Every command here works against the open-source binary.
vigolium <command> -h prints the full flag list for any subcommand.1. Mirror ingested traffic + findings to a live filesystem tree
Run the ingestion server with--mirror-fs to write every saved HTTP record and finding to a flat, browsable directory tree as it is persisted, in addition to the database. This pairs perfectly with the Vigolium Burp extension: as you browse, requests/responses and findings land on disk where your coding agent can read them with plain ls / grep / jq.
output-dir/:
| Path | Contents |
|---|---|
traffic/<host>/<id>.req | Raw request (leading @target <scheme>://<authority> line, then the request verbatim, replayable by stripping line 1) |
traffic/<host>/<id>.resp.headers | Status line + response headers |
traffic/<host>/<id>.resp.body | Response body (gzip-decoded so it greps clean) |
traffic/<host>/index.jsonl | Append-only, jq-friendly map of ids → method/url/status/content-type |
findings/<host>/<id>.md | Each finding, cross-linked to its .req file |
Mirroring never blocks the database save path (it runs on a background writer) and resumes per-host id numbering across server restarts. Config equivalent:
server.mirror_fs_path. Add -S/--scan-on-receive to also scan the traffic as it arrives (see section 3).2. Replay ALL stored traffic through Burp Suite
Re-send stored records through an intercepting proxy so you can inspect and manipulate them manually in Burp. Keep concurrency low (-c) so you don’t overwhelm the proxy.
--all lifts the default -n/--limit cap (100). You can narrow the bulk set instead of --all with --host, --method, --status, --path, --source, --search, or --body. -S/--stateless reads records from a .jsonl export or a standalone .sqlite with project scoping off, it never writes to your project DB.3. Passive / secret scan on forwarded traffic
When you forward traffic into Vigolium from another source (the Burp extension, a proxy, or thevigolium ingest client), start the server in scan-on-receive mode. Use --passive-only to run passive modules only, no active scan traffic is sent, and secret detection is included.
| Flag | Behavior |
|---|---|
-S / --scan-on-receive | Continuously scans new records with the dynamic-assessment phase (active + passive modules). |
-S --passive-only | Passive modules only, no active traffic. Includes secret detection, security headers, cookie flags, disclosure, etc. |
-S --full-native-scan-on-receive | Runs the full native pipeline (discovery + spidering + dynamic-assessment) on received records. |
Server mode always enables every passive module.
--passive-only simply zeroes the active modules so the scanner analyzes forwarded request/response pairs without sending any new requests, ideal for scanning traffic you’ve captured elsewhere. Point the Burp extension (or vigolium ingest) at the server’s ingestion endpoint and findings appear as traffic flows in. See Server & Ingestion.4. Import external scan data into the database
Usevigolium import to pull existing data, JSONL exports, audit output folders, and archives, into your database. It auto-detects the input by inspecting the path.
Imported findings are scoped to the active project (
--project / VIGOLIUM_PROJECT). import initializes the schema on a fresh --db path, so it’s safe as the first command against a brand-new database. Supported JSONL types are http_record and finding; other envelope types are counted and skipped.Merging a standalone SQLite database
vigolium import detects a SQLite result database by its magic header (works for .sqlite, .sqlite3, .db, or no extension) and performs a lossless, idempotent SQLite→SQLite merge of the scan-result tables (http_records, findings, scans, agentic_scans, oast_interactions, projects), deduping on natural keys:
-S at a single file with --db, or read across many files at once with --glob-db (they’re merged into one throwaway in-memory DB, so --glob-db implies -S):
Merged rows keep their original
project_uuid, so imported data stays scoped to whatever project it was scanned under. Importing the same database twice adds nothing the second time (dedup on natural keys). Requires a SQLite destination — a Postgres destination returns a clear error. To merge many parallel scans into one shared DB during scanning instead, use --db-isolate (see section 5).5. Scan a large list of targets in parallel
Point Vigolium at a large target list and use-P/--parallel N to scan several hosts at once. Each target runs in its own isolated child process, so there is no cross-contamination between workers, and each child keeps its own --concurrency, meaning real in-flight requests are roughly N × --concurrency.
