Skip to content

Slack

Connect a Slack incoming webhook to receive real-time scan results, critical-finding alerts, and CVE Watch notifications. Each integration can subscribe to specific event types and filter by severity, scan type, or project so each channel only gets what its team needs.

  1. Create a Slack incoming webhook. In Slack, go to api.slack.com/messaging/webhooks, pick the workspace and channel, and copy the webhook URL.

  2. Add the integration in Vygl. Open Settings → Integrations, click Add Slack, paste the webhook URL. The URL must begin with https://hooks.slack.com/ — the integration form rejects anything else.

  3. Subscribe to events. Pick which events should fire to this channel — see the event list below.

  4. Apply filters — restrict to specific projects, scan types, or severities. Useful when one channel cares only about production findings.

  5. Pick an AI verdict filter — by default every per-finding alert pings immediately. To quiet noisy channels, pick AI-verified TPs only or TPs and uncertain so Vygl waits for the LLM verdict before notifying. Requires AI verification to be enabled for your org. See AI Verification → notification filter.

  6. Test. Click the Test button on the integration row; a sample message should appear in your Slack channel within a few seconds.

  • scan_completed — every successful scan.
  • scan_failed — engine errors or upload failures.
  • critical_finding / high_finding — new findings at that severity.
  • cve_critical / cve_high / cve_batch_summary — CVE Watch alerts.

A typical scan-completion message includes:

  • Project name, branch, scan types that ran, duration, trigger (push / PR / manual / scheduled), commit SHA.
  • Severity breakdown with emoji indicators.
  • All new findings with type (SAST / SCA / Secrets / IaC / Malware), rule ID, file location, and clickable links.
  • All recurring findings with first-seen and last-seen dates.
  • A link to the full scan detail in Vygl.

CVE Watch messages are scoped to the affected dependency and include the OSV ID, severity, package, fixed versions, and the affected-project list.

When AI verification is enabled and an integration is on a verified-only filter, the AI verdict gates whether the message is sent — it isn’t rendered inline in the message body today.

Toggle the integration’s Enabled switch off to pause it without deleting the configuration. Useful for maintenance windows or noisy onboarding periods.