CLI for Virgil — security audits with the triage built in. Real scanners + clustering + LLM priority queue + code-grounded chat. Installs as `virgil` on your PATH.
Project description
virgil
Terminal client for Virgil — security audit with the triage built in. Real scanners + clustering + LLM priority queue + code-grounded chat.
The CLI is a thin shell over the Virgil service. It bundles your working directory, submits a scan, streams progress, and prints the ranked findings with CI-friendly exit codes. Scans run on Virgil's servers and bill against your account's audit credits.
Install
virgil is a CLI tool, so the right installer is pipx — it puts the
binary on your $PATH and isolates the dependencies from your system Python:
pipx install virgilhq
Don't have pipx yet? Either install it once, or fall back to user-mode pip:
# macOS
brew install pipx && pipx ensurepath
# Linux / other
python3 -m pip install --user pipx && pipx ensurepath
# Fallback if you don't want pipx at all:
python3 -m pip install --user virgilhq
The PyPI package is virgilhq (the bare virgil name was already taken).
The command on your $PATH is still just virgil.
Why pipx and not
pip install? Modern Python distributions (Homebrew Python, Debian/Ubuntu's python3, etc.) mark the system interpreter as externally managed per PEP 668 — a barepip installerrors out.pipxquietly handles the venv for you, which is what you want for CLI tools anyway: each one gets its own isolated environment so avirgilupgrade can't break some other tool.
The CLI talks to the hosted service at https://virgilhq.app — no extra
setup. Just virgil login once, then virgil scan . and you're in.
Usage
# Scan and land on triage (counts → ranked clusters → next-steps hint).
virgil scan . # local directory
virgil scan # …also defaults to the cwd
virgil scan github.com/OWASP/NodeGoat # remote, bare host
virgil scan OWASP/NodeGoat # remote, GitHub shorthand
virgil scan https://github.com/OWASP/NodeGoat # remote, full URL
# Land on a different surface after the scan finishes.
virgil scan . --show report # exec narrative
virgil scan . --show surface # languages / frameworks / IaC profile
virgil scan . --show ask_virgil # drop into the chat REPL pre-flighted
# PR mode — only flag findings on lines changed between two SHAs.
virgil scan . --base-sha abc1234 --head-sha def5678
# Don't wait for the scan to finish; print the audit ID and return.
virgil scan . --no-wait
# After a scan, drill in:
virgil clusters <audit-id> # every cluster, sorted by severity
virgil clusters <audit-id> --sev high # filter
virgil cluster <audit-id> <key> # one cluster in detail (prefix match ok)
virgil findings <audit-id> # raw findings table
virgil chat <audit-id> # interactive Q&A grounded in this audit
virgil chat <audit-id> -m "what's the worst finding?" # one-shot
virgil open <audit-id> # launch the web app on the triage tab
virgil open <audit-id> --page chat # …or chat / findings / report / attack-surface
virgil status <audit-id>
# Reports in any supported format.
virgil report <audit-id> --format md
virgil report <audit-id> --format sarif -o findings.sarif
virgil report <audit-id> --format json
virgil report <audit-id> --format pdf
Config
Persistent settings live in ~/.config/virgil/config.json:
virgil config show
virgil config set default_fail_on=high
virgil config set default_post_scan_view=ask_virgil # triage | report | surface | ask_virgil
virgil config unset default_fail_on
virgil config path
Resolution order for each setting: env var → config file → built-in default.