-P requires one of two output strategies so results never collide:
--stateless --split-by-host— each target runs against its own temporary database and writes a separate per-host output file (base-<host>.<ext>). Nothing is persisted. Best for stateless, fire-and-forget batches.--db-isolate— each worker scans into a private temporary SQLite database, then merges its results into the shared--db(or the default DB) at the end. This lets many parallel scans share one database without write contention, and you export one unified report from the merged DB afterward.
--db-isolate is SQLite-only and cannot be combined with --stateless (they are two different ways to avoid write contention). Pressing Ctrl-C during a -P batch is treated as an operator stop: un-started and cut-short targets are reported as “not scanned” rather than failures.6. Resume a large parallel scan
A stateless parallel fan-out (-S -T --split-by-host -P) writes a tiny line-cursor manifest, <output>.progress.json, tracking the targets that completed cleanly. If the batch is interrupted (Ctrl-C, a crash, a CI timeout), re-run it with --resume to skip the finished targets and scan only the remainder, Vigolium also prints a copy-pasteable resume command on Ctrl-C/failure:
vigolium scan --resume bare, with no other flags, and it auto-discovers the *.progress.json in the current directory and relaunches the saved run from it (pass -o <prefix> to disambiguate when several manifests exist).
--resume currently applies only to the parallel fan-out (-S -T --split-by-host -P > 1). Resuming a plain sequential scan re-runs it in full.7. Scan from an OpenAPI / Swagger / Postman / Burp / HAR input
Feed a spec or capture with-i <file> and select the format with -I <format>. Auto-discovery/crawling is skipped, Vigolium scans exactly the endpoints defined in the input.
Format aliases:
openapi/swagger, postman, burpxml/burp/burp-xml, burpraw/raw, har/http-archive, nuclei/nuclei-output. Run vigolium scan --list-input-mode for the full list. Use -t/--target to supply the base URL when a spec carries only paths.8. Scan a single request, no crawling or discovery
scan-request runs scanner modules against exactly one raw HTTP request, keeping all its parameters, cookies, and headers, with no crawling or discovery.
Piping from stdin
Bothscan-url and scan-request auto-detect the stdin format, plain URL, curl command, or raw HTTP request:
9. Target one vulnerability class or technology
Every scan command (scan, scan-url, scan-request, run, ingest) accepts two module filters. Use -m/--modules to enable a subset by fuzzy match on module ID/name, or --module-tag to select by tag (repeatable, OR-combined). Both default to “all” when omitted; when you pass both, the results are merged (union).
By default a module only fires when the target’s detected tech stack matches it (so the GraphQL, AEM, and IIS modules stay dormant on unrelated hosts). If auto-detection misses the stack, add
--no-tech-filter to run the selected modules regardless (this is auto-enabled by --intensity=deep). -m matches loosely (-m xss selects every XSS module); pass a full ID like -m xss-light-url-params to pin exactly one. See Modules.10. Run only specific phases (or skip some)
Use--only to run a subset of phases, or --skip to exclude phases from an otherwise-full scan. Both accept comma-separated phase names and aliases.
| Phase | Aliases |
|---|---|
discovery | deparos, discover |
spidering | spitolas |
known-issue-scan | cve, kis, known-issues |
dynamic-assessment | audit, dast, assessment |
extension | ext |
external-harvest, ingestion | — |
dynamic-assessment is the canonical name for the module-based vulnerability-scanning phase (formerly audit). The same phase names work as the argument to vigolium run <phase>, e.g. vigolium run cve.11. Run a JavaScript extension only
Load one or more custom JS extensions with--ext (repeatable) and restrict the run to the extension phase with --only extension, no built-in modules, just your script.
--ext is a global flag, so it works on any scan command. Drop --only extension to run your extension alongside the built-in modules. See Writing Extensions for the vigolium.* API.12. Content discovery only
Run only the discovery/fuzzing phase, no crawling, no vulnerability modules. The most direct way isvigolium run discover, the phase runner: it executes a single named phase and nothing else. Point it at a wordlist with --fuzz-wordlist.
