Introduction
Vygl is a security scanning platform that finds vulnerabilities in your code, dependencies, secrets, infrastructure-as-code, and container images. Scans run locally — in your developer environment or CI runner — and only findings metadata is pushed to the cloud. Source code never leaves your environment.
What Vygl scans
- Static analysis (SAST) — SQL injection, XSS, command injection, insecure crypto, and other code-level vulnerabilities, via OpenGrep with community rules and your own custom rules.
- Supply chain (SCA) — direct and transitive dependencies checked against the OSV vulnerability database. Supports Python, Node.js, Go, Ruby, Rust, PHP, and Java.
- Secrets — hardcoded API keys, passwords, tokens, and private keys via Gitleaks (600+ built-in patterns) plus Vygl’s custom rules.
- Infrastructure-as-code (IaC) — Terraform, Dockerfile, Kubernetes, and CloudFormation misconfigurations via Checkov.
- Container images — OS package CVEs and embedded application dependencies, scanned layer by layer.
How it works
The Vygl CLI runs every scan engine locally on your code. Only the resulting findings metadata — rule IDs, file paths, line numbers, normalized snippets — is sent to the dashboard. The platform deduplicates findings by fingerprint, preserves triage state across scans, can run AI verification on potential false positives, and routes notifications to Slack, Microsoft Teams, email, generic webhooks, or as PR comments on your repository.
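As an added illustration of the deduplicate-by-fingerprint idea (example code, not Vygl's own implementation; the hashing scheme, field names and sample findings are assumptions), here is a fingerprint built from rule ID, path and normalized snippet but not the line number, so a finding keeps its triage state when surrounding code moves:

```python
import hashlib
import re

# Constructed sample findings shaped like the metadata listed above
# (rule ID, file path, line number, snippet). Field names are assumptions.
FINDINGS_SCAN_1 = [
    {"rule_id": "python.sqli.format-string", "path": "app/db.py", "line": 42,
     "snippet": 'cursor.execute("SELECT * FROM users WHERE id = %s" % user_id)'},
    {"rule_id": "secrets.generic-api-key", "path": "config.py", "line": 7,
     "snippet": 'API_KEY = "CONSTRUCTED_PLACEHOLDER_KEY"'},
]
# Same repository after an unrelated edit pushed app/db.py down ten lines and
# changed the snippet's whitespace; the hardcoded key was removed.
FINDINGS_SCAN_2 = [
    {"rule_id": "python.sqli.format-string", "path": "app/db.py", "line": 52,
     "snippet": '    cursor.execute("SELECT * FROM users WHERE id = %s"   % user_id)'},
]


def normalize_snippet(snippet: str) -> str:
    """Collapse whitespace so cosmetic edits do not change the fingerprint."""
    return re.sub(r"\s+", " ", snippet).strip()


def fingerprint(finding: dict) -> str:
    """Stable identity: rule + path + normalized snippet (hypothetical scheme).

    The line number is deliberately left out so the identity survives code
    moving within the file.
    """
    material = "\n".join([finding["rule_id"], finding["path"],
                          normalize_snippet(finding["snippet"])])
    return hashlib.sha256(material.encode()).hexdigest()


def reconcile(previous: dict, scan: list) -> dict:
    """Merge a new scan into stored state keyed by fingerprint.

    Findings seen again inherit their earlier triage decision; findings that
    no longer appear are kept but marked resolved.
    """
    state = {}
    for f in scan:
        fp = fingerprint(f)
        old = previous.get(fp, {})
        state[fp] = {"rule_id": f["rule_id"], "path": f["path"], "line": f["line"],
                     "snippet": normalize_snippet(f["snippet"]),
                     "triage": old.get("triage", "open"), "status": "present"}
    for fp, old in previous.items():
        if fp not in state:
            state[fp] = {**old, "status": "resolved"}
    return state
```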
Where to go next
- Quickstart — Pull the CLI, scan a local directory, push findings to the dashboard — five minutes.
- Connect your repository — Install the GitHub App, GitLab, or Bitbucket integration for automatic scans and PR comments.
- Add Vygl to CI/CD — Drop-in pipeline configs for GitHub Actions, GitLab CI, Bitbucket, and Docker.
- Triage findings with AI — Verify true positives automatically, write organizational memory, and chat about your security posture.