Vigolium CLI

Role Definition

Command Decision Tree

Reference Guide

Scanning Strategies

Scan Phases

Input Formats

Output and Results

Workflow Recipes

1. Quick Single-URL Scan

2. Full Pipeline Scan (Discovery + Spidering + KnownIssueScan + Audit)

3. OpenAPI Spec Scan

With explicit base URL

Using servers from spec

With auth header

4. Burp/HAR Import and Scan

5. Raw HTTP Request Scan

From file

From stdin

With custom method and body

6. Extensions-Only Phase

Run only JS extension modules against DB records

With a specific extension script

With a custom extensions directory

Run via the run command (recommended for single extensions)

Run via the run command alias

7. Discovery-Only Phase

or

8. Targeted Modules

Run only specific modules by ID

Filter modules by tag (OR condition — matches any tag)

Combine -m and --module-tag (union of both)

List available modules first

9. Server Mode

Basic server

Custom host/port with no auth

With transparent proxy for recording traffic

10. Scan-on-Receive (Ingest + Auto-Scan)

Server mode: auto-scan every ingested request

Local ingest + scan

11. AI Agent Code Review (agent query)

Security code review (SDK protocol by default — full tool access)

Endpoint discovery from source

List available templates / backends (parent command helpers)

Custom prompt with inline text

Pipe a prompt from stdin

Custom prompt file with a specific backend

With custom instruction appended to the rendered template

Dry-run to preview the rendered prompt

Save output to a file

12. AI Agent Autopilot (Autonomous Scanning)

Basic autonomous scan (balanced by default)

Natural-language prompt — target, source, focus are auto-extracted

With source code context (triggers the audit harness automatically)

Specific files + custom instruction

Intensity presets

Override a specific setting within a preset

Scan only a PR diff or recent commits

Cap the wall-clock budget (explicit override)

Pipe a curl command (target auto-derived)

Browser-based auth preflight

Disable the audit harness when source is provided

Choose a specific vigolium-audit mode

Force piolium as the audit harness (auto-disables vigolium-audit for this run)

Run an AI triage pass over findings after the scan

Skip the prompt-safety classifier on the natural-language prompt (only when refusing a known-good prompt)

Upload results to cloud storage after completion

Preview rendered system prompt without launching the agent

Override the olium provider for a single run

Drive autopilot through anthropic-vertex (Claude on Vertex; requires a claude-* model)

13. AI Agent Swarm (Targeted or Full-Scope)

Target a URL for deep analysis

Natural-language prompt — target, source, focus auto-extracted

Full-scope scan with discovery

Analyze a curl command

Pipe raw HTTP request from stdin (auto-detected)

Scan a record from the database

Focus on a specific vulnerability type

Source-aware swarm (route extraction + code audit + SAST + scanning)

Full-scope source-aware scan

Source-aware with specific files

Source analysis only (extract routes, no scan)

Intensity presets

Override a specific setting within a preset

Run a background vigolium-audit in parallel (requires --source). Bare --audit = lite.

Or run piolium as the background audit harness (Pi runtime; requires --source)

Pull HTTP records from the active project as input

Force the extension agent to run even when the planner picks built-in modules

Tune master-agent batching and probing

Scan only changed code

Skip SAST tools during source analysis

Disable code audit (still runs source analysis + SAST)

Enable triage and rescan loop

Browser automation + auth capture

Upload results to cloud storage

Custom instructions to guide the agent

Instructions from a file

Resume from a specific phase

Specify modules explicitly

Control scanning phases

Custom overall duration

Preview master agent prompt (no execution)

Show rendered prompts during execution

13b. AI Agent Audit — vigolium-audit harness (Foreground Whitebox Audit)

Deep audit of a local repo

Fast lite audit of a remote repo (clones automatically)

Balanced audit

Second pass on a prior audit tree (revisit with new context)

PoC construction for previously confirmed findings

Chain modes back-to-back (audit runs them natively as one row)

