vigil Documentation
Welcome to the documentation for vigil, the security scanner for AI-generated code.
Table of Contents
| Document | Description |
|---|---|
| Quick Start | Installation, first scan, and basic concepts |
| CLI Reference | All commands, flags, and options available |
| Configuration | .vigil.yaml file, strategies, overrides, and config merge |
| Rules | Complete catalog of all 26 rules with vulnerable code examples |
| Output Formats | Human, JSON, JUnit XML, and SARIF 2.1.0 |
| CI/CD Integration | GitHub Actions, GitLab CI, pre-commit hooks, and quality gates |
| Docker | Container usage, reference Dockerfile, and best practices |
| Security | Threat model, what vigil detects, OWASP alignment, and limitations |
| Analyzers | Technical reference for implemented analyzers (DependencyAnalyzer) |
| Architecture | Internal structure, engine flow, analyzer protocol |
| Best Practices | Recommendations for teams using AI agents to generate code |
| Contributing | Guide to contributing to the project, development setup, and testing |
Project Status
vigil is in active development. The current version (v0.2.0) includes:
- Full CLI with 5 subcommands (`scan`, `deps`, `tests`, `init`, `rules`)
- Analysis engine with support for multiple analyzers
- Dependency Analyzer active — detects hallucinated packages, typosquatting, nonexistent versions (DEP-001, DEP-002, DEP-003, DEP-005, DEP-007)
- 26 rules defined across 4 categories
- 4 output formats (human, JSON, JUnit XML, SARIF 2.1.0)
- Configuration system with YAML, presets, and CLI overrides
- 632 unit tests (~94% coverage)
The remaining analyzers (Auth, Secrets, Test Quality) are being implemented progressively.