Running Scans (CLI)

The Vygl CLI runs every scan engine locally and uploads only findings metadata. It works on a developer laptop, a CI runner, or any environment with Docker.

The scan command

vygl scan [OPTIONS] [PATH]

Options must come before the path. The most common flags:

Flag	Purpose
--scan-types	Comma-separated list of engines (default: sast,sca,secrets,iac)
--fail-on	Severity threshold that exits non-zero (critical, high, medium, low)
--no-upload	Run engines locally without pushing results to the cloud
--name	Project name (use when there’s no git remote)
--project-id	Bind to an existing project explicitly
--branch	Override the auto-detected branch (useful in detached-HEAD CI)
--pr	Pull/merge request number — enables PR comment posting
--api-url	Override the API base URL (default: https://api.vygl.io)

Common patterns

Scan only secrets and dependencies, fail on high or above:

vygl scan --scan-types secrets,sca --fail-on high .

Local-only run (no upload):

vygl scan --no-upload .

CI run with explicit branch (detached HEAD):

vygl scan --branch main .

Scan a PR and post a comment:

vygl scan --fail-on high --pr 1234 .

Auth commands

Command	What it does
vygl auth set-key <KEY>	Store an API key locally in ~/.vygl/credentials
vygl auth test	Verify your key works and show the org it belongs to

Project commands

Command	What it does
vygl project list	List all projects in your organization
vygl results <SCAN_ID>	View results from a previous scan

Where to set the severity gate

Hardcoding --fail-on in every pipeline gets repetitive. Set the threshold once at Projects → (your project) → Settings → Scanning & AI Overrides and the CLI picks it up automatically. A local --fail-on flag still wins when a developer wants a stricter gate. See Severity Gates.