Read-only progress check (no agent launched)

Pick the coding agent (claude or codex) — provider implies one, --agent overrides

Drive the audit yourself interactively, then import the on-disk results

List the audit mode graph (phases, time estimates) and exit

13c. AI Agent Piolium (Pi-Native Foreground Audit)

Balanced 9-phase audit of a local repo

Quick lite audit of a remote git URL (auto-clones)

Hail-mary file-by-file vulnerability hunt over Python+Go files only

Use a specific Pi provider/model for this run (overrides ~/.pi defaults)

Full clone history (commit archaeology) via intensity preset

Cap commit-history scan to last 60 days

Resume / re-audit an existing tree (anti-anchored second pass)

Read-only progress check on an in-progress run

Skip the pre-audit pi roundtrip check (auth + model availability)

13d. AI Agent Audit (Unified Driver Dispatcher)

Default: run vigolium-audit, fall back to piolium only if claude/codex CLI is missing

Run both drivers back-to-back, unconditionally

Force a single driver

Driver-specific modes are only allowed when --driver is forced to that driver

Audit from a gs:// archive (downloaded + extracted once, shared by both drivers)

Skip the post-pass project-wide findings dedup

Pin the audit leg's agent + provider (anthropic-* → claude, openai-* → codex)

BYOK auth for the run (literal, $ENV_NAME, or @path)

Override piolium's Pi defaults

Pass piolium-only knobs through (ignored on the audit leg)

14. Results Inspection

Browse HTTP traffic

JSONL output for agent / CI consumption (one JSON object per line)

Browse findings

Database stats

Watch mode (auto-refresh)

14b. External-Agent Confirm Chain (Claude Code / Cursor / Pi)

16. Export and Reports

Full JSONL export

Export only findings

HTML report

Multiple output formats at once

Database-level export

17. Whitebox Scanning (Source-Aware)

Link source code and scan

Clone from git URL and scan

Or link first, then scan

SAST-only phase

SAST from git URL (clones automatically)

18. Configuration Tuning

View all config

View specific section

Set values

Speed tuning

Scope tuning

Scanning profile

18b. Cloud Storage (

vigolium storage

)

List all objects under the active project

Upload a single file

Download an object (streams to stdout by default)

Download a scan's result bundle (tries native-scans/ then agentic-scans/)

Generate a presigned GET or PUT URL for direct upload/download

Delete one or more objects (prompts unless -F)

19. Project Management

Create a project

List projects

Use a project (sets default for subsequent commands)

Scope CLI operations to a project

Project-scoped database access

20. Writing and Running Custom Extensions

Install preset examples

View API reference

Quick-test JS code inline

Run a custom extension against a target

Run during a full scan (extensions run alongside built-in modules)

Run only extensions, skip built-in modules

21. JavaScript Execution (vigolium js)

Execute inline JS with full vigolium.* API access

Execute JS from a file

TypeScript auto-transpilation

From stdin (ideal for agent/pipe workflows)

With target context (accessible as TARGET variable)

Custom timeout and text output format

Complex scripting: ingest, query, and annotate

22. Session Logs (vigolium log)

List all native + agentic sessions with log status

View a session's runtime.log (auto-follows if the session is still running)

Tail last N lines

Show the full log

Follow live output (tail -f)

Strip ANSI color codes (useful when piping to a file)

Interactive TUI picker

23. Data Import (vigolium import)

Import an audit output folder (contains audit-state.json + findings-draft/)

Import a JSONL export (supports http_record and finding envelopes)

24. Initialization & Reset

Create ~/.vigolium with defaults (config, DB schema, profiles, prompts, extensions, SAST rules)

Regenerate the API key and re-extract all preset data

Wipe ~/.vigolium entirely and reinitialize (prompts for confirmation; use -F/--force to skip)

Diagnose installation health (binaries, paths, permissions)

Key Global Flags