Skip to content

PR / MR Comments

Vygl can post scan summaries on pull requests across GitHub, GitLab, and Bitbucket. The comment includes a severity breakdown, new vs recurring counts, and a findings table whose titles deep-link to the dashboard.

Comments are off by default. Enable them in two steps:

  1. Add a Git Token on the project’s settings tab. Vygl uses the token to post the comment back to your SCM.
  2. Pass --pr <number> to vygl scan in CI when running on a PR/MR. The CLI auto-detects the PR number on GitHub Actions, GitLab CI, and Bitbucket Pipelines, so the flag is only needed in unsupported environments. The CI snippets in CI/CD Pipelines wire this up for each provider.

If your code is connected via the managed GitHub App / GitLab / Bitbucket OAuth integration, no Git Token is needed — Vygl posts the comment using the integration’s own credentials.

ProviderRequired token & scope
GitHubPersonal access token (classic) with repo scope, or fine-grained token with Pull requests: write. Works with github.com and GitHub Enterprise Server (the host is parsed from the project’s repository URL).
GitLabPersonal access token with api scope. Works with GitLab.com and self-hosted.
BitbucketApp password (Cloud) or HTTP access token (Server) authorized for pull-request write.

The token lives in the project’s Git Token field on Project → Settings. Saving overwrites the previous value; rotate by replacing it. The current value is editable in the same form — it is not encrypted at the database layer, so treat it like any other secret in your project config.

  • Header — project name, branch, scan types that ran.
  • Severity breakdown — counts by critical / high / medium / low.
  • New vs recurring — newly-introduced findings on this PR vs ones already present on the target branch.
  • Findings table — columns Severity | Type | Finding | File. The “Finding” cell is a markdown link to the finding detail page in Vygl, where you’ll see the rule ID, snippet, AI verdict, and full reasoning. The table caps at 20 new + 30 recurring rows; overflow is summarized in the footer.
  • Footer — link to the full scan in Vygl plus an attribution line.

Each scan posts a fresh comment — comments are not edited in place today. If you re-run a scan on the same PR multiple times, expect one comment per run. (Update-in-place is on the roadmap.)

For the Git-token + CI flow, the API base URL is derived from the project’s repository URL. Set the project’s Repository URL to your self-hosted host (e.g. https://gitlab.example.com/group/project or https://ghe.example.com/org/repo) and Vygl will route the comment through the matching API endpoint — https://<host>/api/v4/... for GitLab, https://<host>/api/v3/... for GitHub Enterprise, https://<host>/rest/api/1.0/... for Bitbucket Server.