PR / MR Comments
Vygl can post scan summaries on pull requests across GitHub, GitLab, and Bitbucket. The comment includes a severity breakdown, new vs recurring counts, and a findings table whose titles deep-link to the dashboard.
Enable comments
Section titled “Enable comments”Comments are off by default. Enable them in two steps:
- Add a Git Token on the project’s settings tab. Vygl uses the token to post the comment back to your SCM.
- Pass
--pr <number>tovygl scanin CI when running on a PR/MR. The CLI auto-detects the PR number on GitHub Actions, GitLab CI, and Bitbucket Pipelines, so the flag is only needed in unsupported environments. The CI snippets in CI/CD Pipelines wire this up for each provider.
If your code is connected via the managed GitHub App / GitLab / Bitbucket OAuth integration, no Git Token is needed — Vygl posts the comment using the integration’s own credentials.
Tokens by provider
Section titled “Tokens by provider”| Provider | Required token & scope |
|---|---|
| GitHub | Personal access token (classic) with repo scope, or fine-grained token with Pull requests: write. Works with github.com and GitHub Enterprise Server (the host is parsed from the project’s repository URL). |
| GitLab | Personal access token with api scope. Works with GitLab.com and self-hosted. |
| Bitbucket | App password (Cloud) or HTTP access token (Server) authorized for pull-request write. |
The token lives in the project’s Git Token field on Project → Settings. Saving overwrites the previous value; rotate by replacing it. The current value is editable in the same form — it is not encrypted at the database layer, so treat it like any other secret in your project config.
What’s in the comment
Section titled “What’s in the comment”- Header — project name, branch, scan types that ran.
- Severity breakdown — counts by critical / high / medium / low.
- New vs recurring — newly-introduced findings on this PR vs ones already present on the target branch.
- Findings table — columns
Severity | Type | Finding | File. The “Finding” cell is a markdown link to the finding detail page in Vygl, where you’ll see the rule ID, snippet, AI verdict, and full reasoning. The table caps at 20 new + 30 recurring rows; overflow is summarized in the footer. - Footer — link to the full scan in Vygl plus an attribution line.
Each scan posts a fresh comment — comments are not edited in place today. If you re-run a scan on the same PR multiple times, expect one comment per run. (Update-in-place is on the roadmap.)
What if the SCM is self-hosted?
Section titled “What if the SCM is self-hosted?”For the Git-token + CI flow, the API base URL is derived from the project’s repository URL. Set the project’s Repository URL to your self-hosted host (e.g. https://gitlab.example.com/group/project or https://ghe.example.com/org/repo) and Vygl will route the comment through the matching API endpoint — https://<host>/api/v4/... for GitLab, https://<host>/api/v3/... for GitHub Enterprise, https://<host>/rest/api/1.0/... for Bitbucket Server.