What is Vigolium? A complete guide to the open source vulnerability scanner

Posted on by
Contents show
What is Vigolium? A complete guide to the open source vulnerability scanner
What is Vigolium? A complete guide to the open source vulnerability scanner

What is Vigolium? A complete guide to the open source vulnerability scanner

Security teams have a problem most vendors won't admit out loud: their scanners lie. Not deliberately, but structurally. They flood reports with noise, miss the things that matter, and operate like black boxes that nobody fully trusts. Vigolium, an open source vulnerability scanner that fuses deterministic scanning with an in-process AI agent runtime, is a direct answer to that problem.

It launched its initial open source release in May 2026 and already carries 477 stars on GitHub. More than 235 scanner modules ship out of the box. But the module count alone understates what makes this tool different.

The two scanning modes that define it

Vigolium does not ask you to choose between speed and intelligence. It gives you both, through two distinct but complementary approaches.

The first is its native, deterministic scanning pipeline. This covers content discovery, browser-based spidering of single-page applications, active fuzzing, and passive pattern matching, all across 251 modules at the time of writing. The scope spans injection attacks, access control weaknesses, file and path traversal, API and protocol flaws, framework-specific issues, cloud and infrastructure misconfigurations, and out-of-band vulnerabilities using OAST callbacks. Think of it as a methodical machine that runs the same rigorous process every time, without drift.

The second mode is vigolium agent. This is where an LLM takes the wheel. The agent autonomously plans its attack approach, selects the modules it needs, generates custom JavaScript extensions to fill gaps, runs source code audits alongside dynamic scans, and triages its own findings before surfacing them to you. The AI component runs through an in-process engine called olium, which means there are no subprocess pools, no external SDK calls creating latency, and no context switching between the native scanner and the AI layer.

Both modes share one finding schema and one database. That matters more than it sounds.

How the agentic engine actually works

The olium engine is a turn-based loop with a built-in tool registry, skills support, and pluggable provider drivers. It connects to your LLM provider, whether that is Anthropic Claude via API key or OAuth, OpenAI, or Google Vertex AI, and runs autonomously within whatever budget constraints you set.

The agent has three primary operating modes:

Autopilot handles end-to-end autonomous scanning. Point it at a target and it discovers endpoints, plans the attack surface, runs scans, and triages the output without intervention. You can also feed it source code alongside the live target so it combines static analysis with dynamic testing in a single pass. The –diff flag lets it focus specifically on changes between two Git refs, which is useful for reviewing a pull request before it merges.

Swarm is more surgical. It handles AI-guided targeted testing, where you can direct it at a specific URL and vulnerability class. vigolium agent swarm -t https://example.com/api/users –vuln-type sqli is a single command that focuses the full intelligence of the agent on SQL injection at that endpoint. The –discover flag tells it to first enumerate the full scope before targeting.

Query mode enables single-shot prompts for tasks like code review, endpoint discovery, or secret detection. No scan loop, just a direct answer.

The agents also include a unified dispatcher called vigolium agent audit, which runs either the vigolium-audit harness, the piolium harness, or both back-to-back, with –driver=auto|both|audit|piolium controlling the selection. Post-pass deduplication collapses results into a unified finding set.

Budget caps and why they matter

Autonomous tools that can consume unbounded compute are a liability. Vigolium exposes four independent caps on agent behavior: token budget, tool call count, triage iteration count, and wall-clock duration.

Jessie Ho, the author, described the philosophy to Help Net Security: time-boxed penetration tests and CI runs should lean on wall-clock and iteration caps so the scan always finishes on schedule. For a deep dive on a single target, loosen the token budget and let the agent re-plan. For broad sweeps across many targets, keep per-target budgets tight, or one target that hits a rabbit hole will consume everything allocated for the whole batch.

The failure modes at both extremes are real. Too little budget and the agent gets cut mid-lead, producing a low-confidence stub that takes more work to evaluate than it saves. Too much and it wanders, burns money, and adds noise. The recommendation from the author is to start tight and open the caps only when genuine work is being cut short.

This kind of explicit budget exposure is rare in security tooling. Most agentic systems either hide the cost from the operator or make it hard to tune. Vigolium surfaces it as first-class configuration.

Triage as a separate phase, not an afterthought

One persistent failure mode in LLM-assisted security tooling is the plausible-sounding finding that does not reproduce. The AI confidently reports a vulnerability that turns out to be noise, and a human has to spend time proving a negative.

