{"id":51147363,"url":"https://github.com/vigolium/vigolium","last_synced_at":"2026-07-12T02:00:38.934Z","repository":{"id":359944040,"uuid":"1176032914","full_name":"vigolium/vigolium","owner":"vigolium","description":"Vigolium - High-fidelity vulnerability scanner fusing agentic AI with native speed, modularity, and precision","archived":false,"fork":false,"pushed_at":"2026-07-10T17:44:53.000Z","size":22130,"stargazers_count":770,"open_issues_count":5,"forks_count":120,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-07-10T19:15:07.802Z","etag":null,"topics":["bug-bounty","dast","security","security-audit","security-scanner","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://www.vigolium.com/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vigolium.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-03-08T14:25:35.000Z","updated_at":"2026-07-10T17:45:02.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/vigolium/vigolium","commit_stats":null,"previous_names":["vigolium/vigolium"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/vigolium/vigolium","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigolium%2Fvigolium","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigolium%2Fvigolium/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigolium%2Fvigolium/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigolium%2Fvigolium/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vigolium","download_url":"https://codeload.github.com/vigolium/vigolium/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigolium%2Fvigolium/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35379591,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-12T02:00:06.386Z","response_time":87,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","dast","security","security-audit","security-scanner","vulnerability-scanner"],"created_at":"2026-06-26T04:00:27.549Z","updated_at":"2026-07-12T02:00:38.926Z","avatar_url":"https://github.com/vigolium.png","language":"Go","funding_links":[],"categories":["Tools","Miscellaneous"],"sub_categories":["Scanning","Vulnerability Scanners"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Vigolium\" src=\"https://avatars.githubusercontent.com/u/266502139?s=200\u0026v=4\" height=\"140\" /\u003e\n  \u003cbr /\u003e\n  \u003cstrong\u003eVigolium - High-fidelity vulnerability scanner fusing agentic AI with native speed, modularity, and precision\u003c/strong\u003e\n\n  \u003cp align=\"center\"\u003e\n  \u003ca href=\"https://console.vigolium.com/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Vigolium-Cloud-0078D4?style=flat\u0026logo=google-cloud\u0026logoColor=ffb86c\u0026labelColor=black\u0026color=black\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://docs.vigolium.com/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Documentation-0078D4?style=flat\u0026logo=GitBook\u0026logoColor=8be9fd\u0026labelColor=black\u0026color=black\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://twitter.com/Vigolium\"\u003e\u003cimg src=\"https://img.shields.io/badge/Vigolium-0078D4?style=flat\u0026logo=X\u0026logoColor=f8f8f2\u0026labelColor=black\u0026color=black\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://discord.gg/aHFypbAu6Y\"\u003e\u003cimg src=\"https://img.shields.io/badge/Discord%20Server-0078D4?style=flat\u0026logo=Discord\u0026logoColor=bd93f9\u0026labelColor=black\u0026color=black\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.linkedin.com/company/vigolium\"\u003e\u003cimg src=\"https://custom-icon-badges.demolab.com/badge/LinkedIn-black?logo=linkedin-white\u0026logoColor=39ff14\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.linkedin.com/company/vigolium\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/@vigolium/vigolium.svg?style=flat\u0026logo=npm\u0026logoColor=50fa7b\u0026labelColor=black\u0026color=black\"\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/p\u003e\n\n***\n\nVigolium provides two complementary scanning modes:\n\n- **Native Scan** (`vigolium scan`): **Fast, powerful, and flexible.