PR / MR Comments

Vygl can post scan summaries on pull requests across GitHub, GitLab, and Bitbucket. The comment includes a severity breakdown, new vs recurring counts, a findings table with deep links back to the dashboard, and AI verdicts where available.

Comments are off by default. Enable them in two steps:

  1. Add a Git Token in Projects → (your project) → Settings. The token is what Vygl uses to post the comment back to your SCM.
  2. Pass --pr <number> to the vygl scan command in CI. The CI snippets in CI/CD Pipelines include the right environment variable for each provider.

| Provider  | Required token & scope |
|-----------|------------------------|
| GitHub    | Personal access token (classic) with repo scope, or fine-grained token with Pull requests: write |
| GitLab    | Personal access token with api scope (works with GitLab.com and self-hosted) |
| Bitbucket | App password with pullrequest:write scope (works with Cloud and Server) |

Add the token via the project’s Settings → Git Tokens form. Tokens are encrypted at rest and rotated when you replace them; the token is shown once at creation, then masked.
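Step 2 above depends on getting the PR/MR number out of the CI environment. The script below is an added example, not one of Vygl's own CI snippets: it derives the number from the standard variables each provider sets (GITHUB_REF on GitHub Actions, CI_MERGE_REQUEST_IID on GitLab CI, BITBUCKET_PR_ID on Bitbucket Pipelines; these names are assumed here rather than taken from the CI/CD Pipelines page), rejects anything that is not a plain decimal number before it reaches the command line, and only then builds the `vygl scan --pr` invocation. The Git Token itself is assumed to be already saved in the project's Settings, as described above; it never appears in the pipeline.

```shell
#!/bin/sh
# Added example (not Vygl's own CI snippet): derive the pull/merge request
# number from the provider's standard CI variables, validate it, and hand it
# to `vygl scan --pr`. Variable names assumed here:
#   GitHub Actions       GITHUB_REF            (refs/pull/<n>/merge or refs/pull/<n>/head)
#   GitLab CI            CI_MERGE_REQUEST_IID  (only set on merge-request pipelines)
#   Bitbucket Pipelines  BITBUCKET_PR_ID       (only set on pull-request pipelines)

# Accept only a plain decimal number. CI variables are derived from
# user-controlled input (a branch name can be anything), so never splice
# them into a command line unchecked.
is_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the PR/MR number for the current pipeline; return 1 on non-PR builds
# or when the value does not look like a number.
detect_pr_number() {
  n=''
  if [ -n "${CI_MERGE_REQUEST_IID:-}" ]; then
    n=$CI_MERGE_REQUEST_IID
  elif [ -n "${BITBUCKET_PR_ID:-}" ]; then
    n=$BITBUCKET_PR_ID
  else
    case "${GITHUB_REF:-}" in
      refs/pull/*/merge|refs/pull/*/head)
        n=${GITHUB_REF#refs/pull/}   # "<n>/merge" or "<n>/head"
        n=${n%%/*}                   # "<n>"
        ;;
    esac
  fi
  is_pr_number "$n" || return 1
  printf '%s\n' "$n"
}

# Build the scan command line. On a PR build, --pr enables the comment;
# on any other build the scan runs without it and no comment is posted.
scan_command() {
  if pr=$(detect_pr_number); then
    printf 'vygl scan --pr %s\n' "$pr"
  else
    printf 'vygl scan\n'
  fi
}

# Stand-alone demo: print the command that would run in this environment.
# In a real job, replace the echo with:  eval "$(scan_command)"
echo "would run: $(scan_command)"
```

The validation step matters because the comment is posted with the project's Git Token: a malformed PR number should fail the job loudly rather than be passed through to the CLI.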

The posted comment contains the following sections:

  • Header — branch, commit SHA, scan duration, scan types that ran.
  • Severity breakdown — counts by critical / high / medium / low.
  • New vs recurring — newly-introduced findings on this PR vs ones already present on the target branch.
  • Findings table — one row per finding: severity, type, rule ID, file location, AI verdict (if any), deep link to the finding detail page in Vygl.
  • Footer — link to the full scan in Vygl.

The comment is updated in place on subsequent scans of the same PR — no comment spam.

GitLab self-hosted and Bitbucket Server both work. Vygl reads the API base URL from the token’s metadata when the SCM connection is configured; for one-off self-hosted setups, the API URL can be specified explicitly when adding the token.