Overview

Vigolium can be integrated into CI/CD pipelines to automatically scan applications for vulnerabilities on every deployment or pull request. This guide covers common patterns for running scans in automated environments.

Basic CI Scan

A minimal CI scan using the lite strategy for speed and JSONL output for machine parsing:

vigolium scan -t $TARGET_URL --strategy lite --format jsonl -o results.jsonl

The lite strategy skips browser spidering and heavy discovery, making it suitable for time-constrained CI environments. JSONL output produces one JSON object per line, which is straightforward to parse in scripts.

Exit Codes

Check Vigolium’s exit code to determine whether findings were reported. A non-zero exit code can be used to fail a CI pipeline gate when vulnerabilities are detected. Consult vigolium scan --help for the exact exit code semantics in your version.

JSONL Output for Parsing

Use jq to filter findings by severity:

# Fail the build only on high/critical findings
HIGH_COUNT=$(jq -s '[.[] | select(.severity == "high" or .severity == "critical")] | length' results.jsonl)

if [ "$HIGH_COUNT" -gt 0 ]; then
  echo "Found $HIGH_COUNT high/critical severity findings"
  jq 'select(.severity == "high" or .severity == "critical")' results.jsonl
  exit 1
fi

Extract a summary of findings:

jq '{name: .name, severity: .severity, url: .url}' results.jsonl
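The jq snippet above fails the build on an exact string match, so a finding labelled "High" rather than "high", a malformed line, or a severity label the filter does not know about passes the gate silently. The following script is an added example, not part of Vigolium's tooling, that implements the same CI gate in Python for runners without jq. It assumes only the name, severity and url fields shown in the summary command above; the severity ranking, the case-folding, the duplicate collapsing and the sample findings are this example's own assumptions.

```python
"""CI gate over Vigolium JSONL output: parse, summarise, and decide pass/fail.

Added example, not Vigolium's own tooling. Assumes each line of results.jsonl
is a JSON object with at least "name", "severity" and "url" keys, as in the
jq summary on the page; everything else here is an assumption of this script.
"""
import json
import sys
from collections import Counter

# Severity ordering used for threshold comparisons (assumed; Vigolium's own
# set of severity labels may differ from this).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample JSONL, including a blank line, a malformed line, a
# mixed-case severity and a duplicate finding, so the parser's handling of
# each is visible when run stand-alone.
SAMPLE_JSONL = """\
{"name": "Reflected XSS", "severity": "High", "url": "https://example.test/search?q="}
{"name": "Missing CSP header", "severity": "low", "url": "https://example.test/"}

not json at all
{"name": "SQL injection", "severity": "critical", "url": "https://example.test/items?id="}
{"name": "Verbose server banner", "severity": "info", "url": "https://example.test/"}
{"name": "Reflected XSS", "severity": "high", "url": "https://example.test/search?q="}
"""


def parse_findings(text):
    """Parse JSONL into a list of dicts, skipping blank and malformed lines.

    Severity is lower-cased so that "High" and "high" gate the same way, and
    duplicate findings (same name and url) are collapsed to a single entry.
    """
    seen = set()
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            print(f"warning: skipping malformed line {lineno}", file=sys.stderr)
            continue
        if not isinstance(obj, dict):
            continue
        key = (obj.get("name"), obj.get("url"))
        if key in seen:
            continue
        seen.add(key)
        obj["severity"] = str(obj.get("severity", "info")).lower()
        findings.append(obj)
    return findings


def summarize(findings):
    """Return a Counter of findings per (normalised) severity label."""
    return Counter(f["severity"] for f in findings)


def gate(findings, fail_at="high"):
    """Return (exit_code, offending).

    exit_code is 1 when any finding is at or above fail_at. A severity label
    not in SEVERITY_RANK is treated as failing, so a label this script has
    never seen can never slip through the gate unnoticed.
    """
    threshold = SEVERITY_RANK[fail_at]
    offending = [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], threshold) >= threshold
    ]
    return (1 if offending else 0), offending


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_JSONL
    findings = parse_findings(text)
    # Print the most severe labels first; unknown labels sort to the top.
    for sev, n in sorted(summarize(findings).items(),
                         key=lambda kv: -SEVERITY_RANK.get(kv[0], 99)):
        print(f"{sev:>9}: {n}")
    code, offending = gate(findings)
    for f in offending:
        print(f"FAIL {f['severity']:<9} {f.get('name')}  {f.get('url')}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py results.jsonl` after the scan step; with no argument it processes the embedded sample and exits 1, since the sample contains one high and one critical finding. Treating unknown labels as failing is deliberate: a gate that only matches known strings fails open when the tool adds a label.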

With Source Code (Agent Mode)

Source-aware analysis lives in agent mode now. When the source code is available in the CI workspace, run an AI-driven swarm with --source for route extraction and AI-generated extensions:

vigolium agent swarm -t $TARGET_URL --source . --intensity quick \
  --format jsonl -o results.jsonl

This is particularly effective in CI because the source code is always present in the checkout directory.

Agent Mode in CI

Code Review (Query)

Run an AI-powered security code review on the current source tree — single LLM call, predictable runtime:

vigolium agent query --prompt-template security-code-review --source . --json

This produces structured JSON output with findings that can be parsed and posted as PR comments.

Diff-Focused Review (Autopilot)

Focus on changed code only — perfect for PR gates:

# GitHub PR diff (auto-fetches changed files via REST API)
vigolium agent autopilot -t $TARGET_URL --source . \
  --diff "https://github.com/$GITHUB_REPOSITORY/pull/$PR_NUMBER" \
  --intensity quick --token-budget 200000

# Last N commits
vigolium agent autopilot -t $TARGET_URL --source . --last-commits 5 --intensity quick

Full-Scope Swarm with Discovery

For a more thorough AI-driven scan with automatic endpoint discovery:

vigolium agent swarm -t $TARGET_URL --discover --intensity balanced --max-duration 20m

The --max-duration flag ensures the scan does not run indefinitely in CI. Swarm coordinates planning, native scanning, and optional triage with --triage.

Docker

Run a scan in a container:

docker run --rm vigolium scan -t $TARGET_URL --strategy lite --format jsonl

For scans that require source code access, mount the workspace:

docker run --rm -v $(pwd):/workspace vigolium scan -t $TARGET_URL --source /workspace --format jsonl

Tips

  • Keep scans fast: Use --strategy lite and --skip spidering in CI to avoid long-running browser-based crawling. Save deep scans for staging or nightly runs.
  • Set timeouts: Always use --timeout in CI to prevent scans from blocking the pipeline indefinitely.
  • Cache the binary: Download and cache the Vigolium binary in your CI cache (e.g., GitHub Actions cache, GitLab CI cache) to avoid re-downloading on every run.
  • Use projects: Create a dedicated project for CI scans with vigolium project create ci-scans to keep findings organized and track trends across builds.
  • Incremental scanning: When scanning the same target repeatedly, previous scan data in the project can help Vigolium avoid redundant checks.
  • Secrets management: Pass API keys and authentication tokens via environment variables rather than hardcoding them in CI config files. Use --header "Authorization: Bearer $API_TOKEN" at runtime.