** Deterministic, multi-phase scanning with 250+ modules across content discovery, browser/SPA spidering, and active/passive audit, covering injection, access control, file/path, API/protocol, framework-specific, cloud/infra, and out-of-band (OAST) vulnerability classes.\n\n- **Agentic Scan** (`vigolium agent`): **Thoroughly audits your codebase.** AI-driven scanning that autonomously plans attacks, selects modules, generates custom extensions, and triages results, combining [deep source-code audit](https://github.com/vigolium/vigolium-audit) with autonomous and targeted vulnerability scanning.\n\n\n## Installation\n\n### Quick Install (Recommended)\n\n```bash\ncurl -fsSL https://vigolium.com/install.sh | bash\n```\n\n### [npm](https://www.npmjs.com/package/@vigolium/vigolium)\n\n```bash\nnpm install -g @vigolium/vigolium\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eOther method like Docker or Build from source\u003c/summary\u003e\n\n### Docker\n\n```bash\ndocker pull j3ssie/vigolium:latest\ndocker run --rm j3ssie/vigolium:latest scan -h\n```\n\n### Build from Source\n\n```bash\ngit clone https://github.com/vigolium/vigolium.git\ncd vigolium\nmake build         # build and install to $GOPATH/bin\n```\n\nRequires **Go 1.26+** and **bun 1.3.11+**. See [HACKING.md](HACKING.md#build-and-run) for prerequisites and build details.\n\n\u003c/details\u003e\n\n\n| UI Dashboard | Traffic Dashboard |\n|:---:|:---:|\n| ![Dashboard 1](https://github.com/vigolium/docs/blob/main/images/vigolium-main-workbench.png?raw=true) | ![Dashboard 2](https://github.com/vigolium/docs/blob/main/images/vigolium-ui-dashboard-2.png?raw=true) |\n\n| Static Reports | Static Reports |\n|:---:|:---:|\n| ![Static Report 1](https://github.com/vigolium/docs/blob/main/images/vigolium-static-report-1.png?raw=true) | ![Static Report 2](https://github.com/vigolium/docs/blob/main/images/vigolium-static-report-2.png?raw=true) |\n\n| Native scan | Agentic Scan |\n|:---:|:---:|\n| ![Native scan](https://github.com/vigolium/docs/blob/main/images/vigolium-cli-native-scan.png?raw=true) | ![Agentic Scan](https://github.com/vigolium/docs/blob/main/images/vigolium-cli-agent-audit-1.png?raw=true) |\n\n## Key Features\n\n### Native Scan\n\n- **235+ scanner modules**: 144+ active (fuzzing) + 91+ passive (pattern matching), covering OWASP Top 10 and beyond\n- **Out-of-band testing (OAST)**: blind XSS/SSRF/command injection via interactsh callbacks with automatic payload correlation\n- **Value-aware mutation**: classifies parameters by semantic type (integer, UUID, JWT, email) and mutates per intent\n- **Multi-phase pipeline**: external harvesting, content discovery (Deparos), browser/SPA spidering (Spitolas), and audit, controlled by strategy presets and scanning profiles\n- **Flexible inputs**: URLs, OpenAPI/Swagger, Postman, Burp Suite, cURL, Nuclei JSONL\n- **Multi-session authentication**: inline sessions, session files, or full auth configs with login flows, token extraction, and IDOR/BOLA testing\n- **JavaScript extensions**: custom modules and hooks via embedded JS engine with session-aware HTTP APIs\n- **Scalable \u0026 reportable**: concurrent worker pool with per-host rate limiting, hybrid in-memory/disk/Redis queue, and self-contained HTML reports\n\n### Agentic Scan\n\n- **In-process olium runtime**: every agent mode runs on the native Go `pkg/olium` engine: turn-based loop, built-in tool registry, skills support, and pluggable provider drivers (no subprocess SDK pools)\n- **Autopilot**: agent autonomously discovers endpoints, runs scans, and triages findings, with optional multi-specialist pipeline and session resume\n- **Swarm**: master agent selects modules, generates custom JS attack extensions, runs code audit + SAST, executes scans, and triages results; targeted or full-scope (`--discover`), with `--diff`/`--last-commits` for change-focused runs\n- **Source-audit drivers**: `audit`, `piolium`, and the unified `audit` dispatcher run foreground source-code audits sharing one finding schema and DB tagging\n- **Query mode**: single-shot prompts for code review, endpoint discovery, and secret detection\n- **Pluggable providers**: `openai-codex-oauth` (default), `anthropic-api-key`, `anthropic-oauth`, `openai-api-key`, `anthropic-cli`, `google-vertex`. Same modes exposed over the REST API with SSE streaming and an OpenAI-compatible chat endpoint\n\n## Quick Start: Native Scan\n\n```bash\n# Scan a single target (default: balanced strategy)\nvigolium scan -t https://example.com\n\n# Scan with a strategy preset\nvigolium scan -t https://example.com --strategy deep\n\n# Scan specific modules only\nvigolium scan -t https://example.com -m xss-reflected,sqli-error\n\n# Scan from an OpenAPI spec\nvigolium scan -T openapi.yaml -I openapi\n\n# Pipe URLs from stdin\ncat urls.txt | vigolium scan\n\n# Run a single phase directly\nvigolium run discovery -t https://example.com\n\n# Generate an HTML report\nvigolium scan -t https://example.com --only discovery --format html -o report.html\n```\n\nSee the [architecture overview](https://docs.vigolium.com/architecture/overview) for the full pipeline and the [strategies guide](https://docs.vigolium.com/native-scan/strategies) for strategies, profiles, and pace configuration. For a quick command reference, see [docs.vigolium.com/getting-started/cheat-sheet](https://docs.vigolium.com/getting-started/cheat-sheet).\n\n## Server Mode\n\n```bash\n# Start API server with authentication\nvigolium server -k my-secret-key\n\n# Enable transparent HTTP proxy for traffic recording\nvigolium server -k my-key --ingest-proxy-port 9003\n\n# Auto-scan ingested traffic\nvigolium server -k my-key --scan-on-receive\n```\n\n```bash\n# Ingest traffic to a running server\ncat urls.txt | vigolium ingest -s http://localhost:9002\n\n# Ingest an OpenAPI spec\nvigolium ingest -s http://localhost:9002 -i api.yaml -I openapi\n```\n\nSee [running the server](https://docs.vigolium.com/server-mode/running-the-server) for server setup, [ingestion](https://docs.vigolium.com/server-mode/ingestion) for ingestion workflows, and the [API overview](https://docs.vigolium.com/api-overview) for the full REST API reference.\n\n\u003e **Burp Suite integration**: forward live Burp Suite traffic to a running Vigolium server with the [burp-vigolium](https://github.com/vigolium/burp-vigolium) extension.\n\n## Authenticated Scanning\n\nVigolium supports multi-session authenticated scanning for IDOR/BOLA testing and privilege escalation checks:\n\n```bash\n# Inline session via CLI flag (name:Header:value)\nvigolium scan -t https://example.com \\\n  --auth \"admin:Cookie:session_id=abc123\" \\\n  --auth \"user:Cookie:session_id=xyz789\"\n\n# Load session(s) from a YAML/JSON file\nvigolium scan -t https://example.com --auth-file ./admin-session.yaml\n\n# Auth file with an automated login flow (token extraction, etc.)\nvigolium scan -t https://example.com --auth-file ./login-flow.yaml\n\n# Add custom headers (works with sessions)\nvigolium scan -t https://example.com -H \"Authorization: Bearer token123\"\n```\n\nAuth files support static headers, bearer tokens, and automated login flows with token extraction from cookies, JSON responses, or headers. Preset examples are available in `public/presets/sessions/`. See the [authentication guide](https://docs.vigolium.com/native-scan/authentication) for the full guide.\n\n\u003e The `--auth` / `--auth-file` flags were previously named `--session` / `--session-file`. The old names still work as deprecated aliases.\n\n## Agentic Scan\n\nAI-driven scanning where agents autonomously plan, execute, and triage vulnerability assessments with the native scan engine underneath:\n\n```bash\n# Autopilot: autonomous AI-driven scanning (in-process olium engine)\nvigolium agent autopilot -t https://example.com\nvigolium agent autopilot -t https://example.com --source ./src --focus \"auth bypass\"\nvigolium agent autopilot -t https://example.com --diff main...feature/auth   # diff-focused\nvigolium agent autopilot -t https://example.com --intensity deep             # preset bundle\n\n# Swarm: AI-guided targeted or full-scope vulnerability scanning\nvigolium agent swarm -t https://example.com/api/users --vuln-type sqli\nvigolium agent swarm -t https://example.com --discover                       # full-scope\nvigolium agent swarm -t