Scan Engines

Each scan runs four engines locally and pushes only findings metadata to the cloud. Container scanning is a fifth, separate flow covered in Container Scanning.

Static Analysis (SAST)

Powered by OpenGrep with community rules and your own custom rules.

Detects SQL injection, XSS, command injection, insecure crypto, hardcoded credentials in code, missing authentication checks, and other code-level vulnerabilities. Custom rules let you encode organization-specific patterns.

Supply Chain (SCA)

Powered by osv-scanner against the OSV vulnerability database.

Checks direct and transitive dependencies for known CVEs. Supports Python (requirements.txt, pyproject.toml, poetry.lock, Pipfile), Node.js (package.json, package-lock.json, yarn.lock), Go (go.mod, go.sum), Ruby (Gemfile.lock), Rust (Cargo.lock), PHP (composer.lock), and Java (pom.xml, gradle.lockfile).

Secret Detection

Powered by Gitleaks with 600+ built-in patterns plus Vygl’s custom rules.

Detects hardcoded API keys, passwords, tokens, and private keys. Suppress test fixtures with allowed_patterns in .vygl.yml, or with inline novygl comments.

Infrastructure as Code (IaC)

Powered by Checkov with the latest community ruleset.

Scans Terraform, Dockerfile, Kubernetes manifests, and CloudFormation for misconfigurations — public S3 buckets, missing encryption, overly permissive IAM, exposed ports, and more.

The CLI walks your repo once and picks engines based on what’s present:

  • SAST runs on any source code in supported languages.
  • SCA runs when manifest files (package.json, requirements.txt, etc.) are detected.
  • Secrets runs on every text file (with binary detection to skip images and archives).
  • IaC runs when Terraform, Dockerfile, Kubernetes, or CloudFormation files are present.

Restrict which engines run with --scan-types sast,secrets on the CLI, or with scan.types in .vygl.yml.

Each engine has its own exclusion settings in .vygl.yml:

  • scan.sast.exclude_paths — skip vendor/test/generated code
  • scan.secrets.exclude_paths and scan.secrets.allowed_patterns — skip test fixtures and documented placeholders
  • scan.sca.exclude_packages — skip dependencies with documented mitigations
  • (IaC has no per-engine excludes; use the global exclude_paths)
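As an added illustration, not taken from the Vygl documentation, here is a `.vygl.yml` that combines the per-engine exclusions above with the `scan.types` restriction described earlier. The key names (`exclude_paths`, `scan.types`, `scan.sast.exclude_paths`, `scan.secrets.exclude_paths`, `scan.secrets.allowed_patterns`, `scan.sca.exclude_packages`) are the ones this page lists; the value shapes (lists of path globs, regular expressions and package names) and every sample path, pattern and package are assumptions chosen for the example.

```yaml
# .vygl.yml -- example assembled from the keys named on this page.
# Assumptions (not the documented schema): exclude_paths entries are path
# globs, allowed_patterns entries are regular expressions, exclude_packages
# entries are package names. All sample values are constructed.

# Global excludes apply to every engine. IaC has no per-engine exclude,
# so anything IaC should skip has to go here.
exclude_paths:
  - "vendor/**"
  - "node_modules/**"
  - "dist/**"

scan:
  # Same effect as `--scan-types sast,sca,secrets` on the CLI:
  # only the listed engines run (IaC is skipped for this repo).
  types:
    - sast
    - sca
    - secrets

  sast:
    # Generated and test code tend to produce noisy SAST findings.
    exclude_paths:
      - "**/*_pb2.py"
      - "tests/**"

  secrets:
    # Fixtures that deliberately contain key-shaped strings.
    exclude_paths:
      - "tests/fixtures/**"
    # Documented placeholders that look like credentials but are not.
    allowed_patterns:
      - "^AKIAIOSFODNN7EXAMPLE$"        # AWS's published example access key id
      - "^EXAMPLE_[A-Z_]+_TOKEN$"       # our documentation placeholder format
      - "(?i)changeme|placeholder"     # values used in sample .env files

  sca:
    # Dependencies whose known issues have a documented mitigation.
    # Record the reason next to the entry so the exclusion can be revisited.
    exclude_packages:
      - "example-legacy-lib"   # constructed name; vulnerable code path not reachable from this service
```

Keep `allowed_patterns` as narrow as possible (anchored, specific formats rather than broad substrings) so that a real credential that happens to contain a placeholder-looking fragment is not suppressed along with the fixture, and treat every `exclude_packages` entry as a decision that needs an owner and a revisit date, since the CVE it hides stays present in the dependency tree.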

See Configuration for the full schema.

SAST rules can be extended in the dashboard or imported from a git repository — see Custom Rules.