Skip to content

CLI Reference

The Vygl CLI is distributed as a Docker image (vygl/vygl-cli:latest). For walkthroughs and patterns, see Running Scans (CLI); this page is the terse reference.

vygl scan [OPTIONS] [PATH]

Scan a directory or, with --image, a container image.

FlagShortTypeDefaultDescription
--scan-types-tcomma listsast,sca,secrets,iac,malwareEngines to run. Valid: sast, sca, secrets, iac, malware, container. malware and container may be turned off by org/project settings — the CLI fetches the policy on each run and skips disabled engines automatically.
--imagestringScan a container image; forces --scan-types container.
--fail-onseverityunsetSeverity that exits non-zero. One of critical, high, medium, low.
--no-uploadflagfalseSkip pushing findings to the cloud.
--name-nstring(auto)Project name (used when no git remote).
--project-id-pUUID(auto)Bind to a specific project. Overrides VYGL_PROJECT_ID and the YAML project_id.
--branch-bstring(auto)Override branch detection.
--commitsha(auto)Override commit detection.
--repo-urlURL(auto)Override git-remote detection.
--git-providerstring(auto)Force SCM type (github, gitlab, bitbucket, gitea); also VYGL_GIT_PROVIDER.
--print(auto)PR/MR number — enables comment posting. Auto-detected on GitHub Actions, GitLab CI, Bitbucket Pipelines.
--config-cpath(auto)Path to a .vygl.yml; overrides auto-discovery.
--show-allflagfalsePrint every finding to stdout, not just gate-triggering ones.
--triggerstringciMark the trigger source on the dashboard (e.g. manual, scheduled).
--api-urlURLfrom envOverride API base URL. Effective default: VYGL_API_URL, falling back to https://api.vygl.io.
CommandDescription
vygl auth set-key <KEY>Store API key in ~/.vygl/credentials (chmod 600).
vygl auth testVerify the stored key and print the org it belongs to.
CommandDescription
vygl project listList all projects in your organization.
CommandDescription
vygl results <SCAN_ID>Print findings from a previous scan.
VariablePurpose
VYGL_API_KEYAPI key (required for cloud upload).
VYGL_API_URLAPI base URL (default https://api.vygl.io).
VYGL_PROJECT_IDOverride auto-detected project ID.
VYGL_GIT_PROVIDERForce SCM type (github, gitlab, bitbucket, gitea).

CI-native vars (GITHUB_*, CI_*, BITBUCKET_*, GITEA_*) are read for branch / commit / repo / PR / committer auto-detection.

CodeMeaning
0Scan completed; no findings ≥ --fail-on threshold and no Block-mode rule fired.
1Scan completed; either findings at/above --fail-on are present, OR a cloud-policy rule in Block mode produced a finding (independent of --fail-on), OR the run errored (engine failure, network error, invalid auth, malformed config).

The CLI today returns 0 or 1 — there’s no separate “run errored” exit code.

The CLI reads CI-native environment variables to fill scan metadata automatically. Supported providers:

  • GitHub Actions (GITHUB_*).
  • GitLab CI (CI_*).
  • Bitbucket Pipelines (BITBUCKET_*).
  • Gitea Actions.
  • Generic git fallback (uses git rev-parse and git remote get-url origin).

Override any auto-detected value with the corresponding flag, or with VYGL_GIT_PROVIDER to force the SCM family.

The loader accepts any of .vygl.yml, .vygl.yaml, vygl.yml, .vigil.yml, .vigil.yaml, vigil.yml at the repo root. See Configuration for the schema.

fail_on precedence (highest to lowest): --fail-on flag → scan.fail_on in the YAML → project setting in the dashboard.