Skip to content

Connecting Your Code

Vygl scans code three ways. Pick one — these are alternative ways to trigger scans, not stages you need to combine. Most teams only ever use one.

Managed SCMCI/CD pipelineLocal CLI
Where scans runVygl’s servers (clones your repo)Your CI runner (your code stays put)Your laptop
What triggers a scanGitHub/GitLab/Bitbucket webhooks (every push & PR)Your pipeline (every build)You, manually
SetupOne click — install an App / OAuthAdd a step to .github/workflows/, .gitlab-ci.yml, etc.docker pull
PR / MR comments✓ Built in✓ With a Git Token
Blocks merges via CI status✓ Commit status check✓ Pipeline exit code
Source code leaves your env?✓ Cloned to Vygl✗ Stays in your runner✗ Stays local

If your code is on GitHub.com, GitLab (Cloud or self-hosted), or Bitbucket Cloud, managed SCM is the simplest path — same automation, less wiring. CI/CD is the right pick when your runners must do the cloning (private network, Bitbucket Server / GitHub Enterprise Server, regulated environments).

Install the Vygl GitHub App or authorize the GitLab / Bitbucket OAuth integration. Once connected, Vygl receives webhook events for pushes and pull requests, runs scans automatically, and can post finding summaries directly on PRs.

Best for: teams on GitHub.com, GitLab (Cloud or self-hosted), or Bitbucket Cloud that want the whole flow automated end-to-end.

Setup: one click, browser OAuth, repository selection. No CI configuration required.

Add a single vygl scan step to your CI pipeline (GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins, anything with Docker). The CLI auto-detects branch, commit, and repo URL from the CI environment and pushes findings to the dashboard. Pair it with a Git Token to enable PR comments.

Best for: self-hosted SCMs that aren’t on the managed-OAuth path (Bitbucket Server, GitHub Enterprise Server), private-network repos that Vygl can’t reach, or teams who’d rather drive scans from their own runner. Also fine if you simply prefer it — the dashboard experience is identical.

Setup: copy a config snippet into .github/workflows/, .gitlab-ci.yml, or your equivalent. Add VYGL_API_KEY as a CI secret.

Run vygl scan from a developer laptop or any environment with Docker. The CLI works offline (--no-upload) for evaluation, or with an API key to push results to the dashboard.

Best for: evaluation, ad-hoc audits, monorepos that span multiple SCM providers, repos that aren’t pushed anywhere yet.

Once a provider is connected, Settings → Connections lists every connection and, beneath it, an Enabled repositories table of the repositories Vygl scans.

  1. Open Settings → Connections.
  2. Find the repository in the Enabled repositories table.
  3. Click its disable (trash) action.

Vygl stops scanning that repository on future pushes and pull requests. The SCM connection itself stays intact, and the repository’s existing scans and findings are kept — you can re-enable it any time from the Add Repository dialog on the Projects page.

  1. Open Settings → Connections.
  2. Click the disconnect (unplug) action on the connection and confirm.

The connection is removed and webhooks for every repository under it are torn down — no more managed scans from that provider.

No. Pick one. The three approaches can coexist, but for almost every team a single approach is enough:

  • Managed SCM already scans every push and PR, posts comments, and gates merges via commit status — there’s no separate “CI gate” you need to add.
  • CI/CD already runs on every push and PR (because your pipeline does), and --fail-on blocks the merge via the pipeline’s exit code.

The only time it makes sense to layer them is the local CLI alongside one of the cloud paths — running vygl scan --no-upload on a developer laptop for a fast pre-commit check, while managed SCM or CI handles the authoritative scan on push. That’s the only “combining” pattern most teams will ever need.