A Burp Suite extension that bridges HTTP requests to the Vigolium server-side security scanning engine. Captures requests from Burp, forwards them to Vigolium's API for vulnerability scanning, and displays findings directly in Burp.
- GitHub: github.com/vigolium/vigolium
- Docs: docs.vigolium.com
- Site: www.vigolium.com

```
Burp Suite ──► Vigolium Extension ──► Vigolium API Server ──► Scan Engine
                        ▲                        │
                        └── Poll Findings ◄──────┘
```

- Proxy Mode — Automatically forwards proxy traffic to Vigolium with configurable filter rules
- Context Menu — Right-click "Send to Vigolium" from any Burp tool (Proxy History, Site Map, Repeater, etc.)
- Findings Tab — Displays scan results with severity, request/response detail via Burp's message editor
- Logs Tab — Real-time activity log with level filtering

| Tab | Purpose |
|---|---|
| Findings | Split pane: findings table + request/response detail |
| Settings | Server connection, proxy toggle, filter rules, hotkeys |
| Logs | Timestamped activity log (INFO/WARN/ERROR) |

| Component | Choice |
|---|---|
| Burp API | Montoya API |
| Build | Gradle (Kotlin DSL) + Shadow plugin |
| Java | 21 |
| HTTP Client | OkHttp |
| JSON | Gson |

Download the pre-built jar from burp-vigolium.jar and load it in Burp via Extensions > Add.

To build from source instead:

```
./gradlew spotlessApply build
```

The output jar is built via the Shadow plugin at `build/libs/burp-vigolium.jar`.

First, start the Vigolium server so the extension has an API to connect to:

```
vigolium server -A
```

Then retrieve the API key to enter in the extension:

```
vigolium config ls server.auth_api_key --force
```

| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/health` | Connection test |
| POST | `/api/scan` | Submit batch scan tasks |
| GET | `/api/modules` | List scan modules |
| GET | `/api/findings?session_id=X&since=T` | Poll new findings |

All requests use `Authorization: Bearer {API_KEY}`.
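
The following added example, which is not code from the Vigolium project, builds the authenticated `GET /api/health` and `GET /api/findings` requests listed above and refuses to attach the bearer key to a plain-HTTP request for a non-loopback host. The base URL and port, the `VIGOLIUM_API_KEY` variable name, and the treatment of `session_id` and `since` as opaque strings are assumptions.

```python
import os
import urllib.parse
import urllib.request

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def build_request(base_url, api_key, path, params=None, allow_cleartext=False):
    """Build an authenticated GET request for one of the documented endpoints."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("base_url must be an http(s) URL with a host")
    # Over plain HTTP the bearer key is readable on the wire, so only
    # loopback servers are allowed unless the caller opts in explicitly.
    if (parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS
            and not allow_cleartext):
        raise ValueError("refusing to send API key over plain HTTP to a remote host")
    # Reject empty keys and CR/LF, which would corrupt the header block.
    if not api_key or "\r" in api_key or "\n" in api_key:
        raise ValueError("empty or malformed API key")
    # urlencode escapes '&' and '=' so a value cannot add extra parameters.
    query = urllib.parse.urlencode(params or {})
    full_path = parts.path.rstrip("/") + path
    url = urllib.parse.urlunsplit((parts.scheme, parts.netloc, full_path, query, ""))
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


def health_request(base_url, api_key):
    return build_request(base_url, api_key, "/api/health")


def findings_request(base_url, api_key, session_id, since):
    # session_id and since are passed through as opaque strings (assumption).
    return build_request(base_url, api_key, "/api/findings",
                         {"session_id": session_id, "since": since})


if __name__ == "__main__":
    # Constructed values: the port and the environment variable name are
    # placeholders, not defaults taken from the project.
    key = os.environ.get("VIGOLIUM_API_KEY", "constructed-example-key")
    req = findings_request("http://127.0.0.1:9002", key, "session-1", "0")
    print(req.get_method(), req.full_url)
```
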
Vigolium is made with ♥ by @j3ssie, with @theblackturtle as a core contributor.

