Vygl is an AI-native ASPM (Application Security Posture Management) platform that combines six scan engines — SAST (OpenGrep), SCA (OSV), Malicious Package Detection (GuardDog), Secrets Detection (Gitleaks), IaC Scanning (Checkov), and Container Scanning — with AI-powered triage. It helps development teams find vulnerabilities across code, dependencies, malicious packages, secrets, infrastructure, and container images, then uses AI to identify false positives and suggest fixes.

What types of vulnerabilities does Vygl detect?

Vygl detects SQL injection, XSS, command injection, path traversal, and SSRF in source code (SAST); known CVEs in dependencies like Log4Shell and Spring4Shell (SCA); malicious packages — typosquats, install-script backdoors, obfuscated payloads, and compromised maintainer releases across npm, PyPI, Go, and RubyGems (Malicious Package Detection); hardcoded API keys, database credentials, JWT secrets, and private keys using 600+ patterns (Secrets); infrastructure misconfigurations like public S3 buckets and unrestricted security groups in Terraform, Kubernetes, Docker, and CloudFormation (IaC); and vulnerable OS and application packages in built container images (Container Scanning).

How does Vygl's AI triage work?

Every finding from all scan engines is automatically reviewed by an LLM. The AI classifies each finding as a true or false positive, assigns a confidence score (high, medium, low), provides detailed reasoning, and suggests fixes for confirmed vulnerabilities. Teams can bring their own LLM provider or use Vygl's built-in provider.

Does Vygl access my source code?

No. Vygl runs scans in your environment as a Docker container. Only findings metadata is sent to the cloud dashboard — your source code never leaves your infrastructure. This privacy-first approach means your code stays yours.

What CI/CD pipelines does Vygl support?

Vygl runs as a Docker container and works with GitHub Actions, GitLab CI/CD, and any Docker-compatible pipeline. It can also run locally for development. With Managed Scans, Vygl scans every push to connected GitHub, GitLab, and Bitbucket repositories without any CI/CD configuration. By default, Vygl reports findings without blocking your pipeline, but you can configure blocking behavior through Policy as Code rules.

Does Vygl scan container images?

Yes. Vygl scans container images from the CLI (vygl scan --image) or by connecting your container registry for auto-scan on push. It finds vulnerable OS packages and application dependencies across every image layer, correlates container CVEs with your source-code SCA findings, and generates per-image AI security briefs with base-image upgrade advice and priority fixes.

Does Vygl detect malicious packages and supply-chain attacks?

Yes. Vygl's malicious package detection engine, powered by GuardDog, scans your dependencies for supply-chain attacks across npm, PyPI, Go, and RubyGems — including typosquats and confusable names, malicious install or postinstall scripts, obfuscated payloads, suspicious binary execution, exfiltration to attacker infrastructure, and compromised maintainer releases. This is separate from SCA: SCA finds known CVEs in legitimate packages, while malicious package detection finds packages that are intentionally hostile.

How is malicious package detection different from SCA?

SCA (Software Composition Analysis) matches your dependencies against the OSV database of known CVEs in legitimate open-source packages — vulnerabilities like Log4Shell where the maintainers wrote insecure code. Malicious package detection looks for packages that should never have been published in the first place: typosquatted packages mimicking popular libraries, install scripts that exfiltrate environment variables, obfuscated code, and releases pushed by compromised maintainer accounts. Both engines run on the same dependency manifests and both flow through Vygl's AI triage.

Which package ecosystems does Vygl scan for malware?

Vygl's GuardDog-powered malicious package detection covers npm (JavaScript/TypeScript), PyPI (Python), Go modules, and RubyGems — the registries most frequently targeted by supply-chain attackers.

Which container registries does Vygl integrate with?

Harbor and Amazon ECR are supported today with auto-scan on push via webhooks. Google Artifact Registry (GAR), Docker Hub, and GitHub Container Registry (GHCR) are coming soon. You can also scan any image directly from the CLI without a registry integration.

