← Back to Docs

Quick Start

Prerequisites

  • Python 3.12 or higher
  • pip (included with Python)
  • git (optional, required for --changed-only)

Installation

From PyPI

pip install vigil-ai-cli

From source (development)

git clone https://github.com/org/vigil.git
cd vigil
python3.12 -m venv .venv
source .venv/bin/activate    # Linux/macOS
# .venv\Scripts\activate     # Windows
pip install -e ".[dev]"

Verify the installation

vigil --version
# vigil, version 0.5.0

First scan

Run vigil on your project directory:

vigil scan src/

Example output when there are no issues:

  vigil v0.5.0 — scanned 42 files

  No findings.

  -------------------------------------------------
  42 files scanned in 0.5s
  0 findings

Example output with findings:

  vigil v0.5.0 — scanned 42 files

  X CRITICAL  DEP-001  requirements.txt:14
    Package 'python-jwt-utils' does not exist in pypi.
    This is likely a hallucinated dependency from an AI agent.
    -> Suggestion: Remove 'python-jwt-utils' and find the correct package name.

  X HIGH      AUTH-005  src/main.py:8
    CORS configured with '*' allowing requests from any origin.
    -> Suggestion: Restrict CORS to specific trusted origins.

  -------------------------------------------------
  42 files scanned in 1.2s
  2 findings: 1 critical, 1 high
  analyzers: dependency, auth

Basic concepts

What is a finding

A finding is a security issue detected by vigil. Each finding has:

  • rule_id: Unique identifier for the rule (e.g., DEP-001, AUTH-005)
  • severity: Severity level (critical, high, medium, low, info)
  • message: Description of the problem found
  • location: File and line where it was detected
  • suggestion: Concrete recommendation to fix it

Severity levels

LevelMeaningExit code
criticalMust be fixed before merge. Immediate security risk.1
highShould be fixed before merge. Significant risk.1
mediumShould be fixed, not necessarily before merge.0*
lowInformational, good practice.0*
infoInformational only, not a problem.0*

*By default, vigil fails (exit code 1) on high or higher findings. This can be changed with --fail-on.

Categories

vigil organizes its rules into categories:

CategoryPrefixWhat it detects
Dependency HallucinationDEP-Packages that don’t exist, typosquatting, suspiciously new packages
Auth & PermissionAUTH-Endpoints without auth, open CORS, insecure JWT, cookies without flags
Secrets & CredentialsSEC-Secret placeholders, hardcoded credentials, connection strings
Test QualityTEST-Tests without asserts, trivial asserts, tests skipped without reason

Exit codes

CodeMeaning
0No findings above the threshold
1Findings found above the threshold
2Execution error (invalid config, network error, etc.)

What is currently active

In the current version (v0.5.0), all four analyzers are fully functional:

Dependency Analyzer (DEP-001 through DEP-007)

  • Detects packages that don’t exist in PyPI/npm (slopsquatting)
  • Detects names similar to popular packages (typosquatting)
  • Verifies that pinned versions exist
  • Detects suspiciously new packages and packages without a source repository

Auth Analyzer (AUTH-001 through AUTH-007)

  • Detects endpoints without authentication middleware
  • Detects CORS configured with *
  • Detects JWT with excessive lifetime or hardcoded secret
  • Detects cookies without security flags
  • Detects non timing-safe password comparison

Secrets Analyzer (SEC-001 through SEC-006)

  • Detects placeholders copied from documentation or .env.example
  • Detects secrets with low entropy (generated by AI)
  • Detects connection strings with embedded credentials
  • Detects environment variables with sensitive defaults

Test Quality Analyzer (TEST-001 through TEST-006)

  • Detects tests without assertions (test theater)
  • Detects trivial assertions (assert True, toBeTruthy())
  • Detects catch-all exceptions in tests
  • Detects skipped tests without justification
  • Detects API tests without status code verification
  • Detects mock mirrors (test only verifies that the mock works)
# Full scan (deps + auth + secrets + tests)
vigil scan src/

# Dependencies only
vigil deps

# Test quality only
vigil tests tests/

# Static checks only (no HTTP)
vigil scan src/ --offline

Next steps

  • Generate a configuration file: vigil init
  • Explore all rules: vigil rules
  • Analyze dependencies only: vigil deps --verify
  • Analyze test quality only: vigil tests tests/
  • Integrate vigil in your CI/CD: see CI/CD Integration
  • Check the active analyzers: see Analyzers
  • Check the complete CLI reference: see CLI Reference