Running the Server - Vigolium Documentation

What is Server Mode

Vigolium can run as a persistent REST API server, accepting traffic ingestion, scan triggers, and agent runs via HTTP endpoints. Server mode is useful for team workflows where multiple users share a scanning backend, CI/CD integration where automated pipelines submit traffic and retrieve findings, and building custom tooling on top of Vigolium’s API.

Starting the Server

# Start with an API key
export VIGOLIUM_API_KEY=my-secret-key
vigolium server

# Custom host and port
export VIGOLIUM_API_KEY=my-secret-key
vigolium server --host 127.0.0.1 --service-port 9002

# With an upstream proxy for outgoing scanner traffic
export VIGOLIUM_API_KEY=my-secret-key
vigolium server --proxy http://corporate-proxy:8080

# Without authentication (development only)
vigolium server -A

The server listens on 0.0.0.0:9002 by default.

Authentication

All API requests except the public meta endpoints (/, /health, /metrics, /server-info, /swagger/*, and POST /api/auth/login) require a Bearer token:

Authorization: Bearer my-secret-key

API key resolution order: VIGOLIUM_API_KEY env var > server.auth_api_key in config file (~/.vigolium/vigolium-configs.yaml).

CORS Configuration

The server’s CORS behavior is controlled by cors_allowed_origins in ~/.vigolium/vigolium-configs.yaml:

server:
  cors_allowed_origins: reflect-origin

Value	Behavior
`reflect-origin` (default)	Echoes the requesting `Origin` header back. Allows credentials.
`*`	Allows all origins without credentials (standard wildcard).
(empty string)	Disables CORS middleware entirely.
`https://app.example.com, https://admin.example.com`	Comma-separated allowlist. Allows credentials.

Project Scoping

All server operations are scoped to a project via the X-Project-UUID request header. If omitted, the default project is used.

curl -X POST http://localhost:9002/api/ingest-http \
  -H "Authorization: Bearer my-secret-key" \
  -H "X-Project-UUID: a1b2c3d4-..." \
  -H "Content-Type: application/json" \
  -d '{"input_mode": "url", "content": "https://example.com"}'

All queries (findings, HTTP records, stats, scans) return data scoped to the project specified in the header. See Projects for the full multi-tenancy reference.

API Endpoint Overview

A condensed view — see the API References index for the full surface.

Method	Path	Description
GET	`/`	Static UI (no auth required)
GET	`/health`	Health check (no auth required)
GET	`/metrics`	Prometheus metrics (no auth required)
GET	`/swagger/*`	Swagger UI and OpenAPI spec (no auth required)
GET	`/server-info`	Server status (no auth required)
POST	`/api/auth/login`	File-based login → bearer token
GET	`/api/info`	App info / build metadata
GET	`/api/user/info`	Current user
GET	`/api/projects`	List projects
GET	`/api/modules`	List available scanner modules
GET	`/api/http-records`	Query stored HTTP records
GET	`/api/findings`	Query scan findings
PATCH	`/api/findings/:id/status`	Update finding status (open/triaged/closed)
POST	`/api/ingest-http`	Ingest HTTP traffic into the database
POST	`/api/import`	Bulk import scans/records/findings
GET	`/api/stats`	Aggregated scan statistics
GET	`/api/oast-interactions`	List OAST callbacks
GET, POST	`/api/scope`	View/update scope configuration
GET, POST	`/api/config`	View/update server configuration
POST	`/api/scans/run`	Trigger a background scan
POST	`/api/scan-url`	Scan a single URL
POST	`/api/scan-request`	Scan a single raw request
POST	`/api/scan-records`	Scan specific record UUIDs
POST	`/api/scan-all-records`	Scan filtered records
GET	`/api/scans`	List scans
GET	`/api/scans/:uuid`	Scan status
GET	`/api/scans/:uuid/logs`	Scan logs (SSE supported)
POST	`/api/scans/:uuid/stop`	Cancel a running scan
POST	`/api/scans/:uuid/pause`	Pause a scan
POST	`/api/scans/:uuid/resume`	Resume a scan
POST	`/api/scans/:uuid/update`	Adjust scan parameters mid-run
GET	`/api/scan/status`	Latest scan status (legacy/global)
POST	`/api/agent/run/query`	Single-shot agent prompt execution
POST	`/api/agent/run/autopilot`	Autonomous AI-driven scanning session
POST	`/api/agent/run/swarm`	AI-guided multi-phase vulnerability scan
POST	`/api/agent/run/audit`	Audit/piolium driver dispatcher (`driver: auto\|both\|audit\|piolium`)
GET	`/api/agent/status/list`	List agent runs
GET	`/api/agent/status/:id`	Get agent run status (includes full result when completed)
GET	`/api/agent/sessions`	Paginated session history
GET	`/api/agent/sessions/:id/logs`	Tail or read `runtime.log` (SSE supported)
GET	`/api/agent/sessions/:id/artifacts[/:filename]`	Browse / fetch agent session artifacts
POST	`/api/agent/chat/completions`	OpenAI-compatible chat completions
POST	`/api/storage/upload-source`	Upload source archive to cloud storage
POST	`/api/storage/presign`	Pre-signed upload/download URLs
GET	`/api/storage/source/:key`	Download a stored source archive
GET	`/api/diagnostics`	System readiness check
GET	`/api/db/tables`	List database tables
GET, POST	`/api/db/tables/:name/records`	Generic table browser (read / queries)
GET	`/api/extensions`	List loaded extensions
PUT, POST	`/api/extensions/:name`	Upload / enable extension

Scan Management via API

After ingesting HTTP records, trigger a vulnerability scan via the API.

Trigger a Scan

curl -s -X POST http://localhost:9002/api/scans/run \
  -H "Authorization: Bearer my-secret-key" \
  -H "Content-Type: application/json" \
  -d '{}' | jq .

Force re-scan with specific modules:

curl -s -X POST http://localhost:9002/api/scans/run \
  -H "Authorization: Bearer my-secret-key" \
  -H "Content-Type: application/json" \
  -d '{
    "force": true,
    "enable_modules": ["xss-scanner", "sqli-error-based"]
  }' | jq .

Returns 202 Accepted with a scan_uuid on success, 409 Conflict if a scan is already running.

Check Scan Status

# Latest scan, legacy/global endpoint
curl -s http://localhost:9002/api/scan/status \
  -H "Authorization: Bearer my-secret-key" | jq .

# Specific scan
curl -s http://localhost:9002/api/scans/SCAN-UUID \
  -H "Authorization: Bearer my-secret-key" | jq .

Cancel a Running Scan

curl -s -X POST http://localhost:9002/api/scans/SCAN-UUID/stop \
  -H "Authorization: Bearer my-secret-key" | jq .

See the API Reference for full request/response details.

Running AI Agents via API

The server exposes agent endpoints that mirror the vigolium agent CLI subcommands (query, autopilot, swarm, audit). The audit dispatcher accepts driver: "auto"|"both"|"audit"|"piolium" to drive the embedded vigolium-audit harness and/or piolium. Concurrency is bounded by a global heavy/light semaphore plus a per-project heavy cap; new heavy runs return 409 Conflict when the cap is reached. Set "stream": true for real-time SSE output (multi-driver audit streams add a driver field per chunk). For full details on agent modes, prompt templates, and API request/response schemas, see the Agent Mode documentation and the Agent API Reference.

​What is Server Mode

​Starting the Server

​Authentication

​CORS Configuration

​Project Scoping

​API Endpoint Overview

​Scan Management via API

​Trigger a Scan

​Check Scan Status

​Cancel a Running Scan

​Running AI Agents via API