[Figure: Vigolium Workbench showing scan overview with severity breakdown and individual finding details]

Vigolium is a high-fidelity web vulnerability scanner that fuses agentic AI with native speed, modularity, and precision. It combines deterministic multi-phase scanning with AI-driven autonomous analysis to deliver comprehensive security coverage — from injection flaws and access control issues to framework-specific vulnerabilities and blind out-of-band attacks. The platform is built around three key components that work together to provide a complete vulnerability scanning solution.

Key Components

Vigolium CLI

The core scanning engine. Handles all scanning logic, module execution, and heavy lifting — from content discovery and browser-based spidering to active fuzzing and agentic AI scanning.

Vigolium Workbench

A self-hosted dashboard for visualizing scan results, managing projects, and tracking findings across your infrastructure. Deploy it on your own servers for full control over your data.

Vigolium Console

A cloud-based solution that provides managed scanning, team collaboration, and centralized reporting without the overhead of self-hosting.

Scanning Mode

Agentic Scan

Agentic scanning uses AI agents to drive or augment the scanning process. It is invoked via vigolium agent <mode>. All AI dispatch is routed through the in-process olium engine, which supports five providers: codex-oauth, anthropic-api-key, claude-oauth, openai-api-key, and claude-code-cli.

| Mode | Command | Description |
|------|---------|-------------|
| Query | vigolium agent query | Single-shot prompt execution. Good for code review, endpoint discovery, secret detection. No network scanning. |
| Autopilot | vigolium agent autopilot | Autonomous AI-driven pentest. The olium engine drives bash, file ops, and the vigolium CLI until it calls halt_scan. |
| Swarm | vigolium agent swarm | 10-phase pipeline where native Go handles heavy lifting and AI intervenes at checkpoints — planning attacks, triaging results, generating custom JS scanner extensions. |
| Archon | vigolium agent archon | Multi-phase whitebox security audit (lite / balanced / deep). Runs as a foreground audit driver or in the background alongside swarm/autopilot. |
| Olium | vigolium olium / vigolium ol | Interactive TUI chat or one-shot non-interactive prompt — the underlying agent runtime. |

All scan-oriented modes support --source for source-aware analysis and store session artifacts (plans, extensions, output) under ~/.vigolium/agent-sessions/.

Native Scan

Deterministic, multi-phase vulnerability scanning via vigolium scan. Fast, modular, and repeatable — runs content discovery, browser spidering, SPA crawling, and active/passive dynamic-assessment phases with 235 scanner modules (144 active, 91 passive).

| Category | Coverage |
|----------|----------|
| Injection | XSS (reflected, DOM-based, SSR hydration), SQL injection (error-based, boolean/time-blind), NoSQL injection, SSTI/CSTI, CRLF injection, command injection, XXE/SAML, prototype pollution |
| Access Control | CSRF, IDOR, authorization bypass, mass assignment, forbidden bypass, HTTP method tampering |
| File & Path | LFI, path traversal, file upload flaws, directory listing, backup/sensitive file discovery, path normalization bypass |
| API & Protocol | GraphQL introspection, SSRF (direct & blind), open redirect, HTTP request smuggling, JWT vulnerabilities, JSONP callback, WebSocket security, race conditions |
| Framework-Specific | Spring Boot, Django, Laravel, Rails, Express, Next.js, Nuxt, Remix, ASP.NET/Blazor, Flask, FastAPI |
| CMS | WordPress (XML-RPC, user enum, AJAX exposure), Drupal, Joomla, CMS installer exposure |
| Cloud & Infra | Firebase (RTDB, storage, auth, functions), cloud storage listing/takeover, default credentials, web cache poisoning, CORS misconfiguration |
| Out-of-Band | Blind vulnerabilities via OAST callbacks (blind SSRF, blind SSTI, OAST probes) |

Vigolium CLI

The CLI is the heart of Vigolium, powering all scanning operations with two complementary modes: native scan and agentic scan.

CLI Highlights

  • Value-aware mutation — classify parameter values by semantic type and generate intelligent mutations
  • Multi-phase pipeline — external harvesting, content discovery, SPA crawling, and audit controlled by strategy presets
  • Scanning profiles — bundle strategy, pace, scope, and module config into a single YAML file
  • Multiple input formats — URLs, OpenAPI/Swagger, Postman, Burp Suite, cURL, Nuclei JSONL
  • Browser-based spider — Chromium-driven crawler with SPA support, form filling, and JS analysis
  • Multi-session authentication — inline sessions, session files, or full auth configs with login flows and token extraction
  • JavaScript extensions — custom modules and hooks via embedded JS engine
  • Source-aware agentic scan — pair --source with swarm, autopilot, or archon for code-context-aware AI scanning and audit
  • Concurrent architecture — configurable worker pool with per-host rate limiting and hybrid queue
  • HTML reports — self-contained HTML reports with sortable/filterable tables
  • API server mode — REST API with Swagger UI, multi-format ingestion, transparent HTTP proxy

Vigolium Workbench

A self-hosted web dashboard that provides a visual interface for managing and analyzing your scan data. Deploy Workbench on your own infrastructure to maintain complete control over your vulnerability data while giving your team an intuitive way to:
  • Browse and filter scan findings with severity breakdown per project
  • Track vulnerability trends across repositories and scan history
  • Manage multiple projects with multi-tenancy support
  • View detailed request/response evidence for each finding

[Figure: Workbench project overview showing scan summary and severity counts]
[Figure: Workbench findings list with severity filters and search]
[Figure: Workbench detailed finding view showing HTTP request and response evidence]
[Figure: Workbench scan history view with vulnerability trend tracking]
[Figure: Self-contained HTML report showing vulnerability summary with severity chart]
[Figure: Self-contained HTML report with sortable and filterable findings table]

Vigolium Console

A cloud-based solution for teams that want the power of Vigolium without managing infrastructure. Console provides managed scanning, centralized reporting, and team collaboration out of the box — so you can focus on fixing vulnerabilities instead of maintaining tooling.
Interested in Vigolium Console? Request a Demo to see it in action.

[Figure: Vigolium Console native scan view]
[Figure: Vigolium Console agentic scan view]
[Figure: Open-source audit project list]
[Figure: Open-source audit findings detail]

Where to Go Next

| I want to… | Start here |
|------------|------------|
| Get up and running quickly | Getting Started |
| Understand how native scanning works | How It Works |
| Pick the right scanning strategy | Strategies |
| Dive into individual scan phases | Phases — discovery, spidering, audit, extension, SPA |
| Try agentic scanning | Agent Mode |
| Let AI drive scans autonomously | Autopilot |
| Run multi-phase AI + native pipelines | Swarm |
| Audit source code in depth | Archon Audit |
| Chat with the agent runtime | Olium |
| Run Vigolium as an API server | Server Mode |
| Tweak scan settings | Configuration |
| Export and format results | Output & Reporting |
| Write custom JS extensions | Writing Extensions |
| Browse the REST API | API References |

For any inquiries, feel free to contact us at [email protected].