← Back to Docs

Quick Start

Prerequisites

  • Python 3.12 or higher
  • pip (included with Python)
  • git (optional, required for --changed-only)

Installation

From PyPI

pip install vigil-ai-cli

From source (development)

git clone https://github.com/org/vigil.git
cd vigil
python3.12 -m venv .venv
source .venv/bin/activate    # Linux/macOS
# .venv\Scripts\activate     # Windows
pip install -e ".[dev]"

Verify the installation

vigil --version
# vigil, version 0.4.0

First scan

Run vigil on your project directory:

vigil scan src/

Example output when there are no issues:

  vigil v0.4.0 — scanned 42 files

  No findings.

  -------------------------------------------------
  42 files scanned in 0.5s
  0 findings

Example output with findings:

  vigil v0.4.0 — scanned 42 files

  X CRITICAL  DEP-001  requirements.txt:14
    Package 'python-jwt-utils' does not exist in pypi.
    This is likely a hallucinated dependency from an AI agent.
    -> Suggestion: Remove 'python-jwt-utils' and find the correct package name.

  X HIGH      AUTH-005  src/main.py:8
    CORS configured with '*' allowing requests from any origin.
    -> Suggestion: Restrict CORS to specific trusted origins.

  -------------------------------------------------
  42 files scanned in 1.2s
  2 findings: 1 critical, 1 high
  analyzers: dependency, auth

Basic concepts

What is a finding

A finding is a security issue detected by vigil. Each finding has:

  • rule_id: Unique identifier of the rule (e.g. DEP-001, AUTH-005)
  • severity: Severity level (critical, high, medium, low, info)
  • message: Description of the problem found
  • location: File and line where it was detected
  • suggestion: Concrete recommendation to fix it

Severity levels

LevelMeaningExit code
criticalMust be fixed before merge. Immediate security risk.1
highShould be fixed before merge. Significant risk.1
mediumShould be fixed, not necessarily before merge.0*
lowInformational, good practice.0*
infoInformational only, not a problem.0*

*By default, vigil fails (exit code 1) on high or higher findings. This can be changed with --fail-on.

Categories

vigil organizes its rules into categories:

CategoryPrefixWhat it detects
Dependency HallucinationDEP-Packages that don’t exist, typosquatting, suspiciously new packages
Auth & PermissionAUTH-Endpoints without auth, open CORS, insecure JWT, cookies without flags
Secrets & CredentialsSEC-Placeholder secrets, hardcoded credentials, connection strings
Test QualityTEST-Tests without asserts, trivial asserts, skipped tests without reason

Exit codes

CodeMeaning
0No findings above the threshold
1Findings found above the threshold
2Runtime error (invalid config, network error, etc.)

What is currently active

In the current version (v0.4.0), all four analyzers are fully functional:

Dependency Analyzer (DEP-001 through DEP-007)

  • Detects packages that don’t exist on PyPI/npm (slopsquatting)
  • Detects names similar to popular packages (typosquatting)
  • Verifies that pinned versions exist
  • Detects suspiciously new packages and packages without a source repository

Auth Analyzer (AUTH-001 through AUTH-007)

  • Detects endpoints without authentication middleware
  • Detects CORS configured with *
  • Detects JWT with excessive lifetime or hardcoded secret
  • Detects cookies without security flags
  • Detects non-timing-safe password comparison

Secrets Analyzer (SEC-001 through SEC-006)

  • Detects placeholders copied from documentation or .env.example
  • Detects low-entropy secrets (generated by AI)
  • Detects connection strings with embedded credentials
  • Detects environment variables with sensitive defaults

Test Quality Analyzer (TEST-001 through TEST-006)

  • Detects tests without assertions (test theater)
  • Detects trivial assertions (assert True, toBeTruthy())
  • Detects catch-all exceptions in tests
  • Detects skipped tests without justification
  • Detects API tests without status code verification
  • Detects mock mirrors (test only proves the mock works)
# Scan completo (deps + auth + secrets + tests)
vigil scan src/

# Solo dependencias
vigil deps

# Solo calidad de tests
vigil tests tests/

# Solo checks estaticos (sin HTTP)
vigil scan src/ --offline

Next steps

  • Generate a configuration file: vigil init
  • Explore all rules: vigil rules
  • Analyze dependencies only: vigil deps --verify
  • Analyze test quality only: vigil tests tests/
  • Integrate vigil into your CI/CD: see CI/CD Integration
  • Check active analyzers: see Analyzers
  • See the full CLI reference: see CLI Reference