Troubleshooting¶
Common issues encountered when using Vigolium and their solutions.
WAF/Rate Limiting Blocking Scans¶
Symptoms: Many requests return 403/429 status codes, scan results are incomplete, or the target becomes unresponsive.
Solutions:
Reduce concurrency to slow down request volume:
Apply a rate limit (requests 每 second):
Use the lite strategy, which uses fewer payloads and a less aggressive scanning profile:
You can combine these options for heavily protected targets:
Browser Not Found (Spidering)¶
Symptoms: Spidering phase fails with errors about missing Chromium or browser binary.
Solutions:
Chromium is automatically downloaded on first use to ~/.cache/spitolas/chromium-<version>/. If this download is blocked by network restrictions:
- Use
make deps-chrometo build with an embedded Chromium binary. - Alternatively, skip the spidering phase entirely:
Scope Mismatch (No Results)¶
Symptoms: 扫描 completes but produces zero findings or skips all requests.
Solutions:
Verify the target URL matches 配置的 scope. The scanner only tests URLs that fall within the defined scope.
Check 当前 scope configuration:
Explicitly set the scope to include your target by updating the config:
Ensure the target URL scheme (http vs https) and hostname match what the scope expects. Subdomains are not included 默认情况下 unless a wildcard pattern is used.
OAST Not Working¶
Symptoms: No out-of-band findings are reported, even for vulnerabilities that typically produce OAST(带外交互) interactions (e.g., blind SSRF, blind XXE).
Solutions:
OAST(带外交互) requires outbound DNS and HTTP connectivity from the target application to the OAST(带外交互) callback server. 检查:
- The scanned application can make outbound DNS queries.
- The scanned application can make outbound HTTP requests.
- No firewall rules block these outbound connections.
OAST(带外交互) is optional. The scanner still produces findings without it using in-band detection methods. OAST(带外交互) adds an extra layer of detection for blind/out-of-band vulnerabilities, but its absence does not prevent the scanner from working.
High Memory Usage on Large Targets¶
Symptoms: The scanner process consumes excessive memory, the system becomes slow, or the process is killed by the OS.
Solutions:
Use the lite strategy to reduce the number of payloads and checks:
Run only the dynamic-assessment phase to skip discovery and spidering, which can generate large numbers of URLs:
Reduce concurrency to limit the number of in-flight requests and queued items:
Skip discovery to avoid large wordlist-based scans that produce many URLs:
Scan Takes Too Long¶
Symptoms: 扫描 runs for hours without completing, or appears stuck in a particular phase.
Solutions:
Use the lite strategy for faster scans with fewer checks:
Limit discovery time to prevent long-running content discovery:
Limit spidering time:
Run only the dynamic-assessment phase if you already have traffic recorded:
Combine options for the fastest possible scan:
Database Issues¶
Symptoms: Errors related to database access, corrupted data, or migration failures.
Solutions:
The default database is SQLite, stored at ~/.vigolium/vigolium.db.
To switch to a different database location:
要重置 the database and start fresh:
For production deployments, consider using PostgreSQL 而不是 SQLite. Configure the database connection in vigolium-configs.yaml or 通过 the --db flag with a PostgreSQL connection string.
Agent Mode Not Working¶
Symptoms: vigolium agent commands fail with errors about missing backends, connection issues, or authentication failures.
Solutions:
- Check backend configuration. Agent backends are configured in the
agentsection ofvigolium-configs.yaml. The default backend (claude) uses the SDK protocol and requires theclaudeCLI in PATH:
- Ensure the coding agent CLI is installed. The default
claudebackend requires the Claude Code CLI. Other backends require their respective CLIs:
-
Check API keys. Ensure the required API keys are set as environment variables (e.g.,
ANTHROPIC_API_KEYfor Claude,OPENAI_API_KEYfor Codex). -
Verify session directory permissions. Agent sessions are stored under
~/.vigolium/agent-sessions/默认情况下 (configurable 通过agent.sessions_dirinvigolium-configs.yaml). Ensure this directory is writable.
Permission Denied on Build¶
Symptoms: make build or make install fails with permission errors when writing to $GOPATH/bin.
Solutions:
Ensure $GOPATH/bin exists and is writable:
Always use make build 而不是 go build. Direct go build bypasses version injection and may produce incorrect binaries:
The make build command outputs the binary to bin/vigolium and installs it to $GOPATH/bin. If you only need the binary locally without installation, the built binary is available at bin/vigolium after running make build.