Quickstart

The fastest way to evaluate Vygl: run the Docker image against a local checkout, see findings, then add an API key to push results to the dashboard.

The CLI ships as a single Docker image with every scan engine bundled — OpenGrep (SAST), Gitleaks (secrets), osv-scanner (SCA), and Checkov (IaC).

docker pull vygl/vygl-cli:latest

Run a scan against the current directory. The --no-upload flag keeps everything local.

docker run --rm \
    -v "$(pwd)":/scan \
    vygl/vygl-cli scan /scan --no-upload

You’ll see a finding table printed to stdout. The CLI exits 0 unless you set a severity gate (covered in Severity Gates).

  1. Open Vygl, go to Settings → API Keys, click Generate Key, and copy the key. The key starts with vgl_.

  2. Re-run the scan with the API key set. The CLI auto-detects your git remote and creates or matches a project.

    docker run --rm --network host \
        -v "$(pwd)":/scan \
        -e VYGL_API_URL=https://api.vygl.io \
        -e VYGL_API_KEY=vgl_your_api_key_here \
        vygl/vygl-cli scan /scan

  3. Open the dashboard. The scan appears under Projects, with findings listed and ready to triage.
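
The two scan commands above can be combined into one wrapper that keeps the API key value off the command line. This is an added example, not part of the Vygl documentation: `vygl_scan`, `VYGL_IMAGE` and `VYGL_DRY_RUN` are hypothetical names, and it assumes the key has already been placed in the environment (for example from a CI secret).

```shell
#!/bin/sh
# Added example, not Vygl's own code. vygl_scan, VYGL_IMAGE and VYGL_DRY_RUN
# are hypothetical names; the flags and variables passed to the container
# are the ones shown in the quickstart.

VYGL_IMAGE="${VYGL_IMAGE:-vygl/vygl-cli:latest}"

# vygl_scan [DIR]: local-only scan when VYGL_API_KEY is unset, upload otherwise.
vygl_scan() {
  _vygl_dir="${1:-.}"
  if [ ! -d "$_vygl_dir" ]; then
    echo "vygl_scan: not a directory: $_vygl_dir" >&2
    return 2
  fi
  _vygl_dir="$(cd "$_vygl_dir" && pwd)"   # resolve to an absolute path for -v

  if [ -z "${VYGL_API_KEY:-}" ]; then
    # No key available: force --no-upload so nothing leaves the machine.
    set -- run --rm -v "$_vygl_dir:/scan" "$VYGL_IMAGE" scan /scan --no-upload
  else
    case "$VYGL_API_KEY" in
      vgl_?*) ;;   # quickstart: keys start with vgl_
      *) echo "vygl_scan: VYGL_API_KEY does not start with vgl_" >&2
         return 3 ;;
    esac
    export VYGL_API_KEY
    # "-e NAME" with no "=value" makes docker copy the variable from its own
    # environment, so the key value is not part of the command line.
    set -- run --rm --network host -v "$_vygl_dir:/scan" \
      -e "VYGL_API_URL=${VYGL_API_URL:-https://api.vygl.io}" \
      -e VYGL_API_KEY "$VYGL_IMAGE" scan /scan
  fi

  if [ -n "${VYGL_DRY_RUN:-}" ]; then
    printf 'docker %s\n' "$*"   # show the command instead of running it
  else
    docker "$@"
  fi
}
```

Source the file and call `vygl_scan .`; set `VYGL_DRY_RUN=1` first to print the docker command without running it.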