigolium agent autopilot -t https://example.com

# Pass curl/raw HTTP as input
vigolium agent autopilot --input "curl -X POST -H 'Content-Type: application/json' \
  -d '{\"user\":\"admin\"}' https://example.com/api/login"

# Focus the agent on specific vulnerability classes
vigolium agent autopilot -t https://example.com --focus "auth bypass and IDOR"

# Skill control — force-load skills by name or tag, or skip pre-flight selection
vigolium agent autopilot -t https://example.com --skill idor-blast-radius
vigolium agent autopilot -t https://example.com --skill-tag xss,idor
vigolium agent autopilot -t https://example.com --no-skill-filter

# Intensity presets — quick (CI/PR), balanced (default), deep (pentest)
vigolium agent autopilot -t https://example.com --intensity deep
vigolium agent autopilot -t https://example.com --source ./src --intensity quick

# Narrow source scope
vigolium agent autopilot -t https://example.com --source ./src \
  --files "routes/api.js,controllers/auth.js" \
  --instruction "Focus on the new payment endpoint"

# PR / diff-aware scan
vigolium agent autopilot -t https://example.com --source ./src --diff "main...feature-branch"
vigolium agent autopilot -t https://example.com --source ./src --last-commits 3

# Backend / browser / auth
vigolium agent autopilot -t https://example.com --provider anthropic-api-key
vigolium agent autopilot -t https://example.com --browser --credentials "admin/admin123"

# Limits and previews
vigolium agent autopilot -t https://example.com --intensity deep --max-duration 4h
vigolium agent autopilot -t https://example.com --intensity quick --triage
vigolium agent autopilot -t https://example.com --source ./src --dry-run
vigolium agent autopilot -t https://example.com --source ./src --show-prompt

agent audit: unified source audit (vigolium-audit + piolium)

Runs the vigolium-audit harness and/or piolium against a single source tree under one AgenticScan, with per-driver session subdirs and a post-pass findings dedup. vigolium-audit is the embedded harness name; the CLI driver value is audit.
# Default driver is "auto": run audit; fall back to piolium only if the
# claude/codex CLI required by audit is missing. Balanced mode.
vigolium agent audit --source .

# Run both drivers back-to-back, unconditionally
vigolium agent audit --driver both --source ./backend

# Single driver — piolium only (no audit, no fallback)
vigolium agent audit --driver piolium --source ./backend --mode lite
vigolium agent audit --driver audit   --source ./backend --agent claude

# Multi-driver, deep intensity, against a remote git URL
vigolium agent audit --driver both --source git@github.com:org/repo.git --intensity deep
vigolium agent audit --driver both --source https://github.com/org/repo.git --commit-depth 0   # full history

# Override pi's provider/model for the piolium leg
vigolium agent audit --driver both --source ./backend \
  --pi-provider vertex-anthropic --pi-model claude-opus-4-6

# Driver-specific modes (piolium=longshot/smoke, audit=mock)
vigolium agent audit --driver piolium --source ./mono-repo --mode longshot \
  --plm-longshot-langs python,go --plm-longshot-limit 200
vigolium agent audit --driver audit --source ./backend --mode mock

# Cap commit-history scan window (piolium only)
vigolium agent audit --driver piolium --source ./backend --plm-scan-since "60 days ago"
vigolium agent audit --driver piolium --source ./backend --plm-scan-limit 500

# Skip post-pass dedup or preflight checks
vigolium agent audit --source ./backend --no-dedup
vigolium agent audit --source ./backend --no-preflight

# Pull source from a cloud-storage archive, upload results when done
vigolium agent audit --source gs://my-bucket/snapshots/repo.tar.gz
vigolium agent audit --source ./backend --upload-results

# Stateless one-shot: run into a throwaway DB and auto-render a self-contained HTML report
vigolium agent audit --source ./backend -S

# Bundle the HTML report + each ran driver's raw vigolium-results/ tree into one folder
vigolium agent audit --driver both --source ./backend -S --output-dir ./audit-bundle
-S/--stateless runs the whole audit into a throwaway temp DB (your main DB is untouched, mirroring scan -S) and, on completion, renders a self-contained HTML report from the run’s findings to vigolium-result/vigolium-audit-report.html (override with -o/--output, which supports gs:// and {ts}). --output-dir <dir> (stateless-only) additionally bundles that report and a copy of each ran driver’s raw vigolium-results/ tree into one folder — a single driver lands flat at <dir>/vigolium-results/, multiple are namespaced under <dir>/<driver>/. -S is rejected with --interactive. --keep-raw is on by default for the CLI (it retains the <source>/vigolium-results/ copy); --clean-raw removes that source copy after the run.

log: replay an agentic session

Every olium agent run (autopilot, swarm, query, olium) writes a Pi-compatible transcript.jsonl. Replay it as a rendered conversation, or dump the raw JSONL:
vigolium log                       # Replay the most recent agentic session
vigolium log <session-id>          # Replay a specific session
vigolium log --raw                 # Print the raw transcript JSONL verbatim instead of the rendered replay

Configuration

vigolium config ls
vigolium config clean
vigolium init                     # Initialize ~/.vigolium with defaults
vigolium doctor                   # Diagnose configuration and tool readiness
vigolium auth                     # Authentication management utilities
vigolium project                  # Manage multi-tenant projects
This page covers the most common invocations. Every command supports --help for the full flag reference, and most commands accept the global flags shown by vigolium --help.