https://example.com --source ./src --discover        # source-aware full-scope\nvigolium agent swarm --input \"curl -X POST https://example.com/api/login -d '{\\\"user\\\":\\\"admin\\\"}'\"\n\n# Source-audit drivers (separate harness, do not route through olium)\nvigolium agent audit --source ./src --mode deep                            # claude harness only (anthropic-*)\nvigolium agent audit --driver=piolium --source ./src --mode balanced        # Pi-native (pi extension)\nvigolium agent audit --source ./src --mode balanced                         # both audit + piolium back-to-back\nvigolium agent audit --source ./src --driver piolium --fallback             # piolium with audit fallback\n\n# Direct olium access (TUI or headless)\nvigolium ol                             # launch the olium TUI\nvigolium ol --prompt \"...\"              # one-shot prompt (-p implies headless)\n```\n\nAgentic scan modes:\n- **Autopilot**: autonomous scanning. CLI calls `pkg/olium/autopilot.Run` directly; the server adds vigolium-audit prep, auth setup, and a frozen context bundle around the same loop\n- **Swarm**: AI-guided vulnerability scanning supporting targeted single-request and full-scope (`--discover`). Master agent analyzes inputs, selects modules, generates custom JS extensions, runs code audit and SAST, executes scans, and triages results\n- **Audit**: source-code audit via `vigolium agent audit` — a unified dispatcher that runs the embedded **vigolium-audit** (claude/codex) and/or **piolium** (Pi-native) harnesses, selected with `--driver {auto|both|audit|piolium}`. Separate harnesses; **do not** route through olium. Per-driver child rows under one parent AgenticScan with post-pass findings dedup. There is no standalone `agent piolium` subcommand — piolium runs via `--driver=piolium`\n\n\u003e **Standalone audit CLIs**: the agentic security audit also ships as standalone CLIs you can run independently of Vigolium: [vigolium-audit](https://github.com/vigolium/vigolium-audit) (the harness behind `vigolium agent audit`) and [piolium](https://github.com/vigolium/piolium) (the Pi-native driver behind `vigolium agent audit --driver=piolium`).\n\nSee the [agent mode guide](https://docs.vigolium.com/agentic-scan/agent-mode) for the full guide.\n\n## ⚡ Vigolium Cloud Console\n\nA cloud-based solution for teams that want the power of Vigolium without managing infrastructure. Console is the **upgraded, fully-featured version of Vigolium**: managed scanning, centralized reporting, team collaboration, and extra features layered on top of the open-source core, so you can focus on fixing vulnerabilities instead of maintaining tooling.\n\n\u003e Check out the Cloud Console at [console.vigolium.com](https://console.vigolium.com/).\n\n## Native Scan Layers\n\nThe native scan pipeline is composed of modular layers, each documented separately:\n\n| Layer | Description | Docs |\n|-------|-------------|------|\n| **Content Discovery (Deparos)** | Adaptive directory/file enumeration with fingerprint-based soft-404 detection | [docs.vigolium.com/native-scan/phases/discovery](https://docs.vigolium.com/native-scan/phases/discovery) |\n| **Browser Spider (Spitolas)** | Chromium-driven state-machine crawler with CDP traffic capture | [docs.vigolium.com/native-scan/phases/spidering](https://docs.vigolium.com/native-scan/phases/spidering) |\n| **Audit** | Active/passive vulnerability scanning with insertion point extraction and DiffScan framework | [docs.vigolium.com/native-scan/phases/audit](https://docs.vigolium.com/native-scan/phases/audit) |\n| **Scanner Modules** | 154 active and 97 passive modules covering OWASP Top 10 and beyond | [docs.vigolium.com/native-scan/modules-reference](https://docs.vigolium.com/native-scan/modules-reference) |\n\n## Documentation\n\nFull documentation lives at [docs.vigolium.com](https://docs.vigolium.com/). Release notes and version history are in the [CHANGELOG](CHANGELOG.md). Quick links:\n\n| Topic | Link |\n|-------|------|\n| Setup Agents | [docs.vigolium.com/getting-started/setup-agent](https://docs.vigolium.com/getting-started/setup-agent) |\n| Start a Native Scan | [docs.vigolium.com/getting-started/native-scan](https://docs.vigolium.com/getting-started/native-scan) |\n| Start an Agentic Scan | [docs.vigolium.com/getting-started/agentic-scan](https://docs.vigolium.com/getting-started/agentic-scan) |\n| Start an Agentic Audit | [docs.vigolium.com/getting-started/agentic-security-audit](https://docs.vigolium.com/getting-started/agentic-security-audit) |\n| Quickstart | [docs.vigolium.com/getting-started/quickstart](https://docs.vigolium.com/getting-started/quickstart) |\n| Cheat Sheet | [docs.vigolium.com/getting-started/cheat-sheet](https://docs.vigolium.com/getting-started/cheat-sheet) |\n| Server \u0026 Ingestion | [docs.vigolium.com/getting-started/server-and-ingestion](https://docs.vigolium.com/getting-started/server-and-ingestion) |\n| Writing Extensions | [docs.vigolium.com/customization/writing-extensions](https://docs.vigolium.com/customization/writing-extensions) |\n\n## JavaScript Engine\n\nRun JavaScript/TypeScript code directly or write custom scan modules and hooks without recompiling:\n\n```bash\n# Execute inline JavaScript\nvigolium js --code 'let r = vigolium.http.get(TARGET); console.log(r.status)' -t https://example.com\n\n# Run a JS file with timeout\nvigolium js --code-file ./my-script.js -t https://example.com --timeout 60s\n\n# Manage extensions\nvigolium ext ls                # list loaded extensions\nvigolium ext docs --example    # browse API with code examples\nvigolium ext preset            # install starter scripts\n```\n\nThe JS engine exposes session-aware HTTP APIs for authenticated testing:\n\n```javascript\n// Create a persistent session with shared cookie jar.\n// post() takes a string body — serialize objects yourself.\nlet session = vigolium.http.session();\nsession.post(\n  \"https://app.example.com/login\",\n  JSON.stringify({ user: \"admin\", pass: \"secret\" }),\n  { headers: { \"Content-Type\": \"application/json\" } }\n);\nsession.get(\"https://app.example.com/dashboard\"); // cookies auto-sent\n\n// Automated login flow with token extraction\nlet authed = vigolium.http.login({\n  url: \"https://app.example.com/api/auth\",\n  method: \"POST\",\n  body: JSON.stringify({ username: \"admin\", password: \"pass\" }),\n  extract: [{ source: \"json\", path: \"$.token\", apply_as: \"Authorization: Bearer {value}\" }]\n});\n\n// IDOR/BOLA testing across multiple sessions\nlet results = vigolium.http.authTest({\n  sessions: { admin: adminSession, user: userSession },\n  requests: [{ method: \"GET\", url: \"https://app.example.com/api/users/1\" }]\n});\n\n// Multi-step authentication sequences\nlet result = vigolium.http.sequence([\n  { url: \"/csrf\", extract: [{ source: \"cookie\", name: \"csrf_token\", as: \"token\" }] },\n  { url: \"/login\", method: \"POST\", body: \"csrf={token}\u0026user=admin\" }\n]);\n\n// Parallel request batching (race conditions, IDOR)\nlet responses = vigolium.http.batch([req1, req2, req3], { concurrency: 10 });\n\n// CSRF token extraction\nlet csrf = vigolium.http.csrf(\"https://app.example.com/form\");\n\n// HTTP request replay with variations\nlet varied = vigolium.http.replay(rawRequest, [\n  { headers: { \"Authorization\": \"Bearer admin_token\" } },\n  { headers: { \"Authorization\": \"Bearer user_token\" } }\n]);\n```\n\nSee [writing extensions](https://docs.vigolium.com/customization/writing-extensions) for the extension authoring guide and `pkg/jsext/vigolium.d.ts` for the full TypeScript API definitions.\n\n## CLI Reference\n\n\u003cdetails\u003e\n\u003csummary\u003eExpand the full commands \u0026 flags reference\u003c/summary\u003e\n\n### Commands\n\n```\nScanning:\n  vigolium scan                Run a native scan (deterministic multi-phase vulnerability scanning)\n  vigolium run \u003cphase\u003e         Run a single native scan phase (alias for scan --only \u003cphase\u003e)\n  vigolium scan-url \u003curl\u003e      Quick native scan of a single URL\n  vigolium scan-request        Native scan from a raw HTTP request\n\nAgentic scan (in-process olium engine):\n  vigolium agent autopilot     Autonomous AI-driven vulnerability scanning\n  vigolium agent swarm         