Local Scripts
Local scripts are useful during development when you want to run workers, execute a specific scan or ingest job, run migrations, or test Codex container behavior without deploying to AWS.
Scan worker
python scripts/run-scan-worker.py
Starts the long-running scan worker process. Required when VEGA_SCAN_EXECUTION_MODE=external (the API queues scans but doesn't run them). The worker:
- Sends heartbeats to track liveness
- Runs
ReconcileScansUseCaseto recover stale scans (stuckrunningscans where the runner crashed) - Runs
RunQueuedScanUseCaseto claim and execute the next queued scan — either locally or by launching an ECS task
When to use: any time you want to test the scan pipeline in a realistic multi-process setup.
Scan runner (run one scan manually)
python scripts/run-scan-runner.py <scan_id>
# or
VEGA_SCAN_ID=<scan_id> python scripts/run-scan-runner.py
Runs a single already-queued scan directly, mimicking exactly what the ECS runner task does. The most direct way to debug scan execution without spinning up AWS infrastructure.
The --phase flag controls which phase to run:
| Flag | Default | Description |
|---|---|---|
--phase scan |
✓ | Full scan (plan + audit) |
--phase plan |
Planning step only | |
--phase audit |
Audit step for a specific set of components | |
--phase verify |
Verification step for a batch of findings |
# Run the full scan flow
python scripts/run-scan-runner.py abc123 --phase scan
# Run a verification phase manually (matches what ECS does)
python scripts/run-scan-runner.py abc123 \
--phase verify \
--finding-ids finding_1,finding_2
The --finding-ids argument (comma-separated, also via VEGA_ASSIGNED_FINDING_IDS env var) seeds the verification phase with specific finding IDs to verify.
When to use: when you have a specific failing scan or verification phase and want to debug its execution with local logging.
Repository ingest worker
python scripts/run-repo-ingest-worker.py
Starts the long-running repository ingest worker process. Required when VEGA_REPO_INGEST_EXECUTION_MODE=sqs (the API queues ingest jobs but doesn't run them). The worker:
- Sends heartbeats
- Runs
ReconcileRepositoryIngestUseCaseto recover stale ingest jobs - Runs
RunQueuedRepositoryIngestUseCaseto claim and execute the next queued ingest job
When to use: when testing the full ingest pipeline in a multi-process setup.
Repository ingest runner (run one ingest manually)
python scripts/run-repo-ingest-runner.py <ingest_job_id>
# or
VEGA_INGEST_JOB_ID=<ingest_job_id> python scripts/run-repo-ingest-runner.py
Runs a single already-queued ingest job directly, mimicking what the ECS ingest runner task does. Downloads or clones source, creates a SourceSnapshot, and transitions the repository to ready.
When to use: when debugging a failing repository ingest without AWS infrastructure.
Repository ingest dispatcher
python scripts/run-repo-ingest-dispatcher.py
A utility that dispatches ingest jobs for repositories that are in a state requiring re-ingest. Useful for bulk operations or recovering from a failed batch.
Database migrations
python scripts/run-db-migrations.py
Applies any pending SQL migrations to the Postgres database configured in VEGA_DATABASE_URL. Safe to run multiple times — it skips migrations that have already been applied.
When to use: after pulling code that contains new migration files, or after switching to a fresh Postgres database.
Maintenance jobs
python scripts/run-maintenance.py
# or for a single run
python scripts/run-maintenance.py --once
Runs maintenance tasks: stale scan reconciliation, cleanup of expired planning artifacts, old session removal, and orphaned record cleanup. Use --once to run all jobs and exit.
When to use: when you want to clean up local state or test that maintenance logic works correctly.
Build Codex runner image
scripts/build-codex-runner-image.sh
Builds the vega-codex-runner:latest Docker image from docker/codex-runner/Dockerfile. This image is used by scripts/codex-in-target-container.sh to run Codex in an isolated Docker sandbox during local scans.
Required before running scans locally if VEGA_CORE_CODEX_BIN is set to the default container script (which it is by default).
When to use: first-time setup, or after changes to docker/codex-runner/Dockerfile.
AWS helper scripts (scripts/aws/)
| Script | Purpose |
|---|---|
build-and-push-images.sh |
Build Docker images for linux/amd64 and push to ECR |
terraform-plan.sh |
Run terraform plan for an environment |
terraform-apply.sh |
Run terraform apply for an environment |
deploy.sh |
Force-update ECS services to pick up new images |
run-migrations.sh |
Run database migrations via the maintenance ECS task |
smoke-test.sh |
Run the smoke test against the deployed API |