FUZZ marker works anywhere in the target path: put it where you want the wordlist injected. With no marker, vigolium fuzzes off the target’s directory (equivalent to appending /FUZZ). You can get the same discovery-only behavior on the full scan command with --only discovery --discover:
vigolium run <phase> runs one phase in isolation (discover is an alias for discovery; see section 10 for the full phase/alias list). -S/--stateless keeps it throwaway (nothing written to your project DB); combine with --format fs or -o to persist the discovered surface for later scans. --fuzz-wordlist enables on-the-fly fuzzing; the FUZZ marker pins the exact insertion point. See Discovery phase.13. Add custom HTTP headers
Inject headers, such as auth tokens or cookies, with-H/--header (repeatable). Works on scan, scan-url, and scan-request.
For richer authenticated scans (login flows, token refresh, multi-step sessions), use an auth session file instead, see Authentication and the
vigolium auth command.14. Control scan speed & duration
Cap the wall-clock time with--scanning-max-duration, and tune throughput with -c/--concurrency, -r/--rate-limit, and --max-per-host.
| Flag | Default | Effect |
|---|---|---|
--scanning-max-duration | 0 (use config) | Hard cap on total scan wall-clock time (e.g. 30m, 1h, 2h) |
-c / --concurrency | 50 | Number of concurrent scan workers |
-r / --rate-limit | 100 | Maximum HTTP requests per second (global) |
--max-per-host | 50 | Maximum concurrent requests to any single host |
Lower
--rate-limit and --max-per-host to stay gentle on fragile targets; raise -c and --rate-limit to go faster against robust infrastructure. Under -P/--parallel, each child keeps its own --concurrency, so real in-flight requests are roughly P × --concurrency.15. Inspect & change any config value
Vigolium settings live in~/.vigolium/vigolium-configs.yaml. Read them with vigolium config view (alias for config ls) and write them with vigolium config set <key> <value> using dot-notation — no need to hand-edit the YAML.
config view output:
config view sorts keys and prints the active config file path at the bottom. Sensitive values show as [redacted] unless you pass -F/--force. config set validates the key and writes it back to the same file. Reset everything to clean defaults with vigolium config clean. See Configuration for the full key reference.16. Set a custom OAST domain
Out-of-band callback detection (SSRF, blind RCE, OOB SQLi, etc.) uses an interactsh server,oast.pro by default. Point Vigolium at your own server with the oast.server_url / oast.token config keys:
~/.vigolium/vigolium-configs.yaml:
${VAR} / ${VAR:-default} expansion, so you can keep the domain and token in environment variables instead of writing them into the file:
OAST is enabled by default (
oast.enabled: true). The token is optional (only needed by servers that require auth). See the full field list, poll interval, grace period, and blind-XSS payload source, in Configuration → oast.17. Generate a static HTML report
Add--format html with -o/--output to render a self-contained, ag-grid HTML report. You can produce it during a scan, or after the fact from data already stored or imported.
export / import:
HTML requires
-o/--output. Other report formats: report, pdf (rendered via headless Chrome), and markdown (alias md). The output path accepts gs://<project>/<key> URLs and a {ts} timestamp placeholder. See Output & Reporting → HTML.18. Notify (webhook) when a scan completes
Thewebhook notify provider fires one POST per scan when it reaches a terminal state (completed or failed), regardless of severity, perfect for CI pipelines and dashboards.
~/.vigolium/vigolium-configs.yaml:
webhook fires once per scan regardless of severity; telegram and discord instead fire per finding, gated by notify.severities. Telegram/Discord also honor env-var fallbacks (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, DISCORD_WEBHOOK_URL), so you can keep tokens out of the config file. See Configuration → notify.19. Update Vigolium
vigolium update re-runs the official installer to fetch the latest release binary, then refreshes the local nuclei-templates checkout used by the known-issue scan.
vigolium update runs the same installer as curl -fsSL https://vigolium.com/install.sh | bash, installing to ~/.local/bin/vigolium (checksum-verified). Homebrew, npm, and Docker installs upgrade through their own tooling instead: brew upgrade vigolium, npm update -g @vigolium/vigolium, or docker pull j3ssie/vigolium:latest. Vigolium also checks for a newer release on startup (at most once/day); silence it with VIGOLIUM_DISABLE_UPDATE_CHECK=1, or auto-apply and re-exec with VIGOLIUM_AUTO_UPDATE=1.20. Install the Vigolium Burp extension
The Burp extension forwards traffic you browse/proxy in Burp Suite into a running Vigolium server, so it lands in the database (and, with--mirror-fs, on disk) for scanning and agent triage.