What are Vygl Managed Scans?

Managed Scans let you connect source repositories (GitHub, GitLab, Bitbucket) and container registries (Harbor, Amazon ECR) so Vygl scans every push and image automatically. Findings flow straight to your IDE agents via MCP, Slack, and the dashboard — no CI/CD pipeline configuration required. Policy as Code applies across every managed scan, so you enforce security policy once and it propagates everywhere.

Does Vygl support SSO?

Yes. Vygl supports Single Sign-On via Google, GitHub, GitLab, and Microsoft Entra ID (formerly Azure AD), letting teams sign in with their existing identity provider.

Vygl is free for open-source projects. Commercial access is currently invitation-only. You can request access by emailing access@vygl.io.

What scan engines does Vygl use?

Vygl uses six specialized engines: OpenGrep for SAST (static code analysis), OSV for SCA (dependency vulnerability scanning), GuardDog for malicious package detection (npm, PyPI, Go, RubyGems), Gitleaks for secrets detection (600+ patterns), Checkov for IaC scanning (Terraform, Kubernetes, Docker, CloudFormation), and container image scanning for OS and application package CVEs across every layer.

How does Vygl compare to other security scanning tools?

Vygl combines SAST, SCA, malicious package detection, secrets detection, IaC, and container image scanning in a single platform (vs running Semgrep, Snyk, GuardDog, TruffleHog, Checkov, and Trivy separately). It has AI triage built-in for automatic false positive identification, operates privacy-first with code staying in your environment, offers one-click AI Security Brief reports, and never blocks CI/CD by default.

What integrations does Vygl support?

Source repositories via Managed Scans: GitHub, GitLab, and Bitbucket (cloud). Container registries: Harbor and Amazon ECR today; Google Artifact Registry (GAR), Docker Hub, and GitHub Container Registry (GHCR) coming soon. Code review: GitHub PR comments and GitLab MR comments. Notifications: Slack and Microsoft Teams real-time alerts; custom webhooks coming soon. AI IDEs via MCP (Model Context Protocol): Claude Code, Cursor, and Windsurf. Identity: Single Sign-On with Google, GitHub, GitLab, and Microsoft Entra ID. Vygl also exports CycloneDX SBOMs and provides a cloud dashboard for centralized finding management.

What is Vygl's MCP integration?

Vygl provides an MCP (Model Context Protocol) server that lets developers query security findings, verify issues with AI triage, and check project health directly from AI-powered IDEs like Claude Code, Cursor, and Windsurf. Available MCP tools include search_findings, get_finding_detail, get_project_health, get_security_posture, list_projects, and ai_verify_finding.

What is Vygl's AI Security Brief?

The AI Security Brief is a one-click feature that generates a comprehensive AI-powered security report for your project. It analyzes all open findings across scan types and provides an executive summary, priority actions (critical issues to fix first), and quick wins (low-effort, high-impact fixes).

AI-NATIVE ASPM PLATFORM

Stop fixing
noise.

SAST OpenGrep

SCA OSV

Malware GuardDog

Secrets Gitleaks

IaC Checkov

Images OSV

AI verifies every finding, suggests fixes, and watches your SBOM for new CVEs — so your team only fixes what's actually real.

AI Triage·Suggested Fixes·AI Security Briefs·CVE Watch·Alerts to PRs, Slack & Teams·MCP for AI IDEs·Policy as Code

Request Access See how it works

Scan Engines

~70%

FPs Cleared

24/7

CVE Watch

worker/jobs/rebuild.py:6

SAST · OPENGREP

RULE python.lang.security.audit.subprocess-shell-true

1import subprocess

2from pathlib import Path

4def trigger_rebuild():

5 cmd = "git pull origin main && make build"

6 subprocess.run(cmd, shell=True, check=True)

Scanner ⚠ HIGH · COMMAND INJECTION

AI reviewing · taint sources · subprocess args · call sites

✓ FALSE POSITIVE · CLEARED CONF 94%

cmd is a local string literal with no user input. No tainted source reaches subprocess.run, and the rule fires on shell=True regardless of taint — safe to clear.

