Skip to main content
vigolium server starts the Vigolium server: one process that serves the built-in Web UI, backs the Burp Suite extension, and exposes a full REST API. It’s the hub every non-CLI surface talks to — the UI, Burp, and any script you write all read and write the same local database.
vigolium server
By default, the server listens on http://localhost:9002. Open that URL in your browser to use the dashboard.
Vigolium Web UI dashboard with project summary, scan data, and severity breakdown

Ways to run the server

The server takes flags for authentication, binding, ingestion, and passive-only analysis. Common setups:
# Recommended: start with API-key authentication
export VIGOLIUM_API_KEY=my-secret-key
vigolium server

# Bind to a specific host and port
vigolium server --host 127.0.0.1 --service-port 9002

# Back the Burp extension and also mirror ingested traffic to disk as files
vigolium server --mirror-fs ./mirror

# Passive-only ingestion — analyze browsed traffic without sending active requests
vigolium server --scan-on-receive --passive-only

# Merge live Burp Proxy history over the loopback bridge
vigolium server --burp-bridge-url http://127.0.0.1:9009

# Local development only — DISABLE authentication (see warning below)
vigolium server -A
-A / --no-auth runs the server with no authentication. Every /api/* route — including endpoints that trigger scans and read stored findings and traffic — becomes callable by anyone who can reach the port. Only use -A on localhost for local development, and never expose an -A server to the internet or an untrusted network. For shared, remote, or production use, always start with VIGOLIUM_API_KEY (or server.auth_api_key in config) set and bind to a trusted interface.
The default bind address is 0.0.0.0, so if you must reach the server from another machine, keep authentication on and prefer restricting the bind with --host plus a firewall or reverse proxy. Retrieve the active key at any time:
vigolium config ls server.auth_api_key --force

What you can do in the Web UI

The Web UI gives you a visual workspace for the data Vigolium stores in its local database. Use it when you want to explore results, tune scans, or work across projects without staying in the terminal.
  • View project-level scan summaries and severity breakdowns.
  • Browse, search, and filter findings.
  • Open finding details with request, response, payload, and evidence context.
  • Review HTTP records collected from CLI scans, API ingestion, or proxy ingestion — filter them by source (scan, ingestion, proxy) with the records source dropdown, and copy any request as a ready-to-run curl command.
  • See available scanner modules, including active and passive modules.
  • Start new scans and monitor scan progress.
  • Modify scope and scanner configuration from the server-backed config surface.
Vigolium Web UI findings list with filters, severity labels, and searchable results
Vigolium Web UI finding detail with request and response evidence

Start scans from the dashboard

Use the scan controls to launch a background scan against a URL, imported traffic, or records already stored in the project. The Web UI sends the request to the same server API that powers vigolium scan, so the scan output lands in the same database and appears in the findings views as soon as results are written. When starting a scan, you can tune common options such as:
  • Target URL or stored HTTP records.
  • Scan strategy and intensity.
  • Specific modules or module tags.
  • Scope settings.
  • Active/passive module behavior.
Vigolium Web UI scan history and progress view

Use it with the Burp Suite extension

vigolium server is also the local backend for the Vigolium Burp extension — running the server is the setup step for using Burp with Vigolium. The extension connects to your running server, forwards traffic through /api/ingest-http, and launches native and agentic scans from Burp’s context menus, so findings appear in both Burp and the Web UI because everything is stored in the same database.
# Start a server for the Burp extension to connect to
export VIGOLIUM_API_KEY=my-secret-key
vigolium server
Point the extension at the Server URL (http://127.0.0.1:9002) and paste in the API key — then browse, forward proxy traffic, and dispatch scans straight from Burp.

Using Vigolium with Burp Suite

Install the extension, forward proxy traffic, dispatch native and agentic scans, and use the bidirectional live bridge — see the dedicated guide.

REST API for results and scans

Everything the Web UI and the Burp extension do is backed by a documented REST API, so you can drive Vigolium from scripts, CI, or a coding agent. All /api/* routes require Authorization: Bearer <API_KEY> unless the server was started with -A. View results:
# List findings (filter by severity, project, scan, and more)
curl -s http://localhost:9002/api/findings \
  -H "Authorization: Bearer my-secret-key" | jq .

# Inspect stored HTTP records (traffic)
curl -s http://localhost:9002/api/http-records \
  -H "Authorization: Bearer my-secret-key" | jq .

# Project-level statistics and severity counts
curl -s http://localhost:9002/api/stats \
  -H "Authorization: Bearer my-secret-key" | jq .
Trigger scans:
# Native scan of a single URL
curl -s -X POST http://localhost:9002/api/scan-url \
  -H "Authorization: Bearer my-secret-key" \
  -H "Content-Type: application/json" \
  -d '{ "url": "https://example.com/api/users?id=1" }'

# Native scan of one or more targets (equivalent to vigolium scan -t <url>)
curl -s -X POST http://localhost:9002/api/scans/run \
  -H "Authorization: Bearer my-secret-key" \
  -H "Content-Type: application/json" \
  -d '{ "targets": ["https://example.com"] }'

# Agentic (AI-guided) scan of stored or supplied traffic
curl -s -X POST http://localhost:9002/api/agent/run/swarm \
  -H "Authorization: Bearer my-secret-key" \
  -H "Content-Type: application/json" \
  -d '{ "target": "https://example.com" }'
The API also covers ingestion, scope, projects, modules, config, OAST interactions, and scan status/history. See the API overview for the full surface, and the Scan, Findings, and HTTP Records references for request/response fields. A live Swagger UI is served at http://localhost:9002/swagger/ while the server runs.

Review available modules

The dashboard exposes the module registry so you can see what Vigolium can test before launching a scan. Use module search and filters to find checks by vulnerability class, technology, resource cost, or module type. For CLI parity, you can list modules from the terminal too:
vigolium module ls
vigolium module ls --tag xss
vigolium module ls --type active
You can also query modules through the server API:
curl -s http://localhost:9002/api/modules \
  -H "Authorization: Bearer my-secret-key" | jq .
See Modules reference for scanner module concepts and Modules API for API fields.

Adjust configuration

Configuration changes made through the Web UI use the same server configuration model described in the CLI docs. Use the UI when you want to adjust scan behavior interactively, then keep durable settings in ~/.vigolium/vigolium-configs.yaml. Common configuration tasks include:
  • Updating scope rules.
  • Changing concurrency, rate limits, and per-host limits.
  • Enabling or disabling module groups.
  • Adjusting CORS or server behavior.
  • Reviewing project-level data separation.
For complete configuration details, see Configuration and Running the Server.