跳转至

Getting Started with Vigolium

This guide walks you through installing Vigolium, running your first scan, and understanding the results.

Prerequisites

  • Go 1.26+
  • git
  • make

No C dependencies are required (CGO_ENABLED=0).

Installation

From Source

git clone https://github.com/vigolium/vigolium.git
cd vigolium
make deps
make build

The binary is output to bin/vigolium. Never use go build directly -- make build injects version metadata and ensures a clean build.

Install to $GOPATH/bin

make install

This places the vigolium binary on your $PATH (assuming $GOPATH/bin is in your $PATH).

Verify the installation:

vigolium --version

Your First Scan

Quick Single-URL Scan

The fastest way to scan a single URL:

vigolium scan-url https://example.com

Full Balanced Scan

Run a complete scan with discovery, spidering, and dynamic-assessment phases:

vigolium scan -t https://example.com

Fast Dynamic-Assessment-Only Scan

Skip discovery and spidering for a faster, dynamic-assessment-only scan:

vigolium scan -t https://example.com --strategy lite

Understanding Output

By default, Vigolium prints findings to the console. Each finding includes:

  • Severity -- Critical, High, Medium, Low, or Info
  • Confidence -- Certain, Firm, or Tentative

Machine-Readable Output

Use JSONL format for scripting and CI/CD integration:

vigolium scan -t https://example.com --format jsonl

HTML Reports

Generate a self-contained HTML report:

vigolium scan -t https://example.com --format html -o report.html

Scanning from Different Input Sources

From a File of URLs

Create a file with one target 每 line and pass it with -T:

vigolium scan -T targets.txt

From an OpenAPI Spec

Import endpoints from an OpenAPI/Swagger definition:

vigolium scan --input api.yaml -I openapi -t https://api.example.com

From a curl Command

Pipe a curl command directly into Vigolium:

echo 'curl -X POST https://api.example.com/login -d "user=admin&pass=test"' | vigolium scan --input - -I curl -t https://api.example.com

Common Options

Flag Description
-t, --target Target URL (base URL for scope)
-T, --targets-file File containing target URLs (one 每 line)
--strategy Scanning strategy (e.g., lite for dynamic-assessment-only)
--only Run only specific phases (e.g., --only discovery,dynamic-assessment)
--skip Skip specific phases (e.g., --skip spidering)
-m, --modules Run only specific modules by ID
--module-tag Filter modules by tag (e.g., xss, spring, light)
--format Output format: console (default), jsonl, html
-o, --output Output file path (required for html format)
--profile, --scanning-profile Use a named scanning profile
-c, --concurrency Number of concurrent scan workers (default 50)
-r, --rate-limit Maximum HTTP requests 每 second (default 100)

Configuration

Vigolium reads its configuration from ~/.vigolium/vigolium-configs.yaml. Use vigolium config set <key> <value> to update individual settings, or edit the config file directly.

Next Steps