← Back to Docs

CLI Reference

vigil runs from the command line. All subcommands, options, and examples are documented below.

General usage

vigil [OPTIONS] COMMAND [ARGS]

Global options

OptionDescription
--versionShows the vigil version
--helpShows the general help

vigil scan

Main command. Scans code for security issues specific to AI-generated code.

Syntax

vigil scan [PATHS...] [OPTIONS]

If no paths are specified, scans the current directory (.).

Options

OptionShort formTypeDefaultDescription
--config-cPATHAuto-detectPath to the .vigil.yaml file
--format-fhuman|json|junit|sarifhumanOutput format
--output-oPATHstdoutFile to write the report to
--fail-oncritical|high|medium|lowhighMinimum severity to fail (exit 1)
--category-CmultipleallOnly run specific categories
--rule-rmultipleallOnly run specific rules
--exclude-rule-RmultiplenoneExclude specific rules
--language-lpython|javascriptallOnly scan specific languages
--offlineflagfalseDo not make HTTP requests to registries
--changed-onlyflagfalseOnly scan files changed since the last commit
--verbose-vflagfalseDetailed output with debug logs
--quiet-qflagfalseOnly show findings, no summary

Examples

# Basic scan
vigil scan src/

# Scan multiple directories
vigil scan src/ lib/ app/

# Dependencies and secrets only
vigil scan src/ -C dependency -C secrets

# Only a specific rule
vigil scan src/ -r DEP-001

# Exclude rules that don't apply to your project
vigil scan src/ -R AUTH-003 -R TEST-004

# Python only
vigil scan src/ -l python

# Generate SARIF report for GitHub Code Scanning
vigil scan src/ -f sarif -o vigil.sarif

# Generate JSON report
vigil scan src/ -f json -o report.json

# Generate JUnit report for CI dashboards
vigil scan src/ -f junit -o report.xml

# Fail only on critical findings
vigil scan src/ --fail-on critical

# Fail from medium and above
vigil scan src/ --fail-on medium

# No HTTP requests (static checks only)
vigil scan src/ --offline

# Only changed files (ideal for pre-commit)
vigil scan --changed-only

# With a custom config file
vigil scan src/ -c my-vigil.yaml

# Detailed output for debugging
vigil scan src/ -v

# Save report to file AND display in terminal (human format only)
vigil scan src/ -o report.txt

Output behavior

  • human format: If --output is specified, the report is written to the file AND displayed in the terminal.
  • json, junit, sarif formats: If --output is specified, the report is only written to the file. Otherwise, it is displayed on stdout.
  • --verbose: Debug logs go to stderr. Findings go to stdout. They are never mixed.

vigil deps

Specialized subcommand for analyzing dependencies. Runs only the rules from the dependency category.

Syntax

vigil deps [PATH] [OPTIONS]

Options

OptionShort formTypeDefaultDescription
--verify / --no-verifyflag--verifyVerify package existence in the registry
--format-fhuman|jsonhumanOutput format
--offlineflagfalseDo not make HTTP requests
--verbose-vflagfalseDetailed output

Examples

# Verify dependencies of the current project
vigil deps

# Verify a specific project
vigil deps /path/to/project

# Static checks only, without verifying registries
vigil deps --no-verify

# JSON output
vigil deps -f json

What files it analyzes

vigil automatically detects the following dependency files:

FileEcosystem
requirements.txtPyPI (Python)
requirements-dev.txtPyPI (Python)
requirements-test.txtPyPI (Python)
pyproject.tomlPyPI (Python)
setup.pyPyPI (Python)
setup.cfgPyPI (Python)
package.jsonnpm (JavaScript)

vigil tests

Specialized subcommand for analyzing test quality. Runs only the rules from the test-quality category.

Syntax

vigil tests [TEST_PATHS...] [OPTIONS]

If no paths are specified, analyzes the tests/ directory.

Options

OptionShort formTypeDefaultDescription
--format-fhuman|jsonhumanOutput format
--min-assertionsint1Minimum assertions per test
--verbose-vflagfalseDetailed output

Examples

# Analyze the default tests directory
vigil tests

# Analyze a specific directory
vigil tests tests/ spec/

# Require at least 2 assertions per test
vigil tests --min-assertions 2

# JSON output
vigil tests -f json

vigil init

Generates a .vigil.yaml configuration file with sensible defaults.

Syntax

vigil init [PATH] [OPTIONS]

Options

OptionTypeDefaultDescription
--strategystrict|standard|relaxedstandardConfiguration preset
--forceflagfalseOverwrite existing file

Strategies

Strategyfail_onmin_age_daysmax_token_lifetime_hoursRecommended use
strictmedium601Environments with high compliance requirements
standardhigh3024Most projects
relaxedcritical772Prototypes or early-stage projects

Examples

# Generate config with defaults
vigil init

# Generate strict config
vigil init --strategy strict

# Generate config in another directory
vigil init /path/to/project

# Overwrite existing config
vigil init --force

vigil rules

Lists all available rules with their descriptions, severities, and references to security standards.

Syntax

vigil rules

Example output

  DEPENDENCY
  ----------------------------------------
  DEP-001    CRITICAL  Hallucinated dependency
                       Package declared as dependency does not exist in the public registry.
                       [OWASP: LLM03, CWE-829]
  DEP-002    HIGH      Suspiciously new dependency
                       Package exists but was published less than 30 days ago.
                       [OWASP: LLM03]
  ...

  AUTH
  ----------------------------------------
  AUTH-001   HIGH      Unprotected sensitive endpoint
                       Endpoint handling sensitive data without authentication middleware.
                       [OWASP: LLM06, CWE-306]
  ...

Exit codes

All scan subcommands (scan, deps, tests) use the same exit codes:

CodeConstantMeaning
0SUCCESSNo findings above the configured threshold
1FINDINGSFindings found above the threshold
2ERRORExecution error

Usage in scripts

# Use in a CI script
vigil scan src/ --fail-on high
if [ $? -eq 1 ]; then
    echo "vigil found security issues"
    exit 1
fi

# Use with logical operators
vigil scan src/ && echo "Clean" || echo "Findings detected"

Alternative invocation

vigil can also be run as a Python module:

python -m vigil scan src/
python -m vigil --help

This is useful when vigil is not in the PATH or when working with multiple virtual environments.