Download the extension JAR
Grab the latest
.jar from the releases page: github.com/vigolium/burp-vigolium/releasesLoad it into Burp Suite
In Burp, go to Extensions → Installed → Add. Set Extension type: Java, then Select file… and choose the downloaded
.jar. Click Next — a Vigolium tab appears.Point it at your Vigolium server
Start an ingestion server and enter its URL (and API key, if set) in the extension’s Vigolium tab:
Pairs naturally with section 1 (live filesystem mirror) and section 3 (passive/secret scan on forwarded traffic): run
vigolium server -S --passive-only --mirror-fs output-dir -A and the extension feeds it while findings and readable request/response files appear in real time.21. Triage findings with a coding agent (Claude, Codex)
Vigolium is built to be shelled out to by an LLM/coding agent. Thefinding and traffic read commands emit compact, token-aware output under -j/--json (headers kept, bodies bounded to ~1–2 KB with body_size/body_sha256/body_truncated, binary bodies stubbed, findings windowed to a response_evidence snippet), so an agent can survey dozens of findings without blowing its context window and pull full detail only for the ones worth confirming.
Teach your agent to drive Vigolium by installing the vigolium-scanner skill. The copy embedded in your binary always matches the CLI version, so prefer the native installer:
finding / traffic / db ls:
| Flag | Effect |
|---|---|
-j/--json | machine-readable compact output (the entry point) |
--compact | metadata only, drop bodies — cheapest survey pass |
--fields a,b,c | project to just these top-level keys, cuts tokens hard |
--with-records | (finding) embed the linked HTTP records → self-contained triage bundle |
--full-body | complete decoded bodies (use when writing an exploit — see section 22); also un-compacts --markdown response bodies |
--markdown | render the finding with request/response in fenced http blocks (response bodies compacted to a preview by default) |
--tree (finding / traffic) | host/path hierarchy view; recurring findings collapse by title + severity into one ×N node |
--pick 2-4 (finding) | narrow to specific 1-based positions after filters + sort (2, 1,3, 2-4); composes with --raw/--burp/--markdown/--json |
--search a --search b | repeatable, AND-combined — each added term further narrows the match |
--min-severity high | filter to the severities that matter |
--agentic-scan <uuid> | only findings from a given agent run (expands to the whole run tree) |
Under
--json, bodies are always bounded regardless of -S. As of v0.2.1, --markdown also compacts response bodies by default — the response renders as a window around the finding’s matched_at/evidence (or a leading preview) rather than a whole page, regardless of -S/--compact; pass --full-body to render bodies whole. The request is always shown whole (it carries the payload). On an interactive terminal the Markdown is syntax-highlighted; piped/redirected output stays plain, greppable Markdown. An agent run (agent autopilot|swarm|audit) under --json even prints a ready-made follow-up command in its summary: vigolium finding --agentic-scan <uuid> --json --with-records. Full guide: Using Vigolium in your agent.22. Show how to exploit a finding
Once a finding is confirmed, pull the exact request that triggered it, then re-fire it (mutating the payload) to build a reproducible proof-of-concept. Start by fetching the finding with full, decoded bodies so you have the complete request to work from:vigolium replay --finding-id re-sends the request behind a finding, and -m/--mutate lets you change one insertion point at a time to prove exploitability:
--format fs, each <id>.req file is directly replayable: its leading @target <scheme>://<authority> line names the destination, so strip line 1 to get raw HTTP you can hand to curl, an agent, or feed back into vigolium replay --raw-request-file <file> (pass the target from that first line with -t).
