# Vygl > Vygl is a security scanning SaaS platform (SAST, SCA, secrets, IaC, container images). The CLI runs every scan engine **locally** in your dev or CI environment and pushes only findings metadata to the cloud — on the CLI path, source code never leaves your environment. Opt-in managed scans (GitHub/GitLab App) run the same engines server-side instead. Findings are deduplicated by fingerprint so triage state (status, AI verification, suppression) is preserved across scans. Key concepts: - **Local-first architecture**: source code stays on the developer's machine or CI runner; only rule IDs, file paths, line numbers, and normalized snippets are uploaded. - **Engines bundled in one Docker image** (`vygl/vygl-cli:latest`): OpenGrep (SAST), osv-scanner (SCA + container `--image` mode), Gitleaks (secrets), Checkov (IaC). - **Fingerprint-based dedup**: `sha256(scan_type + rule_id + file_path + start_line + normalized_snippet)`. Auto-fixed findings are inferred when a full scan no longer includes a previously-seen fingerprint. - **AI verification**: Claude verifies whether a finding is a true positive, returns verdict + confidence + suggested fix; Organizational Memory captures codebase context to suppress recurring false positives. - **CVE Watch**: hourly re-check of your dependency inventory against new CVEs, enriched with EPSS exploit probability and CISA KEV. - **MCP server**: Vygl exposes a Model Context Protocol server so AI IDE tools (Claude Code, Cursor, Codex, OpenCode) can query findings directly. ## Getting Started - [Introduction](https://docs.vygl.io/): What Vygl scans, how local-first scanning works, where to go next. - [Sign Up & Sign In](https://docs.vygl.io/getting-started/sign-in/): Email/password or SSO via Google, Microsoft Entra, GitHub, or GitLab. - [Onboarding Walkthrough](https://docs.vygl.io/getting-started/onboarding/): A guided four-step setup that connects your first integration, runs a CLI scan, and discovers repositories. - [Quickstart](https://docs.vygl.io/getting-started/quickstart/): Pull the CLI Docker image, scan a local directory, push findings to the dashboard — in five minutes. ## Connecting Your Code - [Overview](https://docs.vygl.io/connect/overview/): Three connection options — managed SCM apps, CI/CD pipelines, or the local CLI. Alternatives, not stages. - [GitHub App](https://docs.vygl.io/connect/github/): Install the Vygl GitHub App for automatic scans on push, PR gating, and inline PR comments. - [GitLab](https://docs.vygl.io/connect/gitlab/): Connect GitLab.com or self-hosted GitLab via OAuth — auto-scan pushes and merge requests. - [Bitbucket](https://docs.vygl.io/connect/bitbucket/): Connect Bitbucket Cloud via OAuth for automatic scans and pull-request comments. - [PR / MR Comments](https://docs.vygl.io/connect/pr-comments/): Post scan summaries on pull/merge requests — severity breakdown, new vs recurring findings, deep links. ## Scanning - [Scan Engines](https://docs.vygl.io/scanning/engines/): OpenGrep (SAST), osv-scanner (SCA), Gitleaks (secrets), Checkov (IaC), plus container scanning. - [Running Scans (CLI)](https://docs.vygl.io/scanning/cli/): Every `vygl` command, flag, and common pattern for local and CI use. - [CI/CD Pipelines](https://docs.vygl.io/scanning/ci-cd/): Drop-in configs for GitHub Actions, GitLab CI, Bitbucket Pipelines, and Docker-based CI. - [Configuration](https://docs.vygl.io/scanning/configuration/): Configure behavior with `.vygl.yml` — engine exclusions, severity gates, project binding. - [Severity Gates](https://docs.vygl.io/scanning/severity-gates/): Fail CI when findings reach a chosen severity; configurable per-project, per-repo, or per-run. - [Custom Rules](https://docs.vygl.io/scanning/custom-rules/): Add your own OpenGrep YAML rules — written in-dashboard, imported from git, or uploaded directly. ## Container Security - [Container Scanning](https://docs.vygl.io/containers/overview/): Scan images for OS-package and application-dependency vulnerabilities — locally with the CLI or automatically via a connected registry. - [Connecting Registries](https://docs.vygl.io/containers/registries/): Connect a Harbor registry — Vygl discovers images, scans on push, and runs a daily catch-up rescan. - [Image Detail & Layers](https://docs.vygl.io/containers/image-detail/): Per-image inspection — layer-by-layer breakdown, vulnerable packages by ecosystem, base-layer flagging, AI risk summary. - [Source ↔ Container