The Vygl CLI is distributed as a Docker image (vygl/vygl-cli:latest). For walkthroughs and patterns, see Running Scans (CLI); this page is the terse reference.
vygl scan [OPTIONS] [PATH]
Scan a directory. Options must come before the path.
| Flag | Type | Default | Description |
|---|---|---|---|
| --scan-types | comma list | sast,sca,secrets,iac | Engines to run |
| --fail-on | severity | unset | Severity that exits non-zero |
| --no-upload | flag | false | Skip pushing findings to the cloud |
| --name | string | (auto) | Project name (used when no git remote) |
| --project-id | UUID | (auto) | Bind to a specific project |
| --branch | string | (auto) | Override branch detection |
| --commit | sha | (auto) | Override commit detection |
| --repo-url | URL | (auto) | Override git-remote detection |
| --pr | int | unset | PR/MR number — enables comment posting |
| --api-url | URL | https://api.vygl.io | Override API base URL |

| Command | Description |
|---|---|
| vygl auth set-key <KEY> | Store API key in ~/.vygl/credentials (chmod 600) |
| vygl auth test | Verify the stored key and print the org it belongs to |

| Command | Description |
|---|---|
| vygl project list | List all projects in your organization |

| Command | Description |
|---|---|
| vygl results <SCAN_ID> | Print findings from a previous scan |

| Variable | Purpose |
|---|---|
| VYGL_API_KEY | API key (required for cloud upload) |
| VYGL_API_URL | API base URL (default https://api.vygl.io) |
| VYGL_PROJECT_ID | Override auto-detected project ID |

| Code | Meaning |
|---|---|
| 0 | Scan completed; no findings ≥ --fail-on threshold |
| 1 | Scan completed; findings at or above the threshold are present (CI gate fired) |
| 2 | Scan errored — engine failure, network error, invalid auth, malformed config |
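A CI wrapper that keeps the three exit codes apart and fails closed, so a scan that errored (2) or returned an undocumented code is never read as a pass. This is an added example, not part of the Vygl documentation; the function name vygl_gate and the VYGL_CMD override are hypothetical, and it assumes an executable that behaves like the vygl CLI is reachable under that name.

```shell
#!/bin/sh
# Added example: CI gate around the documented `vygl scan` exit codes.
# Assumption: VYGL_CMD names an executable that behaves like the vygl CLI.
VYGL_CMD="${VYGL_CMD:-vygl}"

# vygl_gate THRESHOLD [PATH]   (hypothetical helper)
# Returns 0 = pass, 1 = gate fired, 2 = no trustworthy result (fail closed).
vygl_gate() {
    threshold="$1"
    scan_path="${2:-.}"
    if [ -z "$threshold" ]; then
        echo "vygl_gate: a --fail-on severity is required" >&2
        return 2
    fi

    set -- --fail-on "$threshold"
    # No key in the environment and none stored by `vygl auth set-key`:
    # cloud upload cannot work, so gate on a local-only scan instead.
    if [ -z "${VYGL_API_KEY:-}" ] && [ ! -f "$HOME/.vygl/credentials" ]; then
        echo "vygl_gate: no API key found, scanning with --no-upload" >&2
        set -- "$@" --no-upload
    fi

    # Options must come before the path.
    "$VYGL_CMD" scan "$@" "$scan_path"
    scan_rc=$?

    case "$scan_rc" in
        0) echo "vygl_gate: no findings at or above $threshold" >&2
           return 0 ;;
        1) echo "vygl_gate: findings at or above $threshold, blocking" >&2
           return 1 ;;
        2) echo "vygl_gate: scan errored, treating as failure" >&2
           return 2 ;;
        *) # Includes 127 (command not found) and any undocumented code.
           echo "vygl_gate: unexpected exit code $scan_rc, treating as failure" >&2
           return 2 ;;
    esac
}
```

Pass the severity your pipeline gates on as the first argument; the valid severity names are listed elsewhere in the Vygl documentation, not on this page.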
The CLI reads CI-native environment variables to fill scan metadata automatically. Supported providers:
GitHub Actions (GITHUB_*)
GitLab CI (CI_*)
Bitbucket Pipelines (BITBUCKET_*)
Gitea Actions
Generic git fallback (uses git rev-parse and git remote get-url origin)
Override any auto-detected value with the corresponding flag.
A .vygl.yml (or legacy .vigil.yml) at the repo root configures scan behavior — see Configuration for the schema.