SUGGESTED · ALLOWLIST RULE

rule: python.lang.security.audit.subprocess-shell-true path: worker/jobs/rebuild.py

Verified 0.7s Qwen Coder · Local → Posted to PR #1284

services/billing/pom.xml:39

SCA · OSV-SCANNER

CVE CVE-2021-44228 · Log4Shell · org.apache.logging.log4j:log4j-core

36<dependency>

37 <groupId>org.apache.logging.log4j</groupId>

38 <artifactId>log4j-core</artifactId>

39 <version>2.14.1</version>

40 <scope>runtime</scope>

41</dependency>

Scanner ⚠ CRITICAL · RCE · CVSS 10.0

AI reviewing · reachability · logger config · advisory range

! CONFIRMED · REAL CONF 99%

2.14.1 falls inside the Log4Shell advisory range (< 2.17.1). Reachable via your logger config at billing/log4j2.xml — exploitable in production. Recommend immediate upgrade.

SUGGESTED FIX

Verified 1.1s Qwen Coder · Local → Slack #sec-alerts

tests/fixtures/seed.py:5

SECRETS · GITLEAKS

RULE gitleaks:aws-access-token · entropy 4.32

1import pytest

3@pytest.fixture

4def mock_s3_client(monkeypatch):

5 monkeypatch.setenv("AWS_ACCESS_KEY_ID", "AKIAIOSFODNN7EXAMPLE")

6 yield mock_s3()

Scanner ⚠ CRITICAL · HARDCODED AWS KEY

AI reviewing · key validity · file context · usage scope

✓ FALSE POSITIVE · CLEARED CONF 98%

Value matches AWS's documented example credential AKIAIOSFODNN7EXAMPLE — non-functional, used in their public docs. File is under tests/fixtures/ and only loaded by pytest. No production exposure.

SUGGESTED · ALLOWLIST PATTERN

rule: gitleaks:aws-access-token path: tests/fixtures/**

Verified 0.5s Qwen Coder · Local → Auto-suppressed

Every Layer of Your Stack, Covered

Six engines scan top to bottom — source code, dependencies, malicious packages, secrets, infrastructure, and the built image. AI verifies every finding underneath.

Source Code

SAST · OpenGrep

SQL injection XSS Command injection Path traversal SSRF Insecure deserialization

Dependencies

SCA · OSV

Log4Shell Spring4Shell CVE tracking CycloneDX SBOM 7+ ecosystems

Malicious Packages

Malware · GuardDog

Typosquats Install-script backdoors Obfuscated payloads Maintainer takeovers npm · PyPI · Go · RubyGems

Secrets

Secrets · Gitleaks

AWS keys DB credentials JWT secrets Private keys 600+ patterns

Infrastructure

IaC · Checkov

Public S3 buckets Open security groups Over-privileged IAM Terraform · K8s · CloudFormation

Container Images

Image · OSV

OS package CVEs App package CVEs Layer attribution Source ↔ image correlation

AI VERIFICATION LAYER

Every finding from every layer flows through AI triage. Confidence scored. False positives cleared. Fixes suggested.

✓ Cleared

! Real + fix

Connect Your Repos. Scanning Starts Automatically.

Connect any repo or registry. Vygl scans every push — findings flow to your IDE, Slack, and dashboard. No CI/CD config.

Source Code

GitHub

GitLab

Bitbucket

Container Registry

Harbor

Amazon ECR

Google Artifact Soon

Docker Hub Soon

Live Workloads

Kubernetes Soon

Vygl Scan Engine

SAST · SCA · Malware · Secrets · IaC · Container

AI triage on every finding

Delivered to

AI IDE Agents Claude · Cursor · Windsurf

Slack summary + report links

Microsoft Teams channel alerts + report links

PR / MR Comments inline findings + AI triage

Dashboard real-time posture updates

Zero CI/CD Config

No YAML, no pipelines, no Docker setup. Connect your account and scanning begins on the next push.

Ephemeral Cloning

Source code is cloned to a temp directory and deleted immediately after scanning. Nothing persists.

Org-Wide Policies

Cloud-managed rules apply to every managed scan. Enforce security policy across all repos from one place.

New CVE Drops. You Know Instantly.

Vygl monitors your SBOM against new CVE disclosures. When one hits a dependency you ship, your team knows before it's exploited.

24/7 Continuous Monitoring

4× Daily Scan Cycles

SBOM-Aware

Every dependency from your scans is automatically tracked against live CVE feeds. No manual package lists.

Instant Notifications

Slack, email, or webhook alerts fire as soon as a new CVE matches a package in your SBOM.

Upgrade Guidance

Every alert includes the affected version range, CVSS score, and recommended fix version.

CVE Alerts Live

Critical

CVE-2026-31245 2 min ago

Remote Code Execution in jsonwebtoken

jsonwebtoken <9.0.2 3 projects affected

Notified via

High

CVE-2026-28891 6 hours ago

Prototype Pollution in lodash.merge

lodash <4.17.22 7 projects affected

Medium

CVE-2026-27433 1 day ago

ReDoS in semver range parsing

semver <7.5.5 12 projects affected

AI-Powered Triage

AI reviews every finding with verdicts, confidence scores, and suggested fixes — so you spend less time on false positives.

app.vygl.io/findings/a3e7f…

High SAST Open

python.django.security.injection.sql-injection

User-controlled data is used in a raw SQL query, which could lead to SQL injection.

backend/views/users.py:42-44

35 from django.http import JsonResponse

36 from .models import User

38 @login_required

39 @require_GET

40 def search_users(request):

41 """Search users by name."""

42 query = request.GET.get("q")

43 users = User.objects.raw(

44 f"SELECT * FROM users WHERE name LIKE '%{query}%'"

45 )

46 results = [

47 {"id": u.id, "name": u.name}

48 for u in users

49 ]

50 return JsonResponse({"users": results})

AI Verification

AI-generated — verify manually before acting.

Analyze this finding with AI to determine if it's a true or false positive and get a suggested fix.

AI Security Brief

One click, full project report. AI analyzes every finding and surfaces actionable insights in seconds.

app.vygl.io/projects/acme-api

acme-api main

Findings Dependencies Security Brief Scans

Security Brief

Generate a comprehensive AI-powered security brief for this project. Analyzes all open findings across scan types.

Your Security Posture, at a Glance

Every finding in one dashboard. Track trends, triage, and manage posture across projects and branches.

app.vygl.io/dashboard

Open

293

MTTR

4.2h

Scan Success

94%

AI Cleared

Findings Over Time

StatusType

7D1M3M6M

New findings Resolved

AI Insights

Active

251 of 293 analyzed 86%

True Positive18964%

False Positive4716%

Uncertain155%

Pending4214%

Confidence 198 High 41 Med 12 Low

Top Rules

RuleSevTPFPCount

gitleaks.generic-api-keyHigh543387

sql-injection-fstringCrit21223

CVE-2021-44228Crit16016

s3-bucket-public-accessHigh8412

Your Security Data, Inside Your IDE

Query findings and verify issues from Claude Code, Cursor, or any MCP-compatible IDE — zero context switching.

Claude Code acme-api

~/projects/acme-api codex-1 full-auto

users.py

38 @login_required

39 @require_GET

40 def search_users(request):

41 """Search users."""

42 query = request.GET.get("q")

43 users = User.objects.raw(

44 f"...%{query}%'"

45 )

46 results = [{"id": u.id}

47 for u in users]

48 return JsonResponse(..)

