GitHub App
The Vygl GitHub App grants access to selected repositories without requiring personal access tokens. Once installed, Vygl receives webhook events for pushes and pull requests, runs scans automatically, and can post finding summaries directly on PRs.
Install
Section titled “Install”-
Open Settings → Connections in Vygl.
-
Click Install on GitHub. You’re redirected to GitHub’s app-install page.
-
Select the account. Pick the user or organization that owns the repositories.
-
Choose repositories. Select all repositories or pick a subset. You can change this later from your GitHub org’s app settings.
-
Approve. GitHub redirects back to Vygl and stores the installation ID. Vygl mints short-lived installation access tokens on demand from the App’s private key — no long-lived OAuth token is ever persisted.
After installation, Vygl discovers your repositories — pick which ones to scan from the Connections tab. Webhooks register automatically.
Permissions
Section titled “Permissions”The Vygl GitHub App requests:
| Permission | Why |
|---|---|
| Contents: Read | Clone the repository for scanning |
| Metadata: Read | Discover branches and commit metadata |
| Pull requests: Write | Post finding-summary comments on PRs |
| Commit statuses: Write | Post commit status (so branch protection can require passing scans) |
GitHub treats apps differently from personal access tokens — these permissions apply only to the repositories you explicitly select.
What happens on a push or PR
Section titled “What happens on a push or PR”- GitHub fires a webhook to Vygl. Vygl verifies the HMAC signature; unsigned or mis-signed requests are rejected.
- Vygl clones the repository at the new commit (
--depth 1for efficiency). - The four scan engines run server-side.
- Findings are written to the dashboard, deduplicated against past scans.
- For pull requests, Vygl posts (or updates) the summary comment and writes commit status. See PR / MR Comments.
Branch filtering
Section titled “Branch filtering”Each repository’s scan_config.branches list filters which branch pushes trigger a scan. Patterns are glob (fnmatch) — e.g. main, release/*, * (default). PR scans always run regardless of the filter.
Today the filter has no UI — set it via the API by patching the repository’s scan_config. A connection-tab control is on the roadmap.
Self-hosted GitHub Enterprise
Section titled “Self-hosted GitHub Enterprise”The managed App flow is github.com-only today — installation tokens are minted against https://api.github.com. To scan code on GitHub Enterprise Server, use the CI + Git-token flow: the token’s API base URL is derived from your project’s repository URL (https://<your-ghes-host>/api/v3/...).
Removing access
Section titled “Removing access”Teardown has two independent halves — do both for a clean removal:
- In Vygl — disable a single repository, or disconnect the whole provider, from Settings → Connections. See Managing connected repositories.
- On GitHub — uninstall the app (your org’s GitHub Settings → Installed Apps). Webhook events stop immediately.
Doing only one leaves the other half live: removing the Vygl connection but leaving the App installed is harmless but untidy; uninstalling on GitHub but leaving the connection leaves a dead connection row. Existing scans and findings remain in Vygl either way.