Vigolium addresses this structurally. After scanning, a separate triage pass re-checks each candidate finding against its evidence. The scanner finds candidates, then the dedicated triage pass re-evaluates each one. On deduplication, the design leans toward merging over deletion. It collapses duplicate reports of the same issue but never makes keep-or-kill decisions on borderline findings. Anything the agent is uncertain about gets downgraded and shown, never quietly dropped.

This distinction matters operationally. A system that quietly drops borderline findings is a system you cannot trust with high-severity assessments. Vigolium's approach means the output is conservative in the right direction: you may see more findings than strictly necessary, but you will not miss something that got silently filtered.

The scanning pipeline in depth

The native scan pipeline breaks into modular layers, each separately documented at docs.vigolium.com.

Discovery uses adaptive directory and file enumeration with fingerprint-based soft-404 detection. This handles the common problem where a server returns 200 OK for every missing path, which breaks naive directory bruting. Vigolium's approach detects the pattern and adjusts.

Spidering is Chromium-driven via the Chrome DevTools Protocol. It captures traffic as it runs, including requests generated by JavaScript-heavy applications, and feeds that traffic directly into the audit phase. The spidering component, called Spitolas internally, handles state machines in SPAs rather than treating every URL as a static page.

The audit phase runs 154 active modules and 97 passive modules at current count. Active modules fuzz inputs with generated payloads. Passive modules analyze responses without modifying requests, which matters when you need to avoid disrupting a production environment. The DiffScan framework compares baseline and modified responses to reduce false positives in the active modules.

OAST support handles blind vulnerabilities through interactsh callbacks. Blind XSS, blind SSRF, and blind command injection all require out-of-band channels to confirm exploitation, and this is built in with automatic payload correlation so findings link back to the specific injection point that triggered the callback.

Input formats and authentication

The scanner accepts target input in multiple formats: plain URLs, OpenAPI and Swagger specifications, Postman collections, Burp Suite XML exports, raw cURL commands, and Nuclei JSONL. If you have an existing API specification, you can hand it directly to Vigolium and it will build its target list from the defined endpoints rather than requiring discovery.

Authentication support goes deeper than a simple header injection. Vigolium supports three approaches: inline session definition via CLI flag (name:Header:value), session files in YAML or JSON, and full auth configs that describe automated login flows with token extraction from cookies, JSON responses, or headers. The login flow config handles multi-step authentication sequences, which is necessary for any modern application using OAuth or session-based auth with CSRF tokens.

Multi-session scanning for IDOR and BOLA testing is a first-class feature. You can define an admin session and a regular user session, then let the scanner probe endpoints with each to check whether the lower-privileged account can access data or actions it should not.

JavaScript extensions without recompiling

One of the more practical capabilities in Vigolium is its embedded JavaScript engine for writing custom scan modules and hooks. You can run arbitrary JavaScript against a target, with access to session-aware HTTP APIs, without recompiling the tool from source.

A basic example:

let r = vigolium.http.get(TARGET);

console.log(r.status);

More sophisticated extensions can create persistent sessions with shared cookie jars, automate login flows, and run IDOR tests across multiple authenticated sessions in parallel. Race condition testing, HTTP request replay with variations, and multi-step authentication sequences are all achievable through the extension API.

The extension system comes with an important security caveat that deserves emphasis: extensions run arbitrary code with no sandbox. The author made this explicit and it is documented in the security warning section of the docs. Treat untrusted extensions the same way you would treat untrusted executables.

MCP server integration for agentic workflows

Vigolium's agent architecture opens interesting possibilities when combined with MCP (Model Context Protocol) servers. Teams using the Anthropic API as their provider can connect Vigolium's agent to external tooling through the MCP ecosystem, enabling workflows where scan findings flow directly into issue trackers, Slack channels, or CI/CD pipelines.

For example, connecting the agent to the GitHub MCP server lets it read source code from repositories, understand diff context, and run targeted scans on changed files. The Atlassian Jira MCP server can receive findings automatically and create tickets with full evidence attached. The Slack MCP server enables real-time scan alerts to security channels without any custom integration work.

This composability is a direct consequence of building the agent on a pluggable provider architecture with a built-in tool registry. The agent's olium engine supports skills, and the combination of MCP servers with those skills means the agent can be given access to whatever external context the engagement needs.

