Find Vulnerabilities.
Cut Through the Noise.

Scan your code for vulnerabilities, insecure dependencies, hardcoded secrets, and infrastructure misconfigurations. AI-powered triage helps you identify what's real and what's noise — so your team focuses on fixing what actually matters.

from flask import Flask, request, jsonify
import sqlite3, os

app = Flask(__name__)

API_KEY = "sk-proj-4f8a...29xQ"   # hardcoded secret (Secrets finding)
db = sqlite3.connect("app.db", check_same_thread=False)

@app.route("/users/<user_id>")
def get_user(user_id):
    # user input interpolated into SQL (SAST: SQL injection)
    rows = db.execute(f"SELECT * FROM users WHERE id={user_id}").fetchall()
    query = request.args.get("q")
    # user input interpolated into a shell command (SAST: command injection)
    result = os.system(f"grep {query} /var/log")
    return jsonify({"rows": rows, "grep_status": result})
<project>
  <dependencies>

    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>

    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.8</version>
    </dependency>

  </dependencies>
</project>
resource "aws_s3_bucket" "data" {
  bucket = "acme-app-uploads"
}

resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.data.id
  acl    = "public-read"
}

resource "aws_security_group" "web" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Scanning... (SAST · SCA · Secrets · IaC)

Secrets   Hardcoded API key            CRIT
SAST      SQL Injection                HIGH
SAST      Command Injection            HIGH
SCA       Log4Shell CVE-2021-44228     CRIT
SCA       CVE-2019-12384               MED
IaC       S3 public access             HIGH
IaC       Open ingress 0.0.0.0/0       CRIT
Multi-Engine Scanning
600+ Detection Rules
7+ Languages
CycloneDX SBOM Export
AI-Powered Triage

Every Layer of Your Stack, Covered

Multiple scan engines and AI-powered triage. From source code to infrastructure — so your team can ship with confidence.

SAST (OpenGrep)

Code Analysis

SQL injection, XSS, command injection, path traversal, SSRF, and insecure deserialization.

SQLi · XSS · RCE · Path Traversal · SSRF

SCA (OSV)

Dependency Analysis

Vulnerable dependencies like Log4Shell and Spring4Shell. CVE tracking across 7+ languages.

Log4Shell · Spring4Shell · CVE Tracking · SBOM

Secrets (Gitleaks)

Secret Detection

Hardcoded AWS keys, database credentials, JWT secrets, and private keys using 600+ patterns.

AWS Keys · JWT Secrets · DB Creds · Private Keys

IaC (Checkov)

Infrastructure Scanning

Public S3 buckets, unrestricted security groups, overprivileged IAM, and container misconfigs.

Terraform · Kubernetes · Docker · CloudFormation

AI (LLM-Powered)

Finding Triage

Findings flow through AI triage. Each result is analyzed for confidence, scored as true or false positive, and paired with a suggested fix. Bring your own LLM provider or use ours.

False Positives Identified
True Positives Verified + Fix suggested

AI-Powered Triage

Findings are automatically reviewed by AI. See verdicts, confidence scores, and suggested fixes — so your team spends less time on false positives and more time on real issues.

Finding view · app.vygl.io/findings/a3e7f… · High · SAST · Open

python.django.security.injection.sql-injection

User-controlled data is used in a raw SQL query, which could lead to SQL injection.

backend/views/users.py:42-44

35 from django.http import JsonResponse
36 from .models import User
37
38 @login_required
39 @require_GET
40 def search_users(request):
41     """Search users by name."""
42     query = request.GET.get("q")
43     users = User.objects.raw(
44         f"SELECT * FROM users WHERE name LIKE '%{query}%'"
45     )
46     results = [
47         {"id": u.id, "name": u.name}
48         for u in users
49     ]
50     return JsonResponse({"users": results})
AI Verification
AI-generated — verify manually before acting.

Analyze this finding with AI to determine if it's a true or false positive and get a suggested fix.
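An added Python example, not code from the page or from Vygl, that reproduces the flagged f-string pattern next to a parameterized version. It uses sqlite3 with a constructed in-memory users table in place of Django's User.objects.raw(); the fixed version also escapes LIKE wildcards, which parameterization alone does not handle.

```python
import sqlite3


def make_db():
    # Constructed fixture standing in for the application's `users` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("bob",), ("50%_off",), ("carol",)])
    return db


def search_users_vulnerable(db, query):
    # Mirrors the flagged pattern: user input is interpolated into the SQL text,
    # so quotes and LIKE wildcards in `query` become part of the query itself.
    sql = f"SELECT id, name FROM users WHERE name LIKE '%{query}%' ORDER BY id"
    return [row[1] for row in db.execute(sql)]


def search_users_fixed(db, query):
    # Parameterized query: the driver passes `query` as a bound value, never as SQL.
    # LIKE wildcards (% and _) are escaped so the input matches literally.
    escaped = (query.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))
    sql = "SELECT id, name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[1] for row in db.execute(sql, (f"%{escaped}%",))]


def vulnerable_query_breaks(db, query):
    # True when the interpolated input makes the generated SQL unparseable,
    # the first symptom a scanner or a fuzzed request would surface.
    try:
        search_users_vulnerable(db, query)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(search_users_vulnerable(db, "%"))      # wildcard leaks every row
    print(search_users_fixed(db, "%"))           # only the name containing a literal %
    print(vulnerable_query_breaks(db, "o'brien")) # a quote breaks the raw query
    print(search_users_fixed(db, "o'brien"))     # parameterized: just no match
```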

AI Security Brief

One click, full project report. An AI-generated security brief analyzes all findings and gives your team actionable insights in seconds.

Project view · app.vygl.io/projects/acme-api · acme-api (main) · Findings | Dependencies | Security Brief | Scans

Security Brief

Generate a comprehensive AI-powered security brief for this project. Analyzes all open findings across scan types.

Bring Your Own LLM

Your Models, Your Choice

Run AI triage with local models for full privacy, or connect to any major provider. Supports any OpenAI-compatible API out of the box.

  • OpenAI: GPT-4o, GPT-4 Turbo
  • Anthropic: Claude Sonnet, Haiku
  • AWS Bedrock: Claude, Llama, Mistral
  • Azure OpenAI: GPT-4o, Enterprise
  • OpenAI-Compatible: Groq, Together AI, LiteLLM

Local models keep all data in your environment. Cloud providers only receive individual findings for triage — never your source code.

Why Vygl

Built for Security-Conscious Teams

Comprehensive scanning, AI-assisted triage, and native integration into your AppSec and DevSecOps pipelines.

Your Code Stays Yours

Scans run in your environment. Only findings metadata is sent to the cloud — not your source code.

Comprehensive Coverage

SAST, SCA, secrets, and IaC scanning in one platform. One scan covers your entire stack.

Smart Deduplication

SHA-256 fingerprinting eliminates duplicates across scans. Focus on what actually matters.

Policy as Code

Cloud-managed rules with monitor, block, and disable modes. Enforce security policies in CI/CD.

CI/CD Native

Runs in GitHub Actions, GitLab CI, or any Docker-compatible pipeline. Block merges on critical findings.

AI-Assisted Triage

AI reviews each finding to help identify false positives and prioritize real issues. Bring your own LLM provider or use ours.

Run Anywhere. Review Everything.

Run Vygl as a Docker container in your CI/CD pipeline or locally. Scan results are automatically pushed to the cloud dashboard where your team can triage, track, and manage findings across every project.

CI/CD Pipeline

Your Security Posture, at a Glance

Findings from every scan flow into a unified dashboard. Track trends, triage issues, and manage your security posture across all projects and branches.

Dashboard · app.vygl.io/dashboard · Projects | Findings | Dependencies | Rules

  • Open: 293
  • MTTR: 4.2h
  • Scan Success: 94%
  • AI Cleared: 47

Findings Over Time (new findings vs. resolved; 7D / 1M / 3M / 6M)

AI Insights (active): 251 of 293 analyzed (86%)
  • True Positive: 189 (64%)
  • False Positive: 47 (16%)
  • Uncertain: 15 (5%)
  • Pending: 42 (14%)
  • Confidence: 198 High, 41 Med, 12 Low

Top Rules

Rule                        Sev    TP   FP   Count
gitleaks.generic-api-key    High   54   33   87
sql-injection-fstring       Crit   21   2    23
CVE-2021-44228              Crit   16   0    16
s3-bucket-public-access     High   8    4    12
Managed Scans

Connect Your Repos. Scanning Starts Automatically.

Link your GitHub, GitLab, or Bitbucket account — Vygl installs webhooks, clones on every push or PR, runs all engines, and posts results back. No CI/CD config required.

  • GitHub (GitHub App): Connected
  • GitLab (OAuth 2.0): Connected
  • Bitbucket (OAuth 2.0): Connected

Push / PR → Webhook → Clone → SAST · SCA · Secrets · IaC → PR Comment + Status Check

Zero CI/CD Config

No YAML, no pipelines, no Docker setup. Connect your account and scanning begins on the next push.

Ephemeral Cloning

Source code is cloned to a temp directory and deleted immediately after scanning. Nothing persists.

Commit Status Gates

Block merges when critical or high findings are detected. Configurable fail-on threshold per repo.

AI Triage on Every Scan

Every finding is automatically verified by AI. True positives, false positives, and suggested fixes — right in the PR comment.

Self-Hosted Support

Works with GitHub Enterprise, self-hosted GitLab, and Bitbucket Data Center. Not just cloud.

Org-Wide Policies

Cloud-managed rules apply to every managed scan. Enforce security policy across all repos from one place.

CVE Watch

New CVE Drops. You Know Instantly.

Vygl continuously monitors every package in your SBOM against new vulnerability disclosures. When a CVE hits a dependency you ship — your team knows before it's exploited.

24/7 Continuous Monitoring
Daily Scan Cycles

SBOM-Aware

Every dependency from your scans is automatically tracked against live CVE feeds. No manual package lists.

Instant Notifications

Slack, email, or webhook alerts fire as soon as a new CVE matches a package in your SBOM.

Upgrade Guidance

Every alert includes the affected version range, CVSS score, and recommended fix version.

CVE Alerts (Live)

  • Critical: CVE-2026-31245 (2 min ago). Remote Code Execution in jsonwebtoken; jsonwebtoken <9.0.2; 3 projects affected. Notified.
  • High: CVE-2026-28891 (6 hours ago). Prototype Pollution in lodash.merge; lodash <4.17.22; 7 projects affected.
  • Medium: CVE-2026-27433 (1 day ago). ReDoS in semver range parsing; semver <7.5.5; 12 projects affected.
Integrations

Fits Into Your Workflow

Get notified where your team already works. Vygl integrates with the tools you use every day.

github.com/acme/acme-api/pull/247 (Open)

feat: add user preferences API endpoint

feature/user-prefs → main · Conversation (3) · Files changed (4)

vygl-bot (bot) commented 2 minutes ago:

Vygl Scan Results

acme-api — feature/user-prefs | SAST, SCA, SECRETS, IAC

47 findings — 2 critical | 8 high | 12 medium | 3 low
5 new | 42 recurring

New Findings (5)

Severity   Type      Finding                                          File
CRITICAL   SCA       Log4Shell CVE-2021-44228 in log4j-core@2.14.1    pom.xml
CRITICAL   SAST      SQL Injection via string concatenation           backend/views/users.py
HIGH       SECRETS   Hardcoded API key                                config/settings.py
HIGH       SAST      Command Injection via os.system()                backend/utils/deploy.py
MEDIUM     SCA       CVE-2019-12384 in jackson-databind@2.9.8         pom.xml

Recurring Findings (42) — ...and 42 more

AI Triage Summary

  • True Positive: Log4Shell — JNDI lookup enabled, log4j-core 2.14.1 is exploitable. Upgrade to 2.21+.
  • True Positive: SQL Injection — user-controlled input flows directly into a raw SQL query without parameterization.
  • Likely FP: Command Injection — input is validated through an allowlist; os.system() receives only predefined commands.

Posted by Vygl — security scanning with AI-powered triage

GitHub PRs · GitLab MRs · Never blocks CI

Available

Slack

Available

Real-time scan results with severity breakdowns, new vs recurring findings, AI verdicts, and clickable links to every finding.

  • Scan completion summaries
  • Critical & high finding alerts
  • Direct links to findings
  • Test notifications

Microsoft Teams

Coming Soon

Get scan notifications and finding alerts delivered directly to your Teams channels.

Custom Webhooks

Coming Soon

Send scan events to any HTTP endpoint. Build custom integrations with your internal tools and workflows.

AI IDE Integration

Your Security Data, Inside Your IDE

Query findings, verify issues, and check project health — directly from Claude Code, Codex, OpenCode, Cursor, or any MCP-compatible IDE. Zero context switching.

Claude Code session in ~/projects/acme-api (codex-1, full-auto)

Session: Model Claude Sonnet · Provider Anthropic · Context 34k / 100k · Files users.py, models.py, pom.xml, main.tf · Tools 4 available

users.py (open in editor)

38 @login_required
39 @require_GET
40 def search_users(request):
41     """Search users."""
42     query = request.GET.get("q")
43     users = User.objects.raw(
44         f"...%{query}%'"
45     )
46     results = [{"id": u.id}
47                for u in users]
48     return JsonResponse(..)

AI Chat (MCP)

Works with any MCP-compatible IDE: Claude Code · Codex · OpenCode · Cursor · Windsurf · Any MCP Client

Ready to Secure Your Code?

Access is currently invitation-only. Request an invite and we'll get you set up.
