Skip to main content

Authenticating the CLI in CI

Push scan results from automated pipelines without an interactive browser by using a DSN token, so vg push works headlessly in CI.

Vibgrate Docs

Vibgrate Help

This guide explains how to authenticate uploads from automated pipelines where an interactive browser login is not available. It is for CI maintainers who want scan results in Vibgrate Cloud.

Overview

The interactive vg login browser flow is ideal on a developer's machine but does not work in headless CI. For pipelines, authenticate uploads with a DSN token instead. A DSN is an HMAC-signed token that authenticates dashboard uploads, which lets vg push run without a browser.

Create a DSN

Generate a DSN with the CLI:

vg dsn create

Store the resulting token as a secret in your CI provider. Never commit a DSN to the repository or paste it into logs.

Use the DSN in a scan

Provide the token to the scan via the --dsn flag, reading it from your CI secret store. For example, referencing a secret environment variable:

vg scan --push --dsn "$VIBGRATE_DSN"

This scans the current directory and uploads the results to Vibgrate Cloud in one step, authenticated by the DSN.

Keep secrets safe

  • Inject the DSN through your CI provider's secret mechanism, not in plain text.
  • Rotate the DSN if you suspect it has been exposed by generating a new one.
  • Limit who can read the secret to the jobs that actually push.

Related

See the vg login article for interactive use, the dsn create command page for token details, the CI integration guides, and the auth troubleshooting article.

Related Commands