With the
vigolium-scanner skill installed, you can ask your agent in plain language — “confirm finding 42 is exploitable and give me a PoC” — and it will run the finding + replay commands above, mutate the payload, and compare responses for you. -m/--mutate accepts name=…,type=…,payload=… (or name:type:payload) and is repeatable; --raw-request/-i replace the whole request when you need full control. Only test targets you are authorized to assess.23. Run an exact set of modules (passive-only, JS beautify)
Section 9’s-m/--modules is a fuzzy filter that only narrows the active modules (passive modules always stay “all”). When you want to run a precise set — including passive modules on their own — reach for --module-id (exact match against both the active and passive registries, repeatable) and --passive-only.
-m vs --module-id, side by side:
| Flag | Matching | Registries it selects from | Repeatable |
|---|---|---|---|
-m / --modules | fuzzy (substring on id/name) | active only (passive stays “all”) | yes |
--module-id | exact module ID | both active and passive | yes |
--module-id requires an exact id — an unknown value warns (does not match any known module) rather than silently matching nothing, so reach for -m when you want loose matching. Find exact ids with vigolium module ls <term>. --passive-only and --no-passive are mutually exclusive (nothing would run). Available on scan, scan-url, and scan-request. For fuzzy -m / --module-tag filtering, see section 9.24. Scan a URL and print findings to the console
For a quick single-URL scan where you just want the results on screen, add--print-finding. After the scan it renders each finding to stdout as Markdown — description, matched evidence, and the raw request/response in fenced http blocks — exactly like vigolium finding --markdown (section 21), with no follow-up command and nothing persisted. Pair it with -S (throwaway database) and --silent (drop the banner and progress noise) for clean output.
--print-finding works on scan, scan-url, scan-request, and run. It prints nothing when the scan finds nothing, so --silent --print-finding yields either the findings or an empty screen — ideal for a fast triage loop. The Markdown is identical to vigolium finding --markdown (section 21); to save it, redirect stdout (... --print-finding > findings.md). Enabling it routes the scan through the full runner so each finding’s linked request/response is available to render, which is why it pairs naturally with -S. The same commands take --print-traffic-tree (host/path hierarchy, like traffic --tree) and --print-traffic (raw request/response pairs, like traffic --raw) to dump the run’s traffic after it finishes — set both to print the tree first, then the raw pairs.25. View HTTP traffic in the database
Everything Vigolium scans, ingests, or records lands in the database. Browse it withvigolium traffic (aliases tf, and vigolium db ls --table http_records). With no flags it shows the 100 most recent records, newest first; add filters, search, or a display format to narrow and shape the output.
-S at the file (a .jsonl export or a standalone .sqlite), or read across many at once with --glob-db:
All filter flags (
--host, --status, --method, --path, --source, --search, --header, --body, --from/--to) stack, and --sort + --asc control ordering. Add --replay to re-send the matched records instead of listing them (see section 2). The compact -j/--json output is the same agent-friendly serializer described in section 21.26. Set up the AI agent (Codex or Claude CLI)
Vigolium’s AI features (autopilot, swarm, source-code audit, query) all run through one in-process runtime called olium, which talks to a provider. Pick one provider and give it credentials. The two most common setups are below; verify any of them withvigolium ol -p 'what model are you running'.
Method 1 — Codex (cheapest, with a ChatGPT subscription). If you already use OpenAI’s Codex CLI, vigolium reuses the same OAuth credential file, no API key, refresh handled automatically. This is the recommended default.
claude shell-out). Delegate to the claude binary on your $PATH, so olium uses whatever auth claude itself is configured with (plus your personal CLAUDE.md, MCP servers, and installed skills).
vigolium ol returns a model name, every agent command works: vigolium agent autopilot, vigolium agent swarm, vigolium agent query, and vigolium agent audit.
These are two of several providers, olium also supports the Claude Code Agent SDK bridge, Anthropic OAuth/API-key, and any OpenAI-compatible backend (Ollama, OpenRouter, LM Studio, vLLM). For the full provider matrix, credential handling, and the source-code audit drivers, see the setup guide, starting with the recommended Codex path: Set up the agent → Codex.
Oh dear, you actually read to the end. Here’s the secret the config file
kept nudging you toward: by default every Vigolium request announces itself
with a
Vigolium/<version> User-Agent, so a friendly blue team can spot your
authorized scan in their logs in seconds. Go full ninja only when you mean
to be sneaky: