CI/CD Integration - Vigolium Documentation

Overview

Vigolium can be integrated into CI/CD pipelines to automatically scan applications for vulnerabilities on every deployment or pull request. This guide covers common patterns for running scans in automated environments.

Basic CI Scan

A minimal CI scan using the lite strategy for speed and JSONL output for machine parsing:

vigolium scan -t $TARGET_URL --strategy lite --format jsonl -o results.jsonl

The lite strategy skips browser spidering and heavy discovery, making it suitable for time-constrained CI environments. JSONL output produces one JSON object per line, which is straightforward to parse in scripts.

Exit-Code Gating with `--fail-on`

Use --fail-on <severity> to make a scan exit non-zero when it finds anything at or above a severity threshold — the cleanest way to gate a pipeline without post-processing JSONL. It accepts info, low, medium, high, or critical:

# Fail the build if any high or critical finding is present
vigolium scan -t $TARGET_URL --strategy lite --fail-on high --format jsonl -o results.jsonl

Output is always written before the gate is evaluated, so your report and exit status stay consistent.
The gate is scoped to the scan it runs in. Under -P/--parallel, it is evaluated per child process.
It works on scan, scan-url, scan-request, and run.

To keep a wrapping script or CI step from being interrupted while still surfacing the error on stderr, add --soft-fail, which forces exit code 0 even when --fail-on (or any other error) would otherwise fail the command:

# Record findings and never break the pipeline, even on critical findings
vigolium scan -t $TARGET_URL --fail-on critical --soft-fail --format jsonl -o results.jsonl

If you need finer control than a single severity threshold, fall back to parsing JSONL with jq (see below).

JSONL Output for Parsing

Use jq to filter findings by severity:

# Fail the build only on high/critical findings
HIGH_COUNT=$(jq -s '[.[] | select(.severity == "high" or .severity == "critical")] | length' results.jsonl)

if [ "$HIGH_COUNT" -gt 0 ]; then
  echo "Found $HIGH_COUNT high/critical severity findings"
  jq 'select(.severity == "high" or .severity == "critical")' results.jsonl
  exit 1
fi

Extract a summary of findings:

jq '{name: .name, severity: .severity, url: .url}' results.jsonl

With Source Code (Agent Mode)

Source-aware analysis lives in agent mode now. When the source code is available in the CI workspace, run an AI-driven swarm with --source for route extraction and AI-generated extensions:

vigolium agent swarm -t $TARGET_URL --source . --intensity quick \
  --format jsonl -o results.jsonl

This is particularly effective in CI because the source code is always present in the checkout directory.

Agent Mode in CI

Code Review (Query)

Run an AI-powered security code review on the current source tree, single LLM call, predictable runtime:

vigolium agent query --prompt-template security-code-review --source . --json

This produces structured JSON output with findings that can be parsed and posted as PR comments.

Diff-Focused Review (Autopilot)

Focus on changed code only, perfect for PR gates:

# GitHub PR diff (auto-fetches changed files via REST API)
vigolium agent autopilot -t $TARGET_URL --source . \
  --diff "https://github.com/$GITHUB_REPOSITORY/pull/$PR_NUMBER" \
  --intensity quick

# Last N commits
vigolium agent autopilot -t $TARGET_URL --source . --last-commits 5 --intensity quick

Full-Scope Swarm with Discovery

For a more thorough AI-driven scan with automatic endpoint discovery:

vigolium agent swarm -t $TARGET_URL --discover --intensity balanced --max-duration 20m

The --max-duration flag ensures the scan does not run indefinitely in CI. Swarm coordinates planning, native scanning, and optional triage with --triage.

Docker

Run a scan in a container:

docker run --rm vigolium scan -t $TARGET_URL --strategy lite --format jsonl

For scans that require source code access, mount the workspace:

docker run --rm -v $(pwd):/workspace vigolium scan -t $TARGET_URL --source /workspace --format jsonl

Tips

Keep scans fast: Use --strategy lite and --skip spidering in CI to avoid long-running browser-based crawling. Save deep scans for staging or nightly runs.
Set timeouts: Always use --timeout in CI to prevent scans from blocking the pipeline indefinitely.
Cache the binary: Download and cache the Vigolium binary in your CI cache (e.g., GitHub Actions cache, GitLab CI cache) to avoid re-downloading on every run.
Use projects: Create a dedicated project for CI scans with vigolium project create ci-scans to keep findings organized and track trends across builds.
Incremental scanning: When scanning the same target repeatedly, previous scan data in the project can help Vigolium avoid redundant checks.
Secrets management: Pass API keys and authentication tokens via environment variables rather than hardcoding them in CI config files. Use --header "Authorization: Bearer $API_TOKEN" at runtime.

​Overview

​Basic CI Scan

​Exit-Code Gating with --fail-on

​JSONL Output for Parsing

​With Source Code (Agent Mode)

​Agent Mode in CI

​Code Review (Query)

​Diff-Focused Review (Autopilot)

​Full-Scope Swarm with Discovery

​Docker

​Tips