vigolium by vigolium

High-fidelity vulnerability scanner fusing agentic AI with native speed

Created 3 months ago
652 stars

Top 50.7% on SourcePulse

Project Summary

Vigolium is a high-fidelity vulnerability scanner merging a fast, modular native engine with an AI-driven agentic mode for deep codebase auditing. It targets security engineers and researchers, offering both broad coverage and intelligent, autonomous vulnerability discovery to enhance security assessment efficiency and depth.

How It Works

Vigolium provides two modes: "Native Scan" uses a deterministic, multi-phase pipeline with over 250 modules for comprehensive discovery, spidering, and active/passive auditing. "Agentic Scan" employs AI to autonomously plan attacks, select modules, generate extensions, and triage findings by analyzing codebases and planning targeted assessments. This dual approach enables rapid, broad scanning alongside in-depth, code-aware analysis.

Quick Start & Requirements

  • Installation: The recommended method is curl -fsSL https://vigolium.com/install.sh | bash. Alternatives are npm (npm install -g @vigolium/vigolium) and Docker (docker pull j3ssie/vigolium:latest).
  • Build from Source: Requires Go 1.26+ and bun 1.3.11+. Refer to HACKING.md for build details.
  • Documentation: Full documentation available at docs.vigolium.com.

Highlighted Details

  • Native Scan: Features 235+ modules (144+ active, 91+ passive), Out-of-Band Application Security Testing (OAST), value-aware parameter mutation, and a multi-phase pipeline (discovery, spidering, audit).
  • Agentic Scan: Utilizes an in-process olium runtime for autonomous planning and triage, supporting source-code auditing drivers and pluggable LLM providers (OpenAI, Anthropic, Google Vertex).
  • JavaScript Extensions: Enables custom modules and hooks via an embedded JS engine with session-aware HTTP APIs for dynamic testing.
  • Scalability: Supports concurrent workers, rate limiting, hybrid queues, and self-contained HTML reports.

Maintenance & Community

The project is primarily maintained by @j3ssie, with @theblackturtle as a core initial contributor. No specific community channels or roadmap links were detailed in the provided README.

Licensing & Compatibility

Released under the GNU Affero General Public License v3.0 (AGPL-3.0). Derivative works must remain open source under the same terms, imposing strong copyleft requirements that may restrict integration into closed-source commercial products.

Limitations & Caveats

Agent mode runs with no sandbox, granting the LLM full host access (shell, file system, network). Extensions can also execute arbitrary commands. Users must run agent mode in a disposable container or VM and treat untrusted extensions with extreme caution, as detailed in SECURITY.md.

Health Check

  • Last Commit: 12 hours ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 10
  • Issues (30d): 6
  • Star History: 654 stars in the last 30 days
