Email Notifications

Vygl sends two kinds of email: transactional (org invites, password resets — these go automatically and aren’t configurable) and event notifications (scan results, finding alerts, CVE Watch — opt-in).

Setting up event notifications

1. Open Settings → Integrations and click Add Email.
2. Enter one or more recipient addresses (comma-separated).
3. Pick events: scan_completed, critical_finding, high_finding, cve_critical, cve_high, cve_batch_summary.
4. Apply filters (project, severity, scan type) if you want to scope.
5. Save and click Test to send a synthetic event to the recipient list.

What’s in a notification email

Branded HTML with the Vygl logo, dark-mode CSS, and a responsive layout. Each event type has its own template:

• Scan completion — summary table, severity breakdown, link to scan detail.
• Finding alert — finding title, file, rule, AI verdict, link to finding detail.
• CVE Watch — affected packages, EPSS / KEV signals, link to alert.

Plain-text alternatives are included for clients that don’t render HTML.

Transactional emails

These send automatically — no configuration needed:

• Member invites — sent when an admin invites a user. The link expires in 7 days.
• Password reset — sent when a user clicks Forgot Password. The link expires in 7 days.

Transactional emails carry one-time tokens that hash on the server; the raw token never goes to the database.

Bounces aren't auto-removed

If a recipient’s email hard-bounces, Vygl currently doesn’t auto-remove them from the integration. Periodically check the integration’s recipient list and prune addresses that no longer route. (Auto-removal on bounce is on the roadmap.)

Provider

Vygl uses Resend for outbound email. There’s no SMTP fallback today — if Resend is unavailable, transactional emails are queued for retry; event notifications are dropped after a few retries to prevent backlogs.