For teams running Vigolium in CI pipelines, pairing it with the GitHub Actions MCP server gives the agent visibility into the build context, which lets it scope scans to the specific features being deployed rather than rescanning an entire application on every commit.

Server mode and traffic ingestion

Vigolium runs as a persistent API server with SSE streaming and an OpenAI-compatible chat endpoint. This opens several operational patterns beyond the standard command-line scan.

The ingest proxy records HTTP traffic transparently. Pointing your browser or API client through the proxy while performing manual testing populates the scanner's traffic database, which can then be rescanned, replayed with mutations, or fed to the agent for analysis. If you have existing Burp Suite sessions, those export directly as input.

The –scan-on-receive flag triggers an automated scan pass every time new traffic arrives, which is useful in continuous testing environments where you want findings as soon as new endpoints are discovered.

The REST API exposes scan control, finding management, traffic replay, and project management, all with authentication and SSE streaming for long-running operations. The server documentation covers the full reference.

A Burp Suite plugin forwards live traffic directly to a running Vigolium server, which means existing manual testing workflows can feed the scanner without exporting files.

Open source core, commercial operations layer

Vigolium ships under the GNU Affero General Public License v3.0. Derivative works must remain open under the same terms. The commercial product, Cloud Console, sits on top of the open core and handles managed scanning, centralized reporting, team collaboration, and scheduling.

The author drew the boundary in explicit terms: anything that finds bugs stays in the AGPL repository. The Cloud Console handles operations, hosting, and scale. The trust model rests on a commitment that new detection capability lands in the open repository first, not behind the commercial tier.

For teams evaluating whether to build on Vigolium, this split matters. The scanner itself, including all its detection modules and agent capabilities, is auditable and modifiable. You are not dependent on a vendor's undisclosed logic for your vulnerability findings.

The full source is at github.com/vigolium/vigolium. Installation is straightforward:

curl -fsSL https://vigolium.com/install.sh | sh

# or via npm

npm install -g @vigolium/vigolium

# or via Docker

docker pull j3ssie/vigolium:latest

A note on the extension registry question

When asked whether a community module registry might emerge, the author gave a measured answer that reflects the real risks of such a system. Extensions run arbitrary code with no sandbox, so a registry is essentially distributing executables. Code signing only identifies the author; it does not establish that the code is safe.

Any sharing mechanism that earns trust would need provenance tracking, signing, an untrusted-by-default posture with explicit user opt-in, and active curation rather than open submission. The principle from the author: a small vetted set is more useful than a large unvetted marketplace.

This is an honest position that most open source projects avoid stating clearly because it limits adoption. The fact that it is stated up front reflects a project that prioritizes operational safety over growth metrics.

What this tool is not

Vigolium is an offensive security tool. The agent mode runs with full shell, file, and network access on the host. Running it against targets you do not have written permission to test is illegal in most jurisdictions, and running it in agent mode on a shared or production machine without isolation is a security risk to the host environment.

The security warning documentation should be read before any engagement. The recommended posture is to run agent mode in a disposable container or VM scoped to the specific engagement, and to treat every untrusted extension as untrusted code.

Vulnerabilities in Vigolium itself should be reported privately, not as public GitHub issues.

Where it sits in the landscape

The open source security tooling space has good point solutions. Nuclei from ProjectDiscovery runs template-based detection at scale. OWASP ZAP provides a capable proxy and scanner with a long track record. Burp Suite Community Edition remains the standard for manual testing. Semgrep handles static analysis across many languages.

What Vigolium attempts is the fusion of all of these into a single tool with an AI layer that can reason about the findings, not just report them. Whether the approach holds up at scale and across the full variety of real-world targets is something the project will prove over time through its benchmarking against intentionally vulnerable applications and its track record in bug bounty programs, both of which the author cites as active parts of the testing process.

The initial release already handles enough of the vulnerability surface that teams can run it as a primary scanner for web application assessments. The agent capabilities are the part worth watching closely, not because AI in security is new, but because the execution here, building the agent runtime in-process, exposing budget controls, running triage as a dedicated phase, and keeping the LLM honest by backing it with a deterministic scan engine, addresses the specific failure modes that have made earlier attempts at agentic security tooling hard to trust.

The project page is at vigolium.com, and the documentation lives at docs.vigolium.com.

More Posts:
Subscription Form