Skip to content

Running Scans (CLI)

The Vygl CLI runs every scan engine locally and uploads only findings metadata. It works on a developer laptop, a CI runner, or any environment with Docker.

vygl scan [OPTIONS] [PATH]

The most common flags:

Flag (long / short)Purpose
--scan-types / -tComma-separated list of engines (default: sast,sca,secrets,iac,malware). Valid values: sast, sca, secrets, iac, malware, container. malware and container are gated by org/project settings — when the cloud policy says they’re off, the CLI skips them automatically and prints a short notice.
--imageScan a container image instead of a directory. Forces --scan-types container.
--fail-onExit non-zero when findings reach this severity. One of critical, high, medium, low.
--no-uploadRun engines locally without pushing results to the cloud.
--name / -nProject name (use when there’s no git remote).
--project-id / -pBind to an existing project explicitly (also VYGL_PROJECT_ID).
--branch / -bOverride the auto-detected branch (useful in detached-HEAD CI).
--commitOverride the auto-detected commit SHA.
--repo-urlOverride the auto-detected repository URL.
--git-providerForce the SCM type (github, gitlab, bitbucket, gitea); also VYGL_GIT_PROVIDER.
--prPull/merge request number — enables PR comment posting. Auto-detected on GitHub Actions, GitLab CI, and Bitbucket Pipelines.
--config / -cPath to a .vygl.yml (overrides auto-discovery).
--show-allPrint every finding to stdout, not just the gate-triggering ones.
--triggerMark the trigger source on the dashboard (default ci; e.g. manual, scheduled).
--api-urlOverride the API base URL. Defaults to VYGL_API_URL then https://api.vygl.io.

Scan only secrets and dependencies, fail on high or above:

vygl scan --scan-types secrets,sca --fail-on high .

Local-only run (no upload):

vygl scan --no-upload .

Scan a container image:

vygl scan --image myorg/myapp:1.2.3

CI run with explicit branch (detached HEAD):

vygl scan --branch main .

Scan a PR and post a comment:

vygl scan --fail-on high --pr 1234 .
CommandWhat it does
vygl auth set-key <KEY>Store an API key locally in ~/.vygl/credentials (chmod 600).
vygl auth testVerify your key works and show the org it belongs to.
CommandWhat it does
vygl project listList all projects in your organization.
CommandWhat it does
vygl results <SCAN_ID>Fetch and print results from a previous scan.