Correlation](https://docs.vygl.io/containers/correlation/): Map vulnerabilities found in images back to the source dependencies that share the same CVE. ## Findings & Triage - [Findings Overview](https://docs.vygl.io/findings/overview/): A unified view of every vulnerability — searchable, filterable, deduplicated by fingerprint per branch. - [Triage States & Lifecycle](https://docs.vygl.io/findings/triage/): All statuses — open, acknowledged, fix_claimed, fixed, false_positive, ignored, suppressed, auto_fixed — how snoozes expire, and how fix-claims get verified. - [Auto-Fix Reconciliation](https://docs.vygl.io/findings/auto-fix/): Detection of fixed findings by comparing fingerprints across full scans, per branch and per scan-type. - [Detection History](https://docs.vygl.io/findings/history/): Two parallel timelines per finding — scan-by-scan detection records and the audit-driven status-transition log. - [Inline Suppression](https://docs.vygl.io/findings/suppression/): Suppress findings in source with `novygl` comments — or use in-dashboard triage when you want an audit trail. ## AI Features - [AI Verification](https://docs.vygl.io/ai/verification/): Ask Claude to verify whether a finding is a true positive — verdict, confidence, reasoning, suggested fix. - [Security Brief](https://docs.vygl.io/ai/consultation/): Pre-computed AI brief per project — top risks, remediation paths, triage suggestions — with follow-up chat. - [Organizational Memory](https://docs.vygl.io/ai/memory/): Teach Vygl the context behind your codebase to eliminate recurring false positives across verdicts, briefs, and container analyses. - [Container AI Analysis](https://docs.vygl.io/ai/container-analysis/): Pre-computed AI risk summary for every scanned image — risk posture, remediation priorities, base-image guidance. ## CVE Watch - [CVE Watch](https://docs.vygl.io/cve-watch/): Hourly monitoring of your dependencies for new CVEs, enriched with EPSS exploit probability and CISA KEV. ## Integrations - [Slack](https://docs.vygl.io/integrations/slack/): Send scan summaries, finding alerts, CVE notifications via incoming webhooks. Filter by severity, scan type, or project. - [Microsoft Teams](https://docs.vygl.io/integrations/teams/): Adaptive-Card-formatted alerts delivered via Power Automate Workflows. - [Email](https://docs.vygl.io/integrations/email/): Send finding summaries, CVE alerts, and scan results to one or more recipients. - [Generic Webhooks](https://docs.vygl.io/integrations/webhooks/): POST-to-any-URL webhook delivery — currently on the roadmap. - [Jira](https://docs.vygl.io/integrations/jira/): Auto-create Jira tickets from findings and sync triage state — currently in development. ## AI Tools / MCP - [MCP Server Overview](https://docs.vygl.io/mcp/overview/): Vygl's Model Context Protocol server lets AI tools query findings, security posture, and projects directly. - [IDE Setup](https://docs.vygl.io/mcp/setup/): Connect Claude Code, Cursor, OpenCode, Codex, Claude Web, or Claude Desktop to the Vygl MCP server. ## Team & Access - [Members & Roles](https://docs.vygl.io/team/members/): Invite teammates, assign roles, and manage organization access. Three roles map to three permission tiers. - [API Keys](https://docs.vygl.io/team/api-keys/): Create scoped API keys for the CLI, MCP, and direct REST API access. - [Audit Log](https://docs.vygl.io/team/audit-log/): Immutable record of every triage action, member change, integration update, and scan submission. ## Reference - [CLI Reference](https://docs.vygl.io/reference/cli/): Complete reference for every `vygl` command, flag, environment variable, and exit code. - [REST API](https://docs.vygl.io/reference/api/): Vygl's REST API powers the dashboard, CLI, and every integration. Authenticate with a bearer API key. - [Exports — SARIF, CSV, SBOM](https://docs.vygl.io/reference/exports/): Download findings as SARIF 2.1.0 or CSV, and dependency inventories as CycloneDX 1.4 or SPDX 2.3 SBOMs. ## Optional - [Full documentation corpus (single file)](https://docs.vygl.io/llms-full.txt): The entire docs site concatenated into one markdown file — ideal for one-shot ingestion by AI tools. - [XML sitemap](https://docs.vygl.io/sitemap-index.xml): Machine-readable index of every URL. - [Product home](https://vygl.io): Vygl marketing site. - [App](https://app.vygl.io): Sign in to the Vygl dashboard. - [API base URL](https://api.vygl.io): Production REST API host.