CI integration
virgil scan . --fail-on critical # exits 1 on any Critical
virgil scan . --fail-on high # exits 1 on Critical or High
virgil scan . --fail-on never # always exits 0
Exit codes:
| Code | Meaning |
|---|---|
0 |
scan finished, no findings exceeded --fail-on |
1 |
scan finished, findings exceed the configured threshold |
2 |
the audit itself failed (clone error, scanner crash, etc.) |
3 |
could not reach the Virgil API |
Environment
| Variable | Default | What it does |
|---|---|---|
VIRGIL_TOKEN |
— | API token (overrides the one saved by virgil login). |
VIRGIL_FAIL_ON |
critical |
Default --fail-on threshold for virgil scan. |
VIRGIL_SHOW |
triage |
Default --show surface after virgil scan (triage / report / surface / ask_virgil). |
VIRGIL_CONFIG_DIR |
~/.config/virgil |
Override the config directory. |
What the output looks like
$ virgil scan .
bundle /work/myrepo → zip → submit
┌─ [ virgil ] ───────────────────────────────────────────────────────────────┐
│ audit_id c9b1… │
│ source scan.zip │
│ state succeeded phase=completed │
└────────────────────────────────────────────────────────────────────────────┘
CRIT HIGH MED LOW INFO KEV unreach
2 7 14 6 3 1 19
╭─ [ fix.this_week() · ranked ] ─────────────────────────────────────────────╮
│ #01 [ CRIT ] Hard-coded AWS access key in source ×3 │
│ Critical credential exposure with CISA-KEV-adjacent risk profile… │
│ #02 [ HIGH ] SQL injection via raw query helper ×12 │
│ 12 callsites share src/db/query.py — fix the helper, not callsites. │
╰────────────────────────────────────────────────────────────────────────────╯
License
Apache-2.0.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file virgilhq-0.6.0.tar.gz.
File metadata
- Download URL: virgilhq-0.6.0.tar.gz
- Upload date:
- Size: 22.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bf8d8e06a0a6a33fe1a95784eb07e8758e066b93a462cdbf2b7a500c6c0ab693
|
|
| MD5 |
84c3d0f84d1be836520cbfa709262907
|
|
| BLAKE2b-256 |
870808f60fa460bd80e14e6b4d70439b87ba20ffdb5ebc9087e9a207eac42d1f
|
Provenance
The following attestation bundles were made for virgilhq-0.6.0.tar.gz:
Publisher:
publish-cli.yml on ayaanmaliksgithub/virgil
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
virgilhq-0.6.0.tar.gz -
Subject digest:
bf8d8e06a0a6a33fe1a95784eb07e8758e066b93a462cdbf2b7a500c6c0ab693 - Sigstore transparency entry: 2143103616
- Sigstore integration time:
-
Permalink:
ayaanmaliksgithub/virgil@aef2c6c14a990cbb752a8b340677b2235ba6ab8b -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/ayaanmaliksgithub
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-cli.yml@aef2c6c14a990cbb752a8b340677b2235ba6ab8b -
Trigger Event:
release
-
Statement type:
File details
Details for the file virgilhq-0.6.0-py3-none-any.whl.
File metadata
- Download URL: virgilhq-0.6.0-py3-none-any.whl
- Upload date:
- Size: 24.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
208fc59d243358de53bb813f963d4b8aa4acf52dc288f6149633605a27720e28
|
|
| MD5 |
960260b267f8bb268119023a3483c7ac
|
|
| BLAKE2b-256 |
6ac3f9618bc5ade48b0cff7e73ddb4f0a1cdd8a2650c508921b09758e2e54b96
|
Provenance
The following attestation bundles were made for virgilhq-0.6.0-py3-none-any.whl:
Publisher:
publish-cli.yml on ayaanmaliksgithub/virgil
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
virgilhq-0.6.0-py3-none-any.whl -
Subject digest:
208fc59d243358de53bb813f963d4b8aa4acf52dc288f6149633605a27720e28 - Sigstore transparency entry: 2143103634
- Sigstore integration time:
-
Permalink:
ayaanmaliksgithub/virgil@aef2c6c14a990cbb752a8b340677b2235ba6ab8b -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/ayaanmaliksgithub
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-cli.yml@aef2c6c14a990cbb752a8b340677b2235ba6ab8b -
Trigger Event:
release
-
Statement type: