
GitHub App

The Vygl GitHub App grants access to selected repositories without requiring personal access tokens. Once installed, Vygl receives webhook events for pushes and pull requests, runs scans automatically, and can post finding summaries directly on PRs.

  1. Open Settings → Connections in Vygl.

  2. Click Install on GitHub. You’re redirected to GitHub’s app-install page.

  3. Select the account. Pick the user or organization that owns the repositories.

  4. Choose repositories. Select all repositories or pick a subset. You can change this later from your GitHub org’s app settings.

  5. Approve. GitHub redirects back to Vygl, which stores the installation ID together with the OAuth token.

After installation, Vygl discovers your repositories; pick which ones to scan from the Connections tab. Webhook events are delivered through the app installation itself, so no per-repository webhook has to be created or maintained.

The Vygl GitHub App requests:

| Permission | Why |
| --- | --- |
| Contents: Read | Clone the repository for scanning |
| Metadata: Read | Discover branches and commit metadata |
| Pull requests: Write | Post finding-summary comments on PRs |
| Checks: Write | Report the scan result as a check run on the commit (so branch protection can require passing scans) |

Unlike a classic personal access token, which carries its owner's access to every repository the account can reach, a GitHub App installation is scoped to the repositories you explicitly select, and the permissions above apply only there.

  1. GitHub delivers a webhook to Vygl. Vygl verifies the HMAC-SHA256 signature in the X-Hub-Signature-256 header against the installation's webhook secret; unsigned or mis-signed requests are rejected before the payload is processed.
  2. Vygl clones the repository at the new commit (--depth 1, which fetches only the tree at that commit rather than the full history).
  3. The four scan engines run server-side.
  4. Findings are written to the dashboard, deduplicated against past scans.
  5. For pull requests, Vygl posts (or updates) the summary comment and reports the result as a check on the commit. See PR / MR Comments.

Each repository can specify a branch filter regex. The filter is applied to the branch name (the ref with its refs/heads/ prefix removed); pushes to branches that don't match are skipped. This is useful for repositories with high commit volume on feature branches. Anchor the pattern to the whole name, otherwise a filter such as main also matches not-main.

Configure this on the repository’s row in Settings → Connections.
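The webhook handling described in the numbered steps above and the branch filter, as an added example of how the receiving side is typically implemented (this is illustrative code, not Vygl's own, and assumes a hypothetical handler `handle_push` with a constructed secret and push payload). It verifies X-Hub-Signature-256 over the raw body with a constant-time comparison before parsing any JSON, rejects unsigned or mis-signed deliveries, strips the refs/heads/ prefix, and applies the filter with a full match so an unanchored pattern cannot widen what gets scanned:

```python
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed webhook secret and push payload for the example; not real values.
WEBHOOK_SECRET = b"example-webhook-secret"
SAMPLE_PUSH_BODY = json.dumps({
    "ref": "refs/heads/feature/login-form",
    "after": "0123456789abcdef0123456789abcdef01234567",
    "repository": {"full_name": "example-org/example-repo"},
}).encode()


def sign_body(secret: bytes, body: bytes) -> str:
    """Produce the value GitHub puts in X-Hub-Signature-256 for a given body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check X-Hub-Signature-256 against the raw request body.

    Missing headers and mismatched MACs are both rejected. compare_digest is
    constant-time, so response timing leaks nothing about the expected digest.
    Both sides are encoded to bytes so a non-ASCII header cannot raise here.
    """
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode(), header.encode())


def branch_from_ref(ref: str) -> Optional[str]:
    """'refs/heads/main' -> 'main'; tag pushes and other refs return None."""
    prefix = "refs/heads/"
    return ref[len(prefix):] if ref.startswith(prefix) else None


def branch_matches(branch: Optional[str], branch_filter: Optional[str]) -> bool:
    """Apply the repository's branch filter regex to the pushed branch.

    fullmatch() is deliberate: with search(), a filter of 'main' would also
    match 'not-main' or 'maintenance' and silently widen what gets scanned.
    """
    if branch is None:
        return False
    if not branch_filter:
        return True  # no filter configured: every branch push is scanned
    return re.fullmatch(branch_filter, branch) is not None


def handle_push(headers: dict, body: bytes, secret: bytes,
                branch_filter: Optional[str] = None) -> tuple:
    """Decide what to do with one incoming delivery (hypothetical handler).

    Returns ("rejected", reason), ("ignored", event_name),
    ("skipped", branch) or ("scan", branch, commit_sha).
    The signature is checked over the raw bytes before json.loads runs, so
    an unsigned or tampered body never reaches the parser.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return ("rejected", "bad or missing signature")
    event_name = headers.get("X-GitHub-Event")
    if event_name != "push":
        return ("ignored", event_name)
    event = json.loads(body)
    branch = branch_from_ref(event.get("ref", ""))
    if not branch_matches(branch, branch_filter):
        return ("skipped", branch)
    return ("scan", branch, event["after"])


if __name__ == "__main__":
    good = {"X-GitHub-Event": "push",
            "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_PUSH_BODY)}
    print(handle_push(good, SAMPLE_PUSH_BODY, WEBHOOK_SECRET))                      # scan
    print(handle_push(good, SAMPLE_PUSH_BODY, WEBHOOK_SECRET, r"main|release/.*"))  # skipped
    print(handle_push({**good, "X-Hub-Signature-256": "sha256=" + "0" * 64},
                      SAMPLE_PUSH_BODY, WEBHOOK_SECRET))                           # rejected
```

Two details matter in practice: the MAC must be computed over the exact bytes received, not over a re-serialised copy of the parsed JSON (whitespace and key order differences would break it), and the signature check has to happen before anything else touches the body, so a forged delivery can never trigger a clone of someone else's repository.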

GitHub Enterprise Server is supported. The OAuth and webhook flow is identical; the only difference is the API base URL, which Vygl reads from the app installation metadata.

Uninstall the app from GitHub at any time (your org's GitHub Settings → Installed Apps). Webhook events stop immediately and GitHub invalidates the installation's access tokens. Existing scans and findings remain in Vygl; remove the connection in Settings → Connections to take the integration off the Connections list.