Connecting Your Code
Vygl scans code three ways. Pick the one that matches how your team works:
Managed SCM integration (recommended)
Install the Vygl GitHub App or authorize the GitLab / Bitbucket OAuth integration. Once connected, Vygl receives webhook events for pushes and pull requests, runs scans automatically, and can post finding summaries directly on PRs.
Best for: teams that want the whole flow automated end-to-end.
Setup: one click, browser OAuth, repository selection. No CI configuration required (though you can still add CI as a second layer for offline scans).
CI pipeline + API key
Add a single vygl scan step to your CI pipeline (GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins, anything with Docker). The CLI auto-detects the branch, commit, and repo URL from the CI environment and pushes findings to the dashboard. Pair it with a Git Token to enable PR comments.
Best for: teams already running CI workflows, or those who can’t (yet) install an SCM app.
Setup: copy a config snippet into .github/workflows/, .gitlab-ci.yml, or your equivalent. Add VYGL_API_KEY as a CI secret.
Local CLI (no SCM at all)
Run vygl scan from a developer laptop or any environment with Docker. The CLI works offline (--no-upload) for evaluation, or with an API key to push results to the dashboard.
Best for: evaluation, ad-hoc audits, monorepos that span multiple SCM providers, repos that aren’t pushed anywhere yet.
Combining approaches
The three approaches compose. A common pattern:
- Managed SCM integration for automatic scans and PR comments on every push.
- CI pipeline as a second layer for stricter gates (e.g. block merges based on severity) or for compliance archives.
- Local CLI for developer pre-commit scans (--no-upload keeps results local).