Skip to main content

CLI for Virgil — self-hosted security audit with the triage built in. Real scanners + clustering + LLM priority queue + code-grounded chat. Installs as `virgil` on your PATH.

Project description

virgil

Terminal client for Virgil — self-hosted security audit with the triage built in. Real scanners + clustering + LLM priority queue + code-grounded chat.

The CLI is a thin shell over a running Virgil API. It bundles your working directory, submits a scan, streams progress, and prints the ranked findings with CI-friendly exit codes.

Install

pip install virgilhq        # or: pipx install virgilhq

The PyPI package is virgilhq (the bare virgil name was already taken). The command on your $PATH is still just virgil.

You'll also need a running Virgil instance. The standard self-hosted setup is docker compose up from the main repo — takes about a minute the first time.

Usage

# Scan and land on triage (counts → ranked clusters → next-steps hint).
virgil scan .

# Or land on a different surface after the scan finishes.
virgil scan . --show report        # exec narrative
virgil scan . --show surface       # languages / frameworks / IaC profile
virgil scan . --show ask_virgil    # drop into the chat REPL pre-flighted

# Scan a GitHub URL instead of a local path.
virgil scan --url https://github.com/OWASP/NodeGoat

# PR mode — only flag findings on lines changed between two SHAs.
virgil scan . --base-sha abc1234 --head-sha def5678

# Don't wait for the scan to finish; print the audit ID and return.
virgil scan . --no-wait

# After a scan, drill in:
virgil clusters <audit-id>               # every cluster, sorted by severity
virgil clusters <audit-id> --sev high    # filter
virgil cluster  <audit-id> <key>         # one cluster in detail (prefix match ok)
virgil findings <audit-id>               # raw findings table
virgil chat     <audit-id>               # interactive Q&A grounded in this audit
virgil chat     <audit-id> -m "what's the worst finding?"   # one-shot
virgil open     <audit-id>               # launch the web app on the triage tab
virgil open     <audit-id> --page chat   # …or chat / findings / report / attack-surface
virgil status   <audit-id>

# Reports in any supported format.
virgil report <audit-id> --format md
virgil report <audit-id> --format sarif -o findings.sarif
virgil report <audit-id> --format json
virgil report <audit-id> --format pdf

Config

Persistent settings live in ~/.config/virgil/config.json:

virgil config show
virgil config set api_url=https://virgil.example.com/api
virgil config set web_url=https://virgil.example.com
virgil config set default_fail_on=high
virgil config set default_post_scan_view=ask_virgil     # triage | report | surface | ask_virgil
virgil config unset default_fail_on
virgil config path

Resolution order for each setting: env var → config file → built-in default.

CI integration

virgil scan . --fail-on critical     # exits 1 on any Critical
virgil scan . --fail-on high         # exits 1 on Critical or High
virgil scan . --fail-on never        # always exits 0

Exit codes:

Code Meaning
0 scan finished, no findings exceeded --fail-on
1 scan finished, findings exceed the configured threshold
2 the audit itself failed (clone error, scanner crash, etc.)
3 could not reach the Virgil API

Environment

Variable Default What it does
VIRGIL_API http://localhost:8000 API base URL.
VIRGIL_WEB http://localhost:3000 Web app base URL used by virgil open.
VIRGIL_FAIL_ON critical Default --fail-on threshold for virgil scan.
VIRGIL_SHOW triage Default --show surface after virgil scan (triage / report / surface / ask_virgil).
VIRGIL_CONFIG_DIR ~/.config/virgil Override the config directory.

What the output looks like

$ virgil scan .
bundle /work/myrepo → zip → submit
┌─ [ virgil ] ───────────────────────────────────────────────────────────────┐
│ audit_id  c9b1…                                                            │
│ source    scan.zip                                                         │
│ state     succeeded  phase=completed                                       │
└────────────────────────────────────────────────────────────────────────────┘

 CRIT  HIGH  MED   LOW   INFO  KEV  unreach
   2     7    14    6     3     1     19

╭─ [ fix.this_week() · ranked ] ─────────────────────────────────────────────╮
│ #01 [ CRIT ]  Hard-coded AWS access key in source  ×3                      │
│      Critical credential exposure with CISA-KEV-adjacent risk profile…     │
│ #02 [ HIGH ]  SQL injection via raw query helper  ×12                      │
│      12 callsites share src/db/query.py — fix the helper, not callsites.   │
╰────────────────────────────────────────────────────────────────────────────╯

License

Apache-2.0. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

virgilhq-0.3.0.tar.gz (18.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

virgilhq-0.3.0-py3-none-any.whl (20.9 kB view details)

Uploaded Python 3

File details

Details for the file virgilhq-0.3.0.tar.gz.

File metadata

  • Download URL: virgilhq-0.3.0.tar.gz
  • Upload date:
  • Size: 18.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for virgilhq-0.3.0.tar.gz
Algorithm Hash digest
SHA256 4ad0c07ee8c217e56297a2bb164cae96dc99c295a24ea2901a6a348c6ddb3678
MD5 d8848d7602ec6d1e5107f11db5a2fa48
BLAKE2b-256 5591bad2e0a5314f297bff3b2626b535702f06eda495df61125fea156730f45a

See more details on using hashes here.

Provenance

The following attestation bundles were made for virgilhq-0.3.0.tar.gz:

Publisher: publish-cli.yml on ayaanmaliksgithub/virgil

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file virgilhq-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: virgilhq-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 20.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for virgilhq-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e9a6ffe03dde009443e529f8839d66c0a633d862551424ecc40b475d2e39d6ca
MD5 d441c29fbeb1ec73afb14d377200015a
BLAKE2b-256 2b39985c63e6a205c6e3d12e3a5f2fee032e0e79584d23e5e151d74f1bad5752

See more details on using hashes here.

Provenance

The following attestation bundles were made for virgilhq-0.3.0-py3-none-any.whl:

Publisher: publish-cli.yml on ayaanmaliksgithub/virgil

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page