AI-guided targeted or full-scope vulnerability scanning\n  vigolium agent query         Single-shot prompt (code review, endpoint discovery)\n  vigolium agent olium         Direct olium TUI (or one-shot non-interactive via -p)\n  vigolium agent audit         Unified driver dispatcher (vigolium-audit and/or piolium, --driver=auto|both|audit|piolium)\n  vigolium agent session       Browse/replay agent session artifacts\n  vigolium olium | vigolium ol Top-level alias for `vigolium agent olium`\n\nServer \u0026 ingestion:\n  vigolium server              Start the API server with traffic ingestion\n  vigolium ingest              Ingest traffic to a running server\n  vigolium storage             Interact with cloud object storage (uploads, downloads)\n\nData \u0026 projects:\n  vigolium db                  Database operations (list, stats, export, clean, seed)\n  vigolium finding             Browse and manage findings (load, tui)\n  vigolium traffic             Browse and replay HTTP records (tui, replay)\n  vigolium replay              Mutate a stored/supplied HTTP request and diff baseline vs replay\n  vigolium project             Manage projects (create, list, use, config)\n  vigolium scope               Manage scope rules\n  vigolium import              Import findings/data from external sources\n  vigolium export              Export scan results\n\nExtensions \u0026 auth:\n  vigolium js                  Execute JavaScript/TypeScript code\n  vigolium ext                 Manage JavaScript extensions (eval, lint)\n  vigolium auth                Manage authentication sessions (list, load, lint, totp)\n\nSetup \u0026 introspection:\n  vigolium init                Initialize a Vigolium workspace\n  vigolium config              Manage configuration (ls, set, path, clean)\n  vigolium strategy            Inspect scanning strategies and phases\n  vigolium module              Inspect/enable scanner modules\n  vigolium doctor              Diagnose environment \u0026 dependencies\n  vigolium version             Show version info\n```\n\n### Flags\n\n```\nNative Scan (vigolium scan / run):\n  -t, --target           Target URL\n  -T, --target-file      File containing target URLs\n  -i, --input            Input file path (- for stdin)\n  -I, --input-mode       Input format: urls, openapi, nuclei, burpxml, curl, postman\n  -m, --modules          Modules to run (comma-separated or 'all')\n      --strategy         Strategy preset: lite, balanced, deep\n      --scanning-profile Scanning profile name or YAML path\n      --only             Single phase: ingestion, discover (deparos), spidering (spitolas),\n                         external-harvest, spa, audit\n\nAuthentication:\n      --auth              Inline session definition (name:Header:value, repeatable)\n      --auth-file         Session YAML/JSON file path, supports login flows (repeatable)\n  -H, --header           Custom HTTP header (repeatable)\n\nPerformance:\n  -c, --concurrency      Concurrent workers (default: 50)\n  -r, --rate-limit       Max requests/sec (default: 0 = unlimited)\n      --max-per-host     Per-host concurrency cap (default: 2)\n      --proxy            HTTP/SOCKS5 proxy URL\n      --timeout          HTTP request timeout (default: 15s)\n\nAgentic Scan (vigolium agent autopilot / swarm / query):\n      --source             Path to source code for source-aware scanning\n      --files              Specific files to include relative to --source\n      --source-label       Label for source code ingestion\n      --provider           Olium provider: openai-codex-oauth, anthropic-api-key,\n                           anthropic-oauth, openai-api-key, anthropic-cli,\n                           google-vertex\n      --model              Model ID override\n      --oauth-token        OAuth bearer token (anthropic-oauth)\n      --oauth-cred         OAuth/SA file path (openai-codex-oauth, google-vertex)\n      --llm-api-key        API key (anthropic-api-key, openai-api-key)\n      --vuln-type          Vulnerability type focus (sqli, xss, ssrf, ...)\n      --focus              Focus area for the agentic scan\n      --intensity          Preset bundle: quick, balanced, deep\n      --diff               Diff range / PR URL / HEAD~N for change-focused scans\n      --last-commits       Shorthand for --diff HEAD~N\n      --code-audit         Enable AI code audit (default: on with --source)\n      --discover           Run discovery+spidering before planning (swarm)\n      --audit             Audit mode: lite, balanced, deep, off (autopilot/swarm)\n      --driver             Audit driver: both, audit, piolium (agent audit)\n      --fallback           Fall back to audit when piolium fails (agent audit)\n      --no-preflight       Skip 'claude -p' preflight (agent audit)\n      --max-iterations     Max triage-rescan iterations\n      --max-commands       Cap on agent tool calls\n      --token-budget       Cap on aggregate tokens\n      --max-duration       Max agent wall-clock time (0 = no limit)\n      --only / --skip / --start-from   Phase control (swarm)\n\nJavaScript:\n      --code             Inline JavaScript to execute\n      --code-file        Path to JS/TS file to execute\n      --timeout          Execution timeout (default: 30s)\n\nOutput:\n  -j, --json             JSON output\n      --format           Output format: console, jsonl, html\n  -o, --output           Output file path\n      --silent           Suppress all output except findings\n  -v, --verbose          Verbose logging\n```\n\n\u003c/details\u003e\n\n## Repository Layout\n\nThe `platform/` directory contains external tooling, UI Dashboard and is not part of the core scanner. No changes should be made to it.\n\n## Benchmarks\n\nVigolium is continuously benchmarked against intentionally vulnerable applications and also heavily tested against real-world targets through bug bounty and responsible disclosure programs.\n\n- **Self-hosted (Docker):** [DVWA](https://github.com/digininja/DVWA), [OWASP Juice Shop](https://github.com/juice-shop/juice-shop), [VAmPI](https://github.com/erev0s/VAmPI), [crAPI](https://github.com/OWASP/crAPI), [Vulnerable Java App](https://github.com/DataDog/vulnerable-java-application), [Vulnerable Nginx](https://github.com/detectify/vulnerable-nginx), [OopsSec Store](https://github.com/kOaDT/oss-oopssec-store) (custom Next.js app)\n- **External (hosted):** [Acunetix TestPHP](http://testphp.vulnweb.com), [Gin \u0026 Juice Shop](https://ginandjuice.shop), [Testfire](http://demo.testfire.net)\n- **XSS \u0026 multi-vuln:** [BruteLogic XSS](test/benchmark/xss_scanner/), [XBOW](test/benchmark/definitions/xbow/) (XSS, SQLi, SSTI, LFI, SSRF, XXE, command injection)\n\nRun benchmarks with `make test-canary` (Docker apps) or `make test-integration` (XSS).\n\n## Development\n\n```bash\nmake build          # build and install\nmake test           # run all tests (auto-installs gotestsum)\nmake test-unit      # fast unit tests (-short, no external deps)\nmake test-e2e       # E2E tests (requires Docker)\nmake lint           # run linter\nmake fmt            # format code\n```\n\nSee [HACKING.md](HACKING.md) for the full build guide, codebase map, and module development guide.\n\n## Security\n\nVigolium is an offensive security tool, and two parts of it are intentionally permissive: **agent mode runs with no sandbox** (the LLM has full shell, file, and network access on the host) and **extensions can run arbitrary commands**. Run agent mode in a disposable container/VM scoped to the engagement, and treat untrusted extensions like untrusted code. See [SECURITY.md](SECURITY.md) before you start, and report vulnerabilities in Vigolium itself privately to [contact@vigolium.com](mailto:contact@vigolium.com).\n\n## License\n\nVigolium is released under the [GNU Affero General Public License v3.0](LICENSE). Derivative works must remain open under the same terms.\n\nCrafted with ♥ by [@j3ssie](https://x.com/j3ssie), with [@theblackturtle](https://github.com/theblackturtle) as a core initial contributor.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvigolium%2Fvigolium","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvigolium%2Fvigolium","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvigolium%2Fvigolium/lists"}