Skip to main content

CLI for Virgil — self-hosted security audit with the triage built in. Real scanners + clustering + LLM priority queue + code-grounded chat. Installs as `virgil` on your PATH.

Project description

virgil

Terminal client for Virgil — self-hosted security audit with the triage built in. Real scanners + clustering + LLM priority queue + code-grounded chat.

The CLI is a thin shell over a running Virgil API. It bundles your working directory, submits a scan, streams progress, and prints the ranked findings with CI-friendly exit codes.

Install

virgil is a CLI tool, so the right installer is pipx — it puts the binary on your $PATH and isolates the dependencies from your system Python:

pipx install virgilhq

Don't have pipx yet? Either install it once, or fall back to user-mode pip:

# macOS
brew install pipx && pipx ensurepath

# Linux / other
python3 -m pip install --user pipx && pipx ensurepath

# Fallback if you don't want pipx at all:
python3 -m pip install --user virgilhq

The PyPI package is virgilhq (the bare virgil name was already taken). The command on your $PATH is still just virgil.

Why pipx and not pip install? Modern Python distributions (Homebrew Python, Debian/Ubuntu's python3, etc.) mark the system interpreter as externally managed per PEP 668 — a bare pip install errors out. pipx quietly handles the venv for you, which is what you want for CLI tools anyway: each one gets its own isolated environment so a virgil upgrade can't break some other tool.

You'll also need a running Virgil instance. The standard self-hosted setup is docker compose up from the main repo — takes about a minute the first time. The CLI's defaults (http://localhost:8000 for the API, http://localhost:3000 for the web app) match that setup exactly, so no config is needed.

If you're pointing at a remote Virgil instead:

virgil config set api_url=https://virgil.example.com/api
virgil config set web_url=https://virgil.example.com

Usage

# Scan and land on triage (counts → ranked clusters → next-steps hint).
virgil scan .                                 # local directory
virgil scan                                   # …also defaults to the cwd
virgil scan github.com/OWASP/NodeGoat         # remote, bare host
virgil scan OWASP/NodeGoat                    # remote, GitHub shorthand
virgil scan https://github.com/OWASP/NodeGoat # remote, full URL

# Land on a different surface after the scan finishes.
virgil scan . --show report                   # exec narrative
virgil scan . --show surface                  # languages / frameworks / IaC profile
virgil scan . --show ask_virgil               # drop into the chat REPL pre-flighted

# PR mode — only flag findings on lines changed between two SHAs.
virgil scan . --base-sha abc1234 --head-sha def5678

# Don't wait for the scan to finish; print the audit ID and return.
virgil scan . --no-wait

# After a scan, drill in:
virgil clusters <audit-id>               # every cluster, sorted by severity
virgil clusters <audit-id> --sev high    # filter
virgil cluster  <audit-id> <key>         # one cluster in detail (prefix match ok)
virgil findings <audit-id>               # raw findings table
virgil chat     <audit-id>               # interactive Q&A grounded in this audit
virgil chat     <audit-id> -m "what's the worst finding?"   # one-shot
virgil open     <audit-id>               # launch the web app on the triage tab
virgil open     <audit-id> --page chat   # …or chat / findings / report / attack-surface
virgil status   <audit-id>

# Reports in any supported format.
virgil report <audit-id> --format md
virgil report <audit-id> --format sarif -o findings.sarif
virgil report <audit-id> --format json
virgil report <audit-id> --format pdf

Config

Persistent settings live in ~/.config/virgil/config.json:

virgil config show
virgil config set api_url=https://virgil.example.com/api
virgil config set web_url=https://virgil.example.com
virgil config set default_fail_on=high
virgil config set default_post_scan_view=ask_virgil     # triage | report | surface | ask_virgil
virgil config unset default_fail_on
virgil config path

Resolution order for each setting: env var → config file → built-in default.

CI integration

virgil scan . --fail-on critical     # exits 1 on any Critical
virgil scan . --fail-on high         # exits 1 on Critical or High
virgil scan . --fail-on never        # always exits 0

Exit codes:

Code Meaning
0 scan finished, no findings exceeded --fail-on
1 scan finished, findings exceed the configured threshold
2 the audit itself failed (clone error, scanner crash, etc.)
3 could not reach the Virgil API

Environment

Variable Default What it does
VIRGIL_API http://localhost:8000 API base URL.
VIRGIL_WEB http://localhost:3000 Web app base URL used by virgil open.
VIRGIL_FAIL_ON critical Default --fail-on threshold for virgil scan.
VIRGIL_SHOW triage Default --show surface after virgil scan (triage / report / surface / ask_virgil).
VIRGIL_CONFIG_DIR ~/.config/virgil Override the config directory.

What the output looks like

$ virgil scan .
bundle /work/myrepo → zip → submit
┌─ [ virgil ] ───────────────────────────────────────────────────────────────┐
│ audit_id  c9b1…                                                            │
│ source    scan.zip                                                         │
│ state     succeeded  phase=completed                                       │
└────────────────────────────────────────────────────────────────────────────┘

 CRIT  HIGH  MED   LOW   INFO  KEV  unreach
   2     7    14    6     3     1     19

╭─ [ fix.this_week() · ranked ] ─────────────────────────────────────────────╮
│ #01 [ CRIT ]  Hard-coded AWS access key in source  ×3                      │
│      Critical credential exposure with CISA-KEV-adjacent risk profile…     │
│ #02 [ HIGH ]  SQL injection via raw query helper  ×12                      │
│      12 callsites share src/db/query.py — fix the helper, not callsites.   │
╰────────────────────────────────────────────────────────────────────────────╯

License

Apache-2.0. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

virgilhq-0.3.1.tar.gz (20.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

virgilhq-0.3.1-py3-none-any.whl (22.3 kB view details)

Uploaded Python 3

File details

Details for the file virgilhq-0.3.1.tar.gz.

File metadata

  • Download URL: virgilhq-0.3.1.tar.gz
  • Upload date:
  • Size: 20.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for virgilhq-0.3.1.tar.gz
Algorithm Hash digest
SHA256 1a1723a311d15dc49395a4badd6370b402257daad5b0609f510f16a14e25ce0f
MD5 551e15447653da1e9ac36846cd5b1b81
BLAKE2b-256 3f933feeca2534c8c9f948a99e9b7c9d0af6f1b7477f16307758aea1f8d369e1

See more details on using hashes here.

Provenance

The following attestation bundles were made for virgilhq-0.3.1.tar.gz:

Publisher: publish-cli.yml on ayaanmaliksgithub/virgil

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file virgilhq-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: virgilhq-0.3.1-py3-none-any.whl
  • Upload date:
  • Size: 22.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for virgilhq-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 bbdeb54dedfc635f88f3faf97bdf79d3d2cb2b42ac7725b23c89ed5bd761a715
MD5 91c37c38b92209b920474c65d59d00f3
BLAKE2b-256 87f1e05d1e5b7b62a6386040312659f8e77a4f5c6b8efc38f9bad7ffad94dd4d

See more details on using hashes here.

Provenance

The following attestation bundles were made for virgilhq-0.3.1-py3-none-any.whl:

Publisher: publish-cli.yml on ayaanmaliksgithub/virgil

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page