
Configuration

A .vygl.yml file at your repository root configures which scan engines run, which paths to exclude, the CI severity gate, and the fingerprint ignore list for known false positives.

version: "1"
scan:
  types:
    - sast
    - sca
    - secrets
    - iac
  fail_on: high
sast:
  exclude_paths:
    - "vendor/**"
    - "tests/**"
secrets:
  exclude_paths:
    - "tests/fixtures/**"
  allowed_patterns:
    - "EXAMPLE_.*"
sca:
  exclude_packages:
    - "pkg:npm/lodash"
ignore:
  fingerprints:
    - "abc123..." # Known false positive

scan.types: which engines to run. Defaults to all four (sast, sca, secrets, iac). Engines that have nothing to scan in your repo are skipped automatically; for example, SCA is silent on a repo with no manifest files.

scan.fail_on: the CI severity gate. Valid values: critical, high, medium, low. The CLI exits non-zero when any finding at or above this level is present. See Severity Gates for the precedence rules.

exclude_paths (set per engine): glob patterns the engine skips. Common excludes:

  • vendor/**, node_modules/** — third-party code
  • tests/**, test_fixtures/** — intentionally-insecure test data
  • .git/**, .venv/** — build/state directories

secrets.allowed_patterns: regular expressions whose matches are not reported as secrets. Useful for documented placeholders such as EXAMPLE_API_KEY or XXXXXXXX-PLACEHOLDER.

sca.exclude_packages: skip findings for specific packages, written as PURLs (pkg:npm/lodash, pkg:pypi/requests, etc.). Useful when a vulnerable dependency has a documented mitigation in your environment.

ignore.fingerprints: fingerprints of specific findings you’ve already triaged as false positives. Copy a fingerprint from the dashboard finding-detail view; the same fingerprint suppresses the issue across all branches. Fingerprints are stable: they’re computed from rule + file + line + a normalized snippet, so they survive code reformatting and unrelated edits.
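The following is an added example, written for this page and not taken from the vygl CLI, that models how the keys above are applied to a set of findings: engine selection, per-engine exclude_paths, secrets allowed_patterns, sca exclude_packages, the ignore.fingerprints list, and the fail_on gate. The config is embedded as a dict rather than parsed from YAML, the findings are constructed, and the glob translation (** spanning directories), the use of re.search for allowed_patterns, and the SHA-256 fingerprint over rule/file/line/whitespace-normalized snippet are all assumptions about how such a config behaves, not vygl's documented internals.

```python
"""Illustrative model of applying a .vygl.yml to scan findings (example
code for this page; not the vygl CLI's own implementation)."""
import copy
import hashlib
import re

# Severity order used by the fail_on gate: higher index = more severe.
SEVERITY_ORDER = ("low", "medium", "high", "critical")

# Constructed config mirroring the page's example .vygl.yml.
CONFIG = {
    "scan": {"types": ["sast", "sca", "secrets", "iac"], "fail_on": "high"},
    "sast": {"exclude_paths": ["vendor/**", "tests/**"]},
    "secrets": {"exclude_paths": ["tests/fixtures/**"],
                "allowed_patterns": ["EXAMPLE_.*"]},
    "sca": {"exclude_packages": ["pkg:npm/lodash"]},
    "ignore": {"fingerprints": []},
}

# Constructed sample findings (not real scanner output).
FINDINGS = [
    {"engine": "sast", "rule": "sql-injection", "path": "app/db.py", "line": 40,
     "snippet": "cur.execute('SELECT * FROM u WHERE id=' + uid)", "severity": "high"},
    {"engine": "sast", "rule": "sql-injection", "path": "vendor/orm/q.py", "line": 7,
     "snippet": "cur.execute(q + raw)", "severity": "high"},
    {"engine": "secrets", "rule": "generic-api-key", "path": "README.md", "line": 3,
     "snippet": "EXAMPLE_API_KEY=xxxx", "severity": "medium"},
    {"engine": "sca", "rule": "ADVISORY-PLACEHOLDER", "path": "package.json", "line": 1,
     "package": "pkg:npm/lodash", "snippet": '"lodash": "<version>"', "severity": "critical"},
    {"engine": "iac", "rule": "s3-public", "path": "infra/main.tf", "line": 12,
     "snippet": 'acl = "public-read"', "severity": "medium"},
]


def path_excluded(path, patterns):
    """True if path matches any glob. Assumed semantics: '**' spans any
    number of directory components, '*' stays within one component."""
    for pat in patterns:
        regex = re.escape(pat).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
        if re.fullmatch(regex, path):
            return True
    return False


def secret_allowed(value, allowed_patterns):
    """True if the candidate secret matches an allowed_patterns regex
    (assumed: a search anywhere in the matched text is enough)."""
    return any(re.search(p, value) for p in allowed_patterns)


def fingerprint(rule_id, path, line, snippet):
    """Fingerprint over rule + file + line + normalized snippet. Collapsing
    whitespace is what makes it survive reformatting; the hash choice and
    normalization are assumptions for this example."""
    normalized = " ".join(snippet.split())
    material = f"{rule_id}\0{path}\0{line}\0{normalized}"
    return hashlib.sha256(material.encode()).hexdigest()


def filter_findings(findings, config):
    """Return only the findings the config does not suppress."""
    ignored = set(config.get("ignore", {}).get("fingerprints", []))
    kept = []
    for f in findings:
        engine = f["engine"]
        if engine not in config["scan"]["types"]:
            continue  # engine not enabled
        section = config.get(engine, {})
        if path_excluded(f["path"], section.get("exclude_paths", [])):
            continue
        if engine == "secrets" and secret_allowed(f["snippet"], section.get("allowed_patterns", [])):
            continue
        if engine == "sca" and f.get("package") in section.get("exclude_packages", []):
            continue
        if fingerprint(f["rule"], f["path"], f["line"], f["snippet"]) in ignored:
            continue  # already triaged as a false positive
        kept.append(f)
    return kept


def gate_fails(findings, fail_on):
    """True when any finding is at or above the fail_on severity."""
    if fail_on not in SEVERITY_ORDER:
        raise ValueError(f"fail_on must be one of {SEVERITY_ORDER}, got {fail_on!r}")
    threshold = SEVERITY_ORDER.index(fail_on)
    return any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings)


def suppress(config, fp):
    """Return a copy of config with fingerprint fp added to ignore.fingerprints."""
    cfg = copy.deepcopy(config)
    cfg.setdefault("ignore", {}).setdefault("fingerprints", []).append(fp)
    return cfg


def run(config=CONFIG, findings=FINDINGS):
    """Apply the config and return (kept findings, gate failed?)."""
    kept = filter_findings(findings, config)
    return kept, gate_fails(kept, config["scan"]["fail_on"])


if __name__ == "__main__":
    kept, failed = run()
    for f in kept:
        print(f["severity"], f["engine"], f["path"])
    print("gate:", "FAIL" if failed else "PASS")
```

With the sample data the vendor/ SAST hit, the EXAMPLE_ placeholder and the excluded lodash PURL are all dropped, the app/db.py SQL injection (high) trips the gate, and adding that finding's fingerprint to ignore.fingerprints via suppress() leaves only the medium IaC finding, so the high gate passes. Note that whitespace normalization keeps the fingerprint stable across reindentation, which is the property the page attributes to its fingerprints.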

The CLI also reads these environment variables (CLI flags take precedence over both the env and the config file):

Variable           Purpose
VYGL_API_KEY       API key for authentication (required for cloud upload)
VYGL_API_URL       API base URL (default: https://api.vygl.io)
VYGL_PROJECT_ID    Override auto-detected project ID