AI Chat MCP

Works with any MCP-compatible IDE

Claude Code

Codex

OpenCode

Cursor

Windsurf

Any MCP Client

Fits Into Your Workflow

Vygl notifies your team in the tools they already use.

github.com/acme/acme-api/pull/247

feature/user-prefs main

Conversation 3 Files changed 4

vygl-bot bot commented 2 minutes ago

Vygl Scan Results

acme-api — feature/user-prefs | SAST, SCA, MALWARE, SECRETS, IAC

47 findings — 2 critical | 8 high | 12 medium | 3 low
5 new | 42 recurring

New Findings (5)

Severity	Type	Finding	File
CRITICAL	SCA	Log4Shell CVE-2021-44228 in log4j-core@2.14.1	`pom.xml`
CRITICAL	SAST	SQL Injection via string concatenation	`backend/views/users.py`
HIGH	SECRETS	Hardcoded API key	`config/settings.py`
HIGH	SAST	Command Injection via os.system()	`backend/utils/deploy.py`
MEDIUM	SCA	CVE-2019-12384 in jackson-databind@2.9.8	`pom.xml`

Recurring Findings (42) — ...and 42 more

AI Triage Summary

True Positive Log4Shell — JNDI lookup enabled, log4j-core 2.14.1 is exploitable. Upgrade to 2.21+.

True Positive SQL Injection — user-controlled input flows directly into raw SQL query without parameterization

Likely FP Command Injection — input is validated through allowlist, os.system() receives only predefined commands

View full scan results

Posted by Vygl — security scanning with AI-powered triage

GitHub PRs

GitLab MRs

Never blocks CI

Available

Slack

Available

Real-time scan results with severity breakdowns, new vs recurring findings, AI verdicts, and clickable links to every finding.

Scan completion summaries
Critical & high finding alerts
Direct links to findings
Test notifications

Microsoft Teams

Available

Get scan notifications and finding alerts delivered directly to your Teams channels.

Scan completion summaries
Critical & high finding alerts
Direct links to findings
Test notifications

Custom Webhooks

Coming Soon

Send scan events to any HTTP endpoint. Build custom integrations with your internal tools and workflows.

Stop fixing
noise.

Every Layer of Your Stack, Covered

Scan Images. See Every Layer.

CLI Scanning

Registry Integration

Source ↔ Container Correlation

Per-Image AI Analysis

Connect Your Repos. Scanning Starts Automatically.

Zero CI/CD Config

Ephemeral Cloning

Org-Wide Policies

New CVE Drops. You Know Instantly.

SBOM-Aware

Instant Notifications

Upgrade Guidance

AI-Powered Triage

python.django.security.injection.sql-injection

AI Security Brief

Security Brief

Your Models, Your Choice

Your Security Posture, at a Glance

Run Anywhere. Review Everything.

Your Security Data, Inside Your IDE

Fits Into Your Workflow

feat: add user preferences API endpoint

Vygl Scan Results

Slack

Microsoft Teams

Custom Webhooks

Ready to Secure Your Code?

Stop fixing noise.

Every Layer of Your Stack, Covered

Scan Images. See Every Layer.

CLI Scanning

Registry Integration

Source ↔ Container Correlation

Per-Image AI Analysis

Connect Your Repos. Scanning Starts Automatically.

Zero CI/CD Config

Ephemeral Cloning

Org-Wide Policies

New CVE Drops. You Know Instantly.

SBOM-Aware

Instant Notifications

Upgrade Guidance

AI-Powered Triage

python.django.security.injection.sql-injection

AI Security Brief

Security Brief

Your Models, Your Choice

Your Security Posture, at a Glance

Run Anywhere. Review Everything.

Your Security Data, Inside Your IDE

Fits Into Your Workflow

feat: add user preferences API endpoint

Vygl Scan Results

Slack

Microsoft Teams

Custom Webhooks

Ready to Secure Your Code?

Stop fixing
noise.