GitLab Integration

Authorize Vygl on GitLab.com or your self-hosted GitLab instance to discover projects, register webhooks, and post merge-request comments. The integration uses standard OAuth 2.0 with automatic token refresh.

  1. Open Settings → Connections in Vygl.

  2. Click Connect GitLab. You’re redirected to GitLab’s authorization page.

  3. Authorize. Approve the requested scopes — read_api and write_repository.

  4. Pick projects. GitLab redirects back to Vygl. Select the projects you want scanned.

Webhooks register automatically. Pushes and merge requests trigger scans.

| Scope | Why |
| --- | --- |
| read_api | Read project metadata, list branches, fetch source for scanning |
| write_repository | Post comments on merge requests, set commit pipeline status |

GitLab tokens have expiries; Vygl refreshes them transparently in the background.

  1. GitLab fires a webhook with the push/MR event. Vygl verifies the HMAC signature.
  2. Vygl clones the project at the new commit.
  3. Scan engines run server-side.
  4. Findings appear in the dashboard, deduplicated against history.
  5. For merge requests, Vygl posts (or updates) the summary comment and pipeline status.

Each project can specify a branch filter regex. Merge-request scans always run; push scans on non-matching branches are skipped.
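The signature check in step 1 and the branch-filter rule above, sketched as an added example (not Vygl's code). Assumptions: the signature is a hex HMAC-SHA256 over the raw request body, the filter must match the whole branch name, and all function names are hypothetical; `object_kind` and `ref` are fields of GitLab's webhook payloads.

```python
import hashlib
import hmac
import json
import re

def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received (assumed signature scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, raw_body: bytes, signature_hex: str) -> bool:
    # Verify against the raw bytes, before any JSON parsing, and compare in
    # constant time so a mismatch does not leak how many characters matched.
    presented = signature_hex.strip().lower().encode()
    return hmac.compare_digest(sign(secret, raw_body).encode(), presented)

def should_scan(event: dict, branch_filter: str) -> bool:
    kind = event.get("object_kind")
    if kind == "merge_request":
        return True                      # merge-request scans always run
    if kind != "push":
        return False                     # other event kinds are ignored here
    branch = str(event.get("ref", "")).removeprefix("refs/heads/")
    # Assumption: the filter must match the whole branch name, so "main"
    # does not also admit "main-backup".
    return re.fullmatch(branch_filter, branch) is not None

def handle_webhook(secret, raw_body, signature_hex, branch_filter) -> str:
    if not verify_signature(secret, raw_body, signature_hex):
        return "rejected"                # never parse unauthenticated input
    try:
        event = json.loads(raw_body)
    except ValueError:
        return "rejected"
    if not isinstance(event, dict):
        return "rejected"
    return "scan" if should_scan(event, branch_filter) else "skipped"

# Constructed sample data, not real GitLab deliveries.
SECRET = b"constructed-webhook-secret"
FILTER = r"main|release/.*"
PUSH_MAIN = json.dumps({"object_kind": "push", "ref": "refs/heads/main"}).encode()
PUSH_FEATURE = json.dumps({"object_kind": "push", "ref": "refs/heads/feature/x"}).encode()
MERGE_REQUEST = json.dumps({"object_kind": "merge_request"}).encode()

if __name__ == "__main__":
    for body in (PUSH_MAIN, PUSH_FEATURE, MERGE_REQUEST):
        print(handle_webhook(SECRET, body, sign(SECRET, body), FILTER))
    # A body altered after signing fails verification.
    print(handle_webhook(SECRET, PUSH_FEATURE, sign(SECRET, PUSH_MAIN), FILTER))
```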

Self-hosted GitLab Community and Enterprise editions both work. The integration reads the API base URL from your OAuth app configuration; nothing additional is needed beyond pointing the OAuth back to your instance.

Revoke from GitLab (User Settings → Applications) at any time. Webhook events stop immediately. Existing data is retained — remove the connection in Vygl’s Settings → Connections to stop showing the integration.