
github.com/vigolium/vigolium, requires Go 1.26+.
Operating Modes
| Mode | Binary | Description |
|---|---|---|
| CLI Scanner | vigolium scan | Run scans directly from the command line against targets, input files (OpenAPI, Postman, Burp, cURL, HAR), or source code paths. |
| Server Mode | vigolium server | Launch a REST API server with Swagger UI. Ingest traffic, trigger scans, query findings, and run agent sessions over HTTP. |
| Ingestor Client | vigolium-ingestor | Lightweight client that captures and forwards HTTP traffic to a running Vigolium server for analysis. |
Scanning Paradigms
Native Scan
The native scan pipeline is fully deterministic: pure Go, no AI involvement. Requests flow through a fixed sequence of phases, each handling a distinct stage of reconnaissance or testing. Phases (in order):
| Phase | Purpose |
|---|---|
| Heuristics | Lightweight fingerprinting and technology detection |
| External Harvesting | Wayback Machine and other passive source enumeration |
| Spidering | Active crawling, JS analysis, link and form extraction |
| SAST | Static analysis of source code (when --source is provided) |
| Discovery | Endpoint and content discovery via wordlists |
| KnownIssueScan | Checks for known CVEs and common misconfigurations |
| Audit | Core vulnerability testing: injection, XSS, SSRF, etc. |
| Extension | User-supplied JavaScript scanning extensions |
Strategies:
| Strategy | Behavior |
|---|---|
| Lite | Fast surface-level scan; skips heavy crawling and discovery |
| Balanced | Default. Runs all phases with sensible limits |
| Deep | Exhaustive scanning with higher limits and broader wordlists |
| Whitebox | Source-aware scanning with route extraction and SAST integration |
Agentic Scan
Agentic scanning uses AI agents to drive or augment the scanning process. It is invoked via vigolium agent <mode> and supports Claude, Codex, Gemini, and OpenCode backends.
| Mode | Command | Description |
|---|---|---|
| Query | vigolium agent query | Single-shot prompt execution. Good for code review, endpoint discovery, secret detection. No network scanning. |
| Autopilot | vigolium agent autopilot | The AI agent drives the CLI autonomously through a sandboxed terminal (ACP protocol). It can run scans, inspect results, and iterate. |
| Swarm | vigolium agent swarm | Multi-phase pipeline where native Go handles heavy lifting and AI intervenes at checkpoints: planning attacks, triaging results, and generating custom JS scanner extensions. |
--source for source-aware analysis and store session artifacts (plans, extensions, output) in a configurable sessions directory.
Architecture at a Glance
Reading Guide
| I want to… | Go to |
|---|---|
| Get up and running quickly | getting-started |
| Understand the native scan pipeline | native-scan/how-it-works |
| Choose a scanning strategy | native-scan/strategies |
| Learn about individual scan phases | native-scan/phases/ (discovery, spidering, audit, extension, spa) |
| Explore agentic scanning | agentic-scan/agent-mode |
| Use Autopilot mode | agentic-scan/autopilot |
| Use Swarm mode | agentic-scan/swarm |
| Use Query mode | agentic-scan/query |
| Run Vigolium as a server | server-mode/ |
| Configure scans and settings | configuration |
| Format and export results | output-and-reporting |
| Write custom JS extensions | customization/writing-extensions |
| Build from source | development/building |
| Develop new scanner modules | development/developing-modules |
| Browse the REST API | api-references/ |
| Manage projects (multi-tenancy) | projects |
| Debug issues | troubleshooting |