0 filters active
Skip to Content
logo
  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Platform sections and header items
        • Sign-up and login authentication
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • Examine the evidence of exploitability
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Access recent downloads
        • Check your compliance with standards
        • View analytics common to orgs, groups and portfolios
        • Download a report of detected vulnerabilities
        • View analytics for the group level only
        • View analytics for the portfolio level only
        • Use analytics charts options
        • View and