Severity Gates

A severity gate makes the CLI exit non-zero when findings at or above a chosen level are present, failing your CI build. Three places can set it.

Setting the gate

Project setting (recommended for teams)

Open Projects → (your project) → Settings → Scanning & AI Overrides and pick a level under Fail CI/CD build on severity. The CLI picks it up automatically — pipelines stay simple.

vygl scan .          # Picks up the project setting

.vygl.yml

Set scan.fail_on in your repo’s config file. Useful for repos that should always have a stricter gate than the project default.

scan:
  fail_on: high

CLI flag

A local --fail-on flag wins over both, so individual developers can tighten the gate temporarily:

vygl scan --fail-on critical .

Severity levels

Level	Meaning
critical	Fail only on critical findings (most permissive)
high	Fail on critical or high
medium	Fail on critical, high, or medium
low	Fail on any finding (most strict)

When no gate is set, the CLI exits 0 regardless of findings — useful for dashboard-only “Monitor” mode.

Precedence

When multiple sources are set, Vygl picks the value in this order:

1. CLI --fail-on flag
2. .vygl.yml scan.fail_on
3. Project setting in the dashboard
4. No gate (exit 0)

What “fail” means

When the gate triggers:

• The CLI prints a summary table of triggering findings.
• The process exits with code 1 (CI build fails).
• Findings are still uploaded — your dashboard reflects the scan whether or not the gate fired.

Suppressed findings don't count

Findings marked false_positive, ignored, or auto_fixed never trigger the gate. AI-verdicted false positives behave the same way only when Auto-suppress AI false positives is enabled in Settings → AI.