CI/CD Pipelines
Add a single Vygl step to your pipeline to scan every push and pull request. The CLI auto-detects branch, commit, and repository URL from CI environment variables — the only secret you need to configure is VYGL_API_KEY.
Pipeline configs
GitHub Actions

```yaml
name: Vygl Security Scan
on:
  push:
    branches: [main]
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    container:
      image: vygl/vygl-cli:latest
      # The image's default entrypoint is cleared so the runner can start its own shell.
      options: --entrypoint ""
    env:
      VYGL_API_KEY: ${{ secrets.VYGL_API_KEY }}
    steps:
      - uses: actions/checkout@v4
      - run: vygl scan --fail-on high .
      # Optional: post scan summary as a PR comment.
      # Add a Git Token in project settings, then uncomment:
      # - run: vygl scan --fail-on high --pr ${{ github.event.pull_request.number }} .
```

Add VYGL_API_KEY under Settings → Secrets and variables → Actions. Branch, commit, and repo URL are auto-detected from the GitHub Actions environment. Note that GitHub does not expose repository secrets to pull_request workflows triggered from forks, so the scan step will see an empty VYGL_API_KEY in those runs.
GitLab CI

```yaml
vygl-scan:
  stage: test
  image:
    name: vygl/vygl-cli:latest
    # Clear the image entrypoint so the runner can execute the script section.
    entrypoint: [""]
  variables:
    VYGL_API_KEY: $VYGL_API_KEY
  script:
    - vygl scan --fail-on high .
    # Optional: post scan summary as an MR comment.
    # Add a Git Token in project settings, then use:
    # - vygl scan --fail-on high --pr $CI_MERGE_REQUEST_IID .
  # Optional: restrict to MRs and the default branch only.
  # rules:
  #   - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  #   - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Add VYGL_API_KEY under Settings → CI/CD → Variables (mark as masked). Works with GitLab.com and self-hosted instances.
Bitbucket Pipelines

```yaml
pipelines:
  default:
    - step:
        name: Vygl Security Scan
        image:
          name: vygl/vygl-cli:latest
          entrypoint: [""]
        script:
          - vygl scan --fail-on high .
          # Optional: post scan summary as a PR comment.
          # Add a Git Token in project settings, then use:
          # - vygl scan --fail-on high --pr $BITBUCKET_PR_ID .
  pull-requests:
    '**':
      - step:
          name: Vygl Security Scan
          image:
            name: vygl/vygl-cli:latest
            entrypoint: [""]
          script:
            - vygl scan --fail-on high .
            # Uncomment to post scan summary as a PR comment:
            # - vygl scan --fail-on high --pr $BITBUCKET_PR_ID .
```

Add VYGL_API_KEY as a repository variable in Repository settings → Pipelines → Variables.
Docker (any CI)

```sh
docker run --rm \
  -v "$(pwd)":/scan \
  -e VYGL_API_KEY=vgl_your_key \
  vygl/vygl-cli scan --fail-on high /scan
# Optional: add --pr <number> to post a scan summary as a PR/MR comment
# Tip: pass the key as `-e VYGL_API_KEY` (no value) so Docker reads it from the
# CI environment and it never appears on the command line or in shell history.
```

Works with any CI system that supports Docker containers (Jenkins, CircleCI, Drone, Buildkite, Gitea Actions, …).
What gets auto-detected
When run inside CI, the CLI reads environment variables to fill in scan metadata:

- Repository URL, branch, commit SHA — from CI-native variables (GITHUB_REPOSITORY, CI_COMMIT_REF_NAME, BITBUCKET_BRANCH, etc.).
- PR number — only when explicitly passed via --pr. CI-native variables are referenced in the snippets above.
- Trigger type (push / pull_request / scheduled) — derived from CI variables.
If detection fails, override with --repo-url, --branch, --commit, or --pr flags.
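As an added example (not the Vygl CLI's own code), the POSIX shell sketch below shows how metadata detection of this kind works for the three CI systems above and how an explicit flag value takes precedence over the environment. The environment variable names are the ones GitHub Actions, GitLab CI and Bitbucket Pipelines really export; the provider-detection order, the function names (ci_provider, scan_metadata, resolve, require_api_key) and the key=value output format are this example's own assumptions, not Vygl's.

```sh
#!/bin/sh
# Added example, not part of the Vygl CLI: a portable sketch of CI metadata
# detection with explicit-flag overrides. Variable names are the real ones each
# CI system exports; precedence rules and output format are assumptions.

# Fail fast if the one required secret is absent. Only presence is checked;
# the value is never echoed, so it cannot leak into build logs.
require_api_key() {
  [ -n "$VYGL_API_KEY" ] || { echo "VYGL_API_KEY is not set" >&2; return 1; }
}

# Which CI system are we in? Each provider sets one unmistakable marker.
ci_provider() {
  if [ "$GITHUB_ACTIONS" = "true" ]; then echo github
  elif [ "$GITLAB_CI" = "true" ]; then echo gitlab
  elif [ -n "$BITBUCKET_BUILD_NUMBER" ]; then echo bitbucket
  else echo unknown
  fi
}

ci_repo_url() {
  case "$(ci_provider)" in
    github)    echo "${GITHUB_SERVER_URL:-https://github.com}/$GITHUB_REPOSITORY" ;;
    gitlab)    echo "$CI_PROJECT_URL" ;;
    bitbucket) echo "$BITBUCKET_GIT_HTTP_ORIGIN" ;;
    *)         git config --get remote.origin.url 2>/dev/null || echo "" ;;
  esac
}

# Branch: on PR/MR builds prefer the source branch over the synthetic merge ref.
ci_branch() {
  case "$(ci_provider)" in
    github)    echo "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" ;;
    gitlab)    echo "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME:-$CI_COMMIT_REF_NAME}" ;;
    bitbucket) echo "$BITBUCKET_BRANCH" ;;
    *)         git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "" ;;
  esac
}

# Commit: on GitHub pull_request events GITHUB_SHA is the merge commit, not the
# PR head, so findings may not line up with the commit a reviewer sees unless
# --commit is passed explicitly.
ci_commit() {
  case "$(ci_provider)" in
    github)    echo "$GITHUB_SHA" ;;
    gitlab)    echo "$CI_COMMIT_SHA" ;;
    bitbucket) echo "$BITBUCKET_COMMIT" ;;
    *)         git rev-parse HEAD 2>/dev/null || echo "" ;;
  esac
}

# Trigger type normalised to push / pull_request / scheduled.
ci_trigger() {
  case "$(ci_provider)" in
    github)
      case "$GITHUB_EVENT_NAME" in
        pull_request*) echo pull_request ;;
        schedule)      echo scheduled ;;
        *)             echo push ;;
      esac ;;
    gitlab)
      case "$CI_PIPELINE_SOURCE" in
        merge_request_event) echo pull_request ;;
        schedule)            echo scheduled ;;
        *)                   echo push ;;
      esac ;;
    bitbucket)
      if [ -n "$BITBUCKET_PR_ID" ]; then echo pull_request; else echo push; fi ;;
    *) echo push ;;
  esac
}

# resolve OVERRIDE DETECTOR: an explicit flag value (--repo-url, --branch,
# --commit) always wins over whatever the environment says.
resolve() {
  if [ -n "$1" ]; then echo "$1"; else "$2"; fi
}

# scan_metadata [repo_url] [branch] [commit]: print the metadata a scan would
# be tagged with, one key=value per line. Empty arguments mean "auto-detect".
scan_metadata() {
  echo "repo=$(resolve "$1" ci_repo_url)"
  echo "branch=$(resolve "$2" ci_branch)"
  echo "commit=$(resolve "$3" ci_commit)"
  echo "trigger=$(ci_trigger)"
}
```

Run it inside a job with no arguments to see what would be auto-detected (`scan_metadata`), or pass overrides in the same position the CLI flags fill (`scan_metadata "" "" "$(git rev-parse HEAD)"` to pin the commit on a GitHub PR build). The `require_api_key` check is the kind of preflight worth adding before the scan step: a missing or unmasked secret is easier to diagnose from a clear message than from an authentication failure deep in the scan output.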