Running Scans (CLI)
The Vygl CLI runs every scan engine locally and uploads only findings metadata. It works on a developer laptop, a CI runner, or any environment with Docker.
The scan command
Section titled “The scan command”vygl scan [OPTIONS] [PATH]The most common flags:
| Flag (long / short) | Purpose |
|---|---|
--scan-types / -t | Comma-separated list of engines (default: sast,sca,secrets,iac,malware). Valid values: sast, sca, secrets, iac, malware, container. malware and container are gated by org/project settings — when the cloud policy says they’re off, the CLI skips them automatically and prints a short notice. |
--image | Scan a container image instead of a directory. Forces --scan-types container. |
--fail-on | Exit non-zero when findings reach this severity. One of critical, high, medium, low. |
--no-upload | Run engines locally without pushing results to the cloud. |
--name / -n | Project name (use when there’s no git remote). |
--project-id / -p | Bind to an existing project explicitly (also VYGL_PROJECT_ID). |
--branch / -b | Override the auto-detected branch (useful in detached-HEAD CI). |
--commit | Override the auto-detected commit SHA. |
--repo-url | Override the auto-detected repository URL. |
--git-provider | Force the SCM type (github, gitlab, bitbucket, gitea); also VYGL_GIT_PROVIDER. |
--pr | Pull/merge request number — enables PR comment posting. Auto-detected on GitHub Actions, GitLab CI, and Bitbucket Pipelines. |
--config / -c | Path to a .vygl.yml (overrides auto-discovery). |
--show-all | Print every finding to stdout, not just the gate-triggering ones. |
--trigger | Mark the trigger source on the dashboard (default ci; e.g. manual, scheduled). |
--api-url | Override the API base URL. Defaults to VYGL_API_URL then https://api.vygl.io. |
Common patterns
Section titled “Common patterns”Scan only secrets and dependencies, fail on high or above:
vygl scan --scan-types secrets,sca --fail-on high .Local-only run (no upload):
vygl scan --no-upload .Scan a container image:
vygl scan --image myorg/myapp:1.2.3CI run with explicit branch (detached HEAD):
vygl scan --branch main .Scan a PR and post a comment:
vygl scan --fail-on high --pr 1234 .Auth commands
Section titled “Auth commands”| Command | What it does |
|---|---|
vygl auth set-key <KEY> | Store an API key locally in ~/.vygl/credentials (chmod 600). |
vygl auth test | Verify your key works and show the org it belongs to. |
Project commands
Section titled “Project commands”| Command | What it does |
|---|---|
vygl project list | List all projects in your organization. |
Results
Section titled “Results”| Command | What it does |
|---|---|
vygl results <SCAN_ID> | Fetch and print results from a previous scan. |