← Back to Docs

Quick Start

Prerequisites

  • Python 3.12 or higher
  • pip (included with Python)
  • git (optional, required for --changed-only)

Installation

From PyPI

pip install vigil-ai-cli

From source (development)

git clone https://github.com/org/vigil.git
cd vigil
python3.12 -m venv .venv
source .venv/bin/activate    # Linux/macOS
# .venv\Scripts\activate     # Windows
pip install -e ".[dev]"

Verify installation

vigil --version
# vigil, version 0.2.0

First scan

Run vigil on your project directory:

vigil scan src/

Example output when no issues are found:

  vigil v0.2.0 — scanned 42 files

  No findings.

  -------------------------------------------------
  42 files scanned in 0.5s
  0 findings

Example output with findings:

  vigil v0.2.0 — scanned 42 files

  X CRITICAL  DEP-001  requirements.txt:14
    Package 'python-jwt-utils' does not exist in pypi.
    This is likely a hallucinated dependency from an AI agent.
    -> Suggestion: Remove 'python-jwt-utils' and find the correct package name.

  X HIGH      AUTH-005  src/main.py:8
    CORS configured with '*' allowing requests from any origin.
    -> Suggestion: Restrict CORS to specific trusted origins.

  -------------------------------------------------
  42 files scanned in 1.2s
  2 findings: 1 critical, 1 high
  analyzers: dependency, auth

Basic concepts

What is a finding

A finding is a security issue detected by vigil. Each finding has:

  • rule_id: Unique rule identifier (e.g. DEP-001, AUTH-005)
  • severity: Severity level (critical, high, medium, low, info)
  • message: Description of the problem found
  • location: File and line where it was detected
  • suggestion: Concrete recommendation to fix it

Severity levels

LevelMeaningExit code
criticalMust be fixed before merge. Immediate security risk.1
highShould be fixed before merge. Significant risk.1
mediumShould be fixed, not necessarily before merge.0*
lowInformational, good practice.0*
infoInformational only, not a problem.0*

*By default, vigil fails (exit code 1) with high or above findings. This can be changed with --fail-on.

Categories

vigil organizes its rules into categories:

CategoryPrefixWhat it detects
Dependency HallucinationDEP-Non-existent packages, typosquatting, suspiciously new packages
Auth & PermissionAUTH-Endpoints without auth, open CORS, insecure JWT, cookies without flags
Secrets & CredentialsSEC-Placeholder secrets, hardcoded credentials, connection strings
Test QualityTEST-Tests without asserts, trivial asserts, skipped tests without reason

Exit codes

CodeMeaning
0No findings above the threshold
1Findings found above the threshold
2Execution error (invalid config, network error, etc.)

What is active now

In the current version (v0.2.0), the Dependency Analyzer is fully functional:

  • Detects packages that don’t exist on PyPI/npm (slopsquatting)
  • Detects names similar to popular packages (typosquatting)
  • Verifies that pinned versions exist
  • Detects suspiciously new packages
  • Detects packages without source repository
# Verify project dependencies
vigil deps

# Static checks only (no HTTP)
vigil deps --offline

The Auth, Secrets, and Test Quality analyzers are being implemented and will be available in future versions.

Next steps

  • Generate a configuration file: vigil init
  • Explore all rules: vigil rules
  • Analyze dependencies only: vigil deps --verify
  • Analyze test quality only: vigil tests tests/
  • Integrate vigil in your CI/CD: see CI/CD Integration
  • Check active analyzers: see Analyzers
  • Check the full CLI reference: see CLI Reference