AI Consultation (Chat)

AI Consultation is a project-scoped chat: Vygl loads the relevant context (recent scans, findings, dependencies, container vulnerabilities) and you ask whatever you need. Responses stream token-by-token. Suggested triage actions can be applied with one click.

Starting a session

1. Open a project’s detail page.
2. Click the AI Consultation tab.
3. Type your question in the chat input.

The first message either creates a new session or resumes an existing one with matching context. Vygl computes a fingerprint over the project’s data (latest scan, findings counts, dependencies) and reuses sessions when the data hasn’t changed.

What you can ask

Useful prompts:

• “What are my top three risks right now?”
• “Why is this CVE bad? Can I delay fixing it?”
• “Show me unfixed criticals in auth-service.”
• “Which dependencies should I upgrade first?”
• “Are any of these findings reachable from public endpoints?” (best-effort; reachability isn’t fully wired)
• “Mark all findings under tests/fixtures/** as false positive.”

Claude has access to your findings, scans, dependencies, and any organizational memory you’ve configured. It does not have access to your raw source code (only the snippets attached to findings).

Suggested actions

Claude can propose triage actions in the chat — for example: “7 findings under tests/fixtures/ look like documented placeholders. Mark them all false-positive?”

These render as one-click buttons. If you click Apply, Vygl executes the action via the API. The whitelist of allowed actions is narrow:

• mark_findings_false_positive
• mark_findings_ignored
• add_comment

That’s it. Claude can’t open PRs, create Jira tickets, or modify settings — those are intentionally out of reach.

Session lifecycle

Sessions persist. The next time you open the same project’s consultation, your prior chat is there. If the underlying data changes substantially (new scan, lots of new findings), Vygl creates a fresh session so the AI doesn’t reason against stale data.

Container images get their own consultation context too — the AI Analysis tab on an image detail page is the entry point.

Data goes to the LLM

Findings, code snippets, CVE IDs, dependency names, and your org memories are all sent to Claude as context. This is the same data you’ve already trusted to AI verification. If your security policy restricts third-party code analysis, both features should be off in Settings → AI.

Per-project, not cross-project

Each consultation is scoped to one project. “Compare risk across all my projects” isn’t supported today — you’d need to ask the question in each project’s session and consolidate manually.