Skip to content

GitHub App

The Vygl GitHub App grants access to selected repositories without requiring personal access tokens. Once installed, Vygl receives webhook events for pushes and pull requests, runs scans automatically, and can post finding summaries directly on PRs.

  1. Open Settings → Connections in Vygl.

  2. Click Install on GitHub. You’re redirected to GitHub’s app-install page.

  3. Select the account. Pick the user or organization that owns the repositories.

  4. Choose repositories. Select all repositories or pick a subset. You can change this later from your GitHub org’s app settings.

  5. Approve. GitHub redirects back to Vygl and stores the installation ID. Vygl mints short-lived installation access tokens on demand from the App’s private key — no long-lived OAuth token is ever persisted.

After installation, Vygl discovers your repositories — pick which ones to scan from the Connections tab. Webhooks register automatically.

The Vygl GitHub App requests:

PermissionWhy
Contents: ReadClone the repository for scanning
Metadata: ReadDiscover branches and commit metadata
Pull requests: WritePost finding-summary comments on PRs
Commit statuses: WritePost commit status (so branch protection can require passing scans)

GitHub treats apps differently from personal access tokens — these permissions apply only to the repositories you explicitly select.

  1. GitHub fires a webhook to Vygl. Vygl verifies the HMAC signature; unsigned or mis-signed requests are rejected.
  2. Vygl clones the repository at the new commit (--depth 1 for efficiency).
  3. The four scan engines run server-side.
  4. Findings are written to the dashboard, deduplicated against past scans.
  5. For pull requests, Vygl posts (or updates) the summary comment and writes commit status. See PR / MR Comments.

Each repository’s scan_config.branches list filters which branch pushes trigger a scan. Patterns are glob (fnmatch) — e.g. main, release/*, * (default). PR scans always run regardless of the filter.

Today the filter has no UI — set it via the API by patching the repository’s scan_config. A connection-tab control is on the roadmap.

The managed App flow is github.com-only today — installation tokens are minted against https://api.github.com. To scan code on GitHub Enterprise Server, use the CI + Git-token flow: the token’s API base URL is derived from your project’s repository URL (https://<your-ghes-host>/api/v3/...).

Teardown has two independent halves — do both for a clean removal:

  • In Vygl — disable a single repository, or disconnect the whole provider, from Settings → Connections. See Managing connected repositories.
  • On GitHub — uninstall the app (your org’s GitHub Settings → Installed Apps). Webhook events stop immediately.

Doing only one leaves the other half live: removing the Vygl connection but leaving the App installed is harmless but untidy; uninstalling on GitHub but leaving the connection leaves a dead connection row. Existing scans and findings remain in Vygl either way.