Skip to content

Configuration

A .vygl.yml file at your repository root configures per-engine exclusions, the CI severity gate, and project binding. Settings the file doesn’t define fall back to project-level settings in the dashboard, then to defaults.

project_id: prj_abc123 # Optional — overrides VYGL_PROJECT_ID and auto-detection
scan:
fail_on: high
send_committer: true # Default true — set false to omit author metadata
sast:
exclude_paths:
- "vendor/**"
- "tests/**"
exclude_rules:
- "javascript.express.audit.express-cookie-session-no-secure"
sca:
exclude_packages:
- "pkg:npm/lodash"
iac:
frameworks:
- terraform
- dockerfile
exclude_checks:
- CKV_AWS_46

Optional. Binds the scan to a specific Vygl project ID. Equivalent to --project-id on the CLI or VYGL_PROJECT_ID in the env. CLI flag wins; otherwise the precedence is env → file → auto-detect from git remote.

The CI severity gate. Valid values: critical, high, medium, low. The CLI exits non-zero when findings at or above this level are present. See Severity Gates for the precedence rules.

Default true. When false, the CLI omits commit author email/name/external-id from the upload. Useful when CI runs as a service identity and you don’t want that account credited as the committer.

Glob patterns to skip during SAST. Common excludes: vendor/**, node_modules/**, tests/**, .git/**, .venv/**.

Rule-ID list passed to OpenGrep as --exclude-rule. Useful for rules that are noisy in your codebase but you don’t want to disable for the whole org.

Skip findings for specific packages, written as PURLs (pkg:npm/lodash, pkg:pypi/requests). Useful when a vulnerable dependency has a documented mitigation in your environment.

Restrict Checkov to a subset of terraform, dockerfile, kubernetes, cloudformation. Default is to scan everything Checkov can identify.

Checkov check IDs to skip (e.g. CKV_AWS_46). Use this when a specific check is deliberately accepted across the whole repo.

For per-finding suppression, use:

  • Inline novygl comments in source — the engine drops the finding at scan time. See Inline Suppression.
  • Triage in the dashboard — mark findings false_positive, ignored, or suppressed. The decision is sticky across rescans.

There is no .vygl.yml fingerprint or path-based suppression for the Secrets engine today; rely on novygl comments or in-dashboard triage.

The CLI also reads these environment variables (CLI flags take precedence over both the env and the config file):

VariablePurpose
VYGL_API_KEYAPI key for authentication (required for cloud upload).
VYGL_API_URLAPI base URL (default: https://api.vygl.io).
VYGL_PROJECT_IDOverride auto-detected project ID.
VYGL_GIT_PROVIDERForce the SCM type (github, gitlab, bitbucket, gitea).

CI-native vars (GITHUB_*, CI_*, BITBUCKET_*, GITEA_*) are read for branch / commit / repo / PR / committer auto-detection — see CI/CD Pipelines.