← Back to Docs

CLI Reference

vigil runs from the command line. All subcommands, options, and examples are documented below.

General usage

vigil [OPTIONS] COMMAND [ARGS]

Global options

OptionDescription
--versionShow the vigil version
--helpShow general help

vigil scan

Main command. Scans code for security issues specific to AI-generated code.

Syntax

vigil scan [PATHS...] [OPTIONS]

If no paths are specified, scans the current directory (.).

Options

OptionShort formTypeDefaultDescription
--config-cPATHAuto-detectPath to the .vigil.yaml file
--format-fhuman|json|junit|sarifhumanOutput format
--output-oPATHstdoutFile to write the report to
--fail-oncritical|high|medium|lowhighMinimum severity to fail (exit 1)
--category-CmultipleallOnly run specific categories
--rule-rmultipleallOnly run specific rules
--exclude-rule-RmultiplenoneExclude specific rules
--language-lpython|javascriptallOnly scan specific languages
--offlineflagfalseDo not make HTTP requests to registries
--changed-onlyflagfalseOnly scan files changed since the last commit
--verbose-vflagfalseDetailed output with debug logs
--quiet-qflagfalseOnly show findings, no summary

Examples

# Basic scan
vigil scan src/

# Scan multiple directories
vigil scan src/ lib/ app/

# Dependencies and secrets only
vigil scan src/ -C dependency -C secrets

# Only a specific rule
vigil scan src/ -r DEP-001

# Exclude rules that don't apply to your project
vigil scan src/ -R AUTH-003 -R TEST-004

# Python only
vigil scan src/ -l python

# Generate SARIF report for GitHub Code Scanning
vigil scan src/ -f sarif -o vigil.sarif

# Generate JSON report
vigil scan src/ -f json -o report.json

# Generate JUnit report for CI dashboards
vigil scan src/ -f junit -o report.xml

# Fail only with critical findings
vigil scan src/ --fail-on critical

# Fail from medium and above
vigil scan src/ --fail-on medium

# No HTTP requests (static checks only)
vigil scan src/ --offline

# Changed files only (ideal for pre-commit)
vigil scan --changed-only

# With a custom config file
vigil scan src/ -c my-vigil.yaml

# Detailed output for debugging
vigil scan src/ -v

# Save report to file AND display in terminal (human format only)
vigil scan src/ -o report.txt

Output behavior

  • human format: If --output is specified, the report is written to the file AND displayed in the terminal.
  • json, junit, sarif formats: If --output is specified, the report is only written to the file. If not, it is displayed on stdout.
  • --verbose: Debug logs go to stderr. Findings go to stdout. They are never mixed.

vigil deps

Specialized subcommand for analyzing dependencies. Only runs rules from the dependency category.

Syntax

vigil deps [PATH] [OPTIONS]

Options

OptionShort formTypeDefaultDescription
--verify / --no-verifyflag--verifyVerify package existence in the registry
--format-fhuman|jsonhumanOutput format
--offlineflagfalseDo not make HTTP requests
--verbose-vflagfalseDetailed output

Examples

# Verify dependencies of the current project
vigil deps

# Verify a specific project
vigil deps /path/to/project

# Static checks only, without verifying registries
vigil deps --no-verify

# JSON output
vigil deps -f json

Files analyzed

vigil automatically detects the following dependency files:

FileEcosystem
requirements.txtPyPI (Python)
requirements-dev.txtPyPI (Python)
requirements-test.txtPyPI (Python)
pyproject.tomlPyPI (Python)
setup.pyPyPI (Python)
setup.cfgPyPI (Python)
package.jsonnpm (JavaScript)

vigil tests

Specialized subcommand for analyzing test quality. Only runs rules from the test-quality category.

Syntax

vigil tests [TEST_PATHS...] [OPTIONS]

If no paths are specified, analyzes the tests/ directory.

Options

OptionShort formTypeDefaultDescription
--format-fhuman|jsonhumanOutput format
--min-assertionsint1Minimum assertions per test
--verbose-vflagfalseDetailed output

Examples

# Analyze the default tests directory
vigil tests

# Analyze a specific directory
vigil tests tests/ spec/

# Require at least 2 assertions per test
vigil tests --min-assertions 2

# JSON output
vigil tests -f json

vigil init

Generates a .vigil.yaml configuration file with sensible defaults.

Syntax

vigil init [PATH] [OPTIONS]

Options

OptionTypeDefaultDescription
--strategystrict|standard|relaxedstandardConfiguration preset
--forceflagfalseOverwrite existing file

Strategies

Strategyfail_onmin_age_daysmax_token_lifetime_hoursRecommended use
strictmedium601Environments with high compliance requirements
standardhigh3024Most projects
relaxedcritical772Prototypes or early-stage projects

Examples

# Generate config with defaults
vigil init

# Generate strict config
vigil init --strategy strict

# Generate config in another directory
vigil init /path/to/project

# Overwrite existing config
vigil init --force

vigil rules

Lists all available rules with their descriptions, severities, and standard references.

Syntax

vigil rules

Example output

  DEPENDENCY
  ----------------------------------------
  DEP-001    CRITICAL  Hallucinated dependency
                       Package declared as dependency does not exist in the public registry.
                       [OWASP: LLM03, CWE-829]
  DEP-002    HIGH      Suspiciously new dependency
                       Package exists but was published less than 30 days ago.
                       [OWASP: LLM03]
  ...

  AUTH
  ----------------------------------------
  AUTH-001   HIGH      Unprotected sensitive endpoint
                       Endpoint handling sensitive data without authentication middleware.
                       [OWASP: LLM06, CWE-306]
  ...

Exit codes

All scan subcommands (scan, deps, tests) use the same exit codes:

CodeConstantMeaning
0SUCCESSNo findings above the configured threshold
1FINDINGSFindings found above the threshold
2ERRORRuntime error

Usage in scripts

# Use in a CI script
vigil scan src/ --fail-on high
if [ $? -eq 1 ]; then
    echo "vigil found security issues"
    exit 1
fi

# Use with logical operators
vigil scan src/ && echo "Clean" || echo "Findings found"

Alternative invocation

vigil can also be run as a Python module:

python -m vigil scan src/
python -m vigil --help

This is useful when vigil is not in the PATH or when working with multiple virtual environments.