vigolium server starts the Vigolium server: one process that serves the built-in Web UI, backs the Burp Suite extension, and exposes a full REST API. It’s the hub every non-CLI surface talks to — the UI, Burp, and any script you write all read and write the same local database.
http://localhost:9002. Open that URL in your browser to use the dashboard.

Ways to run the server
The server takes flags for authentication, binding, ingestion, and passive-only analysis. Common setups:-A / --no-auth runs the server with no authentication. Every /api/* route — including endpoints that trigger scans and read stored findings and traffic — becomes callable by anyone who can reach the port. Only use -A on localhost for local development, and never expose an -A server to the internet or an untrusted network. For shared, remote, or production use, always start with VIGOLIUM_API_KEY (or server.auth_api_key in config) set and bind to a trusted interface.0.0.0.0, so if you must reach the server from another machine, keep authentication on and prefer restricting the bind with --host plus a firewall or reverse proxy. Retrieve the active key at any time:
What you can do in the Web UI
The Web UI gives you a visual workspace for the data Vigolium stores in its local database. Use it when you want to explore results, tune scans, or work across projects without staying in the terminal.- View project-level scan summaries and severity breakdowns.
- Browse, search, and filter findings.
- Open finding details with request, response, payload, and evidence context.
- Review HTTP records collected from CLI scans, API ingestion, or proxy ingestion — filter them by source (scan, ingestion, proxy) with the records source dropdown, and copy any request as a ready-to-run
curlcommand. - See available scanner modules, including active and passive modules.
- Start new scans and monitor scan progress.
- Modify scope and scanner configuration from the server-backed config surface.


Start scans from the dashboard
Use the scan controls to launch a background scan against a URL, imported traffic, or records already stored in the project. The Web UI sends the request to the same server API that powersvigolium scan, so the scan output lands in the same database and appears in the findings views as soon as results are written.
When starting a scan, you can tune common options such as:
- Target URL or stored HTTP records.
- Scan strategy and intensity.
- Specific modules or module tags.
- Scope settings.
- Active/passive module behavior.

Use it with the Burp Suite extension
vigolium server is also the local backend for the Vigolium Burp extension — running the server is the setup step for using Burp with Vigolium. The extension connects to your running server, forwards traffic through /api/ingest-http, and launches native and agentic scans from Burp’s context menus, so findings appear in both Burp and the Web UI because everything is stored in the same database.
http://127.0.0.1:9002) and paste in the API key — then browse, forward proxy traffic, and dispatch scans straight from Burp.
Using Vigolium with Burp Suite
Install the extension, forward proxy traffic, dispatch native and agentic scans, and use the bidirectional live bridge — see the dedicated guide.
REST API for results and scans
Everything the Web UI and the Burp extension do is backed by a documented REST API, so you can drive Vigolium from scripts, CI, or a coding agent. All/api/* routes require Authorization: Bearer <API_KEY> unless the server was started with -A.
View results:
http://localhost:9002/swagger/ while the server runs.
Review available modules
The dashboard exposes the module registry so you can see what Vigolium can test before launching a scan. Use module search and filters to find checks by vulnerability class, technology, resource cost, or module type. For CLI parity, you can list modules from the terminal too:Adjust configuration
Configuration changes made through the Web UI use the same server configuration model described in the CLI docs. Use the UI when you want to adjust scan behavior interactively, then keep durable settings in~/.vigolium/vigolium-configs.yaml.
Common configuration tasks include:
- Updating scope rules.
- Changing concurrency, rate limits, and per-host limits.
- Enabling or disabling module groups.
- Adjusting CORS or server behavior.
- Reviewing project-level data separation.
