Step 1: Install Vigolium Open Source

If ~/.local/bin was not already on your PATH, activate it without restarting your shell:
export PATH="$HOME/.local/bin:$PATH"

Step 2: Validate the installation

vigolium version
vigolium doctor
doctor reports any missing optional dependencies (a browser for SPA spidering, nuclei templates for the known-issue scan, bun/pi for agent drivers) and confirms your config is valid. Let it auto-install anything missing:
vigolium doctor --fix                          # auto-install/fix every failing check
--only accepts any of: nuclei, chrome, bun, claude, agent-browser, pi, piolium.
Everything Vigolium stores lives under ~/.vigolium/ (override with VIGOLIUM_HOME): config at vigolium-configs.yaml, scan DB at database-vgnm.sqlite, agent artifacts under agent-sessions/. Run vigolium init to create the workspace explicitly.

Step 3: Run a full scan

vigolium scan runs the full multi-phase pipeline (discovery → spidering → dynamic-assessment) using the balanced strategy by default:
vigolium scan -t https://example.com
Tune the depth/speed trade-off with a strategy preset:
vigolium scan -t https://example.com --strategy lite       # fast, dynamic-assessment only
vigolium scan -t https://example.com --strategy balanced
vigolium scan -t https://example.com --strategy deep       # thorough, more modules
--intensity quick|balanced|deep is a higher-level alias that also tunes the scanning profile. Not sure which mode to use? See Choosing a Scan Mode.

Step 4: One-shot stateless scan

For CI/CD pipelines, scripting, or quick ad-hoc checks where you don’t want anything left behind on disk, add --stateless and export results with -o. Vigolium spins up a temporary SQLite database, runs the requested phases, writes the output, then deletes the database on exit.
# Full pipeline, JSONL out, nothing persisted
vigolium scan --stateless -t https://example.com --format jsonl -o findings

# JSONL + HTML report, with content discovery
vigolium scan --stateless -t https://example.com --discover --format jsonl,html -o scan

# Single endpoint, no DB at all
vigolium scan-url 'https://example.com/api/users?id=1' -j
Multiple targets each get an isolated temp database and a per-host filename suffix so results don’t overwrite:
vigolium scan --stateless -T targets.txt --format jsonl -o results
# -> results-example.com.jsonl, results-test.example.com.jsonl, …
--stateless and --db are mutually exclusive. See Native Scan & Stateless Scanning for the full recipe book.
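A CI gate over the per-host JSONL files that a multi-target --stateless run writes, as an added example (not Vigolium's own code). The results-<host>.jsonl naming comes from this page; the `severity` field name and its values are assumptions, since the finding schema is not shown here.

```python
import json
import sys
from pathlib import Path

# Assumed severity ordering; Vigolium's real values are not shown on this page.
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def summarize(directory, base="results", field="severity"):
    """Return {host: {"total": n, "worst": severity or None, "bad_lines": n}}."""
    summary = {}
    for path in sorted(Path(directory).glob(f"{base}-*.jsonl")):
        # results-test.example.com.jsonl -> test.example.com
        host = path.name[len(base) + 1 : -len(".jsonl")]
        stats = {"total": 0, "worst": None, "bad_lines": 0}
        for line in path.read_text(encoding="utf-8").splitlines():
            if not line.strip():
                continue
            try:
                record = json.loads(line)
            except json.JSONDecodeError:
                record = None  # truncated write or non-JSON text in the file
            if not isinstance(record, dict):
                stats["bad_lines"] += 1
                continue
            stats["total"] += 1
            sev = str(record.get(field, "")).lower()  # hypothetical field name
            worst = stats["worst"]
            if sev in RANK and (worst is None or RANK[sev] > RANK[worst]):
                stats["worst"] = sev
        summary[host] = stats
    return summary


def gate(summary, fail_at="high"):
    """Hosts that fail the build: worst severity >= fail_at, or unreadable output."""
    failing = []
    for host, s in summary.items():
        too_severe = s["worst"] is not None and RANK[s["worst"]] >= RANK[fail_at]
        if s["bad_lines"] or too_severe:  # fail closed on output we cannot parse
            failing.append(host)
    return failing


if __name__ == "__main__":
    failing = gate(summarize(sys.argv[1] if len(sys.argv) > 1 else "."))
    for host in failing:
        print(f"FAIL {host}", file=sys.stderr)
    sys.exit(1 if failing else 0)
```

Run it in the directory the scan wrote to; a non-zero exit status fails the pipeline step.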

Step 5: Choose what to scan

# A file of targets, one URL per line
vigolium scan -T targets.txt

# From an OpenAPI / Swagger spec
vigolium scan -i api.yaml -I openapi -t https://api.example.com

# Pipe URLs from stdin
cat urls.txt | vigolium scan

# A raw HTTP request or curl command (auto-detected)
echo "curl -X POST -d 'user=admin' https://example.com/login" | vigolium scan-request
Supported input modes (-I): urls, openapi, swagger, postman, curl, burpxml, nuclei, har.

Step 6: Pick specific modules (optional)

# Only run XSS and SQLi modules (fuzzy match on module ID/name)
vigolium scan -t https://example.com -m xss -m sqli

# Filter by tag instead
vigolium scan -t https://example.com --module-tag injection

# List everything available
vigolium -M

Step 7: Get results out

By default findings stream to the console. For files or machine-readable output, use --format with -o:
# JSONL for scripting / CI
vigolium scan -t https://example.com --format jsonl -o results

# Self-contained HTML report
vigolium scan -t https://example.com --format html -o report

# Several formats at once
vigolium scan -t https://example.com --format jsonl,html -o scan
Flag                  Effect
--format console      Human-readable terminal output (default)
--format jsonl / -j   One JSON object per line
--format html         Interactive ag-grid report (requires -o)
-o, --output          Output file path (base name; extension added per format)
--ci-output-format    JSONL only, no banners or color, ideal for CI
--silent              Suppress everything except findings

Step 8: Run a single phase

Use run <phase> (an alias for scan --only <phase>) when you only want one stage of the pipeline:
vigolium run discovery -t https://example.com    # content discovery only
vigolium run spidering -t https://example.com    # browser crawl only
vigolium run dynamic-assessment -t https://example.com
Phases: ingestion, discovery, external-harvest, spidering, known-issue-scan, dynamic-assessment, extension.

A note on persistence

vigolium scan writes results to a persistent SQLite database at ~/.vigolium/database-vgnm.sqlite, so you can browse them afterward:
vigolium traffic list      # ingested HTTP records
vigolium finding list      # discovered vulnerabilities
For one-shot runs that leave nothing behind (CI, ad-hoc checks), add --stateless and export with -o. See Native Scan & Stateless Scanning for the full set of recipes.

Updating & uninstalling

vigolium update                  # update binary + nuclei templates
vigolium update --skip-templates # only reinstall the binary
vigolium update -F               # skip the confirmation prompt
npm and Docker installs are upgraded through their own tooling (npm update -g @vigolium/vigolium / docker pull), not vigolium update.

Next steps