Configuration
A .vygl.yml file at your repository root configures per-engine exclusions, the CI severity gate, and project binding. Settings the file doesn’t define fall back to project-level settings in the dashboard, then to defaults.
Full example
Section titled “Full example”project_id: prj_abc123 # Optional — overrides VYGL_PROJECT_ID and auto-detectionscan: fail_on: high send_committer: true # Default true — set false to omit author metadata
sast: exclude_paths: - "vendor/**" - "tests/**" exclude_rules: - "javascript.express.audit.express-cookie-session-no-secure"
sca: exclude_packages: - "pkg:npm/lodash"
iac: frameworks: - terraform - dockerfile exclude_checks: - CKV_AWS_46Top-level keys
Section titled “Top-level keys”project_id
Section titled “project_id”Optional. Binds the scan to a specific Vygl project ID. Equivalent to --project-id on the CLI or VYGL_PROJECT_ID in the env. CLI flag wins; otherwise the precedence is env → file → auto-detect from git remote.
scan.fail_on
Section titled “scan.fail_on”The CI severity gate. Valid values: critical, high, medium, low. The CLI exits non-zero when findings at or above this level are present. See Severity Gates for the precedence rules.
scan.send_committer
Section titled “scan.send_committer”Default true. When false, the CLI omits commit author email/name/external-id from the upload. Useful when CI runs as a service identity and you don’t want that account credited as the committer.
scan.sast.exclude_paths
Section titled “scan.sast.exclude_paths”Glob patterns to skip during SAST. Common excludes: vendor/**, node_modules/**, tests/**, .git/**, .venv/**.
scan.sast.exclude_rules
Section titled “scan.sast.exclude_rules”Rule-ID list passed to OpenGrep as --exclude-rule. Useful for rules that are noisy in your codebase but you don’t want to disable for the whole org.
scan.sca.exclude_packages
Section titled “scan.sca.exclude_packages”Skip findings for specific packages, written as PURLs (pkg:npm/lodash, pkg:pypi/requests). Useful when a vulnerable dependency has a documented mitigation in your environment.
scan.iac.frameworks
Section titled “scan.iac.frameworks”Restrict Checkov to a subset of terraform, dockerfile, kubernetes, cloudformation. Default is to scan everything Checkov can identify.
scan.iac.exclude_checks
Section titled “scan.iac.exclude_checks”Checkov check IDs to skip (e.g. CKV_AWS_46). Use this when a specific check is deliberately accepted across the whole repo.
Suppressing findings
Section titled “Suppressing findings”For per-finding suppression, use:
- Inline
novyglcomments in source — the engine drops the finding at scan time. See Inline Suppression. - Triage in the dashboard — mark findings
false_positive,ignored, orsuppressed. The decision is sticky across rescans.
There is no .vygl.yml fingerprint or path-based suppression for the Secrets engine today; rely on novygl comments or in-dashboard triage.
Environment variables
Section titled “Environment variables”The CLI also reads these environment variables (CLI flags take precedence over both the env and the config file):
| Variable | Purpose |
|---|---|
VYGL_API_KEY | API key for authentication (required for cloud upload). |
VYGL_API_URL | API base URL (default: https://api.vygl.io). |
VYGL_PROJECT_ID | Override auto-detected project ID. |
VYGL_GIT_PROVIDER | Force the SCM type (github, gitlab, bitbucket, gitea). |
CI-native vars (GITHUB_*, CI_*, BITBUCKET_*, GITEA_*) are read for branch / commit / repo / PR / committer auto-detection — see CI/CD Pipelines.