Getting Started with Vigolium¶
This guide walks you through installing Vigolium, running your first scan, and understanding the results.
Prerequisites¶
- Go 1.26+
- git
- make
No C dependencies are required (CGO_ENABLED=0).
Installation¶
From Source¶
The binary is output to bin/vigolium. Never use go build directly -- make build injects version metadata and ensures a clean build.
Install to $GOPATH/bin¶
This places the vigolium binary on your $PATH (assuming $GOPATH/bin is in your $PATH).
Verify the installation:
Your First Scan¶
Quick Single-URL Scan¶
The fastest way to scan a single URL:
Full Balanced Scan¶
Run a complete scan with discovery, spidering, and dynamic-assessment phases:
Fast Dynamic-Assessment-Only Scan¶
Skip discovery and spidering for a faster, dynamic-assessment-only scan:
Understanding Output¶
By default, Vigolium prints findings to the console. Each finding includes:
- Severity -- Critical, High, Medium, Low, or Info
- Confidence -- Certain, Firm, or Tentative
Machine-Readable Output¶
Use JSONL format for scripting and CI/CD integration:
HTML Reports¶
Generate a self-contained HTML report:
Scanning from Different Input Sources¶
From a File of URLs¶
Create a file with one target 每 line and pass it with -T:
From an OpenAPI Spec¶
Import endpoints from an OpenAPI/Swagger definition:
From a curl Command¶
Pipe a curl command directly into Vigolium:
echo 'curl -X POST https://api.example.com/login -d "user=admin&pass=test"' | vigolium scan --input - -I curl -t https://api.example.com
Common Options¶
| Flag | Description |
|---|---|
-t, --target |
Target URL (base URL for scope) |
-T, --targets-file |
File containing target URLs (one 每 line) |
--strategy |
Scanning strategy (e.g., lite for dynamic-assessment-only) |
--only |
Run only specific phases (e.g., --only discovery,dynamic-assessment) |
--skip |
Skip specific phases (e.g., --skip spidering) |
-m, --modules |
Run only specific modules by ID |
--module-tag |
Filter modules by tag (e.g., xss, spring, light) |
--format |
Output format: console (default), jsonl, html |
-o, --output |
Output file path (required for html format) |
--profile, --scanning-profile |
Use a named scanning profile |
-c, --concurrency |
Number of concurrent scan workers (default 50) |
-r, --rate-limit |
Maximum HTTP requests 每 second (default 100) |
Configuration¶
Vigolium reads its configuration from ~/.vigolium/vigolium-configs.yaml. Use vigolium config set <key> <value> to update individual settings, or edit the config file directly.
Next Steps¶
- Scanning Strategies -- learn about the available scanning strategies
- Scanning Modes Overview -- compare all scanning modes
- Configuration Reference -- full configuration options
- Agent Mode -- AI-powered scanning with autonomous agents
- Getting Started with Codex OAuth -- zero-config agent setup using your existing
~/.codex/auth.json - Server and Ingestion -- run Vigolium as a REST API server