This guide explains how to authenticate uploads from automated pipelines where an interactive browser login is not available. It is for CI maintainers who want scan results in Vibgrate Cloud.
Overview
The interactive vg login browser flow is ideal on a developer's machine but does not work in headless CI. For pipelines, authenticate uploads with a DSN token instead. A DSN is an HMAC-signed token that authenticates dashboard uploads, which lets vg push run without a browser.
Create a DSN
Generate a DSN with the CLI:
vg dsn create
Store the resulting token as a secret in your CI provider. Never commit a DSN to the repository or paste it into logs.
Use the DSN in a scan
Provide the token to the scan via the --dsn flag, reading it from your CI secret store. For example, referencing a secret environment variable:
vg scan --push --dsn "$VIBGRATE_DSN"
This scans the current directory and uploads the results to Vibgrate Cloud in one step, authenticated by the DSN.
Keep secrets safe
- Inject the DSN through your CI provider's secret mechanism, not in plain text.
- Rotate the DSN if you suspect it has been exposed by generating a new one.
- Limit who can read the secret to the jobs that actually push.
Related
See the vg login article for interactive use, the dsn create command page for token details, the CI integration guides, and the auth troubleshooting article.