Your AI writes code fast.
Also vulnerabilities.
Vigil is the first deterministic security scanner designed for AI-generated code. It detects slopsquatting, hallucinations, and fake tests in seconds.
pip install vigil-ai-cli
The Gap Semgrep Doesn't Cover
Traditional tools look for CVEs in human code. AI agents introduce a new 0-day attack vector that current scanners ignore.
Fake Dependencies
Of packages recommended by LLMs don't exist in any registry. They're hallucinations waiting to be hijacked by an attacker.
Vulnerable Code
Of AI-generated code contains security flaws like over-permission, disabled CORS, or empty asserts in tests.
Slopsquatting Risk
Hallucinated names are repeatable. Attackers register those packages on npm or PyPI to inject malware directly into your machine.
Linter Capabilities
Dependency Hallucination
Verifies real existence of dependencies. Blocks the Slopsquatting attack vector by checking npm, PyPI, and crates.io repositories in real time.
- ✓ Detects non-existent packages
- ✓ Alerts on packages < 30 days old
- ✓ Prevents advanced typosquatting
"Test Theater" Detection
LLMs often generate tests that increase coverage but test nothing. Vigil reads the semantic meaning of the test.
- ✓ Identifies test functions without asserts
- ✓ Detects mocks that replicate implementation
- ✓ Alerts on useless assertions (e.g. is_not_None)
Over-Permission & Auth Gaps
AIs prioritize making code "work" over making it secure, opening endpoints and disabling CORS to avoid errors.
- ✓ Sensitive endpoints without Auth middleware
- ✓ Permissively configured CORS (*)
- ✓ Files with 777 permissions
Secrets & Placeholders
Prevents hardcoded secrets or example values (copied from .env.example) from reaching your production environment.
- ✓ Values like "sk-your-key-here" or "TODO"
- ✓ Weak or default JWT Secrets
- ✓ Static credentials with low entropy
Frictionless Integration
Vigil is a pure CLI. It integrates into your existing pipeline in minutes and generates reports in standard formats.
repos:
  - repo: https://github.com/Diego303/vigil-cli
    rev: v1.0.0
    hooks:
      - id: vigil
        args: [scan, --changed-only]

- name: Scan AI Code
  run: |
    vigil scan src/ \
      --format sarif \
      --output report.sarif
- uses: github/codeql-action/upload-sarif
  with:
    sarif_file: report.sarif

# In your .architect.yaml
guardrails:
  quality_gates:
    - name: vigil
      command: "vigil scan src/"
      required: true

Attack Vector: Slopsquatting
LLMs hallucinate package names that don't exist. An attacker registers that name with malware. Vigil intercepts it before it reaches your machine.
The attacker uploads malware to PyPI with that repeatable fake name.
The developer or CI/CD avoids running malicious pip install.
Secure your code today
Install ruff for style. Install Semgrep for CVEs.
Install Vigil for AI hallucinations.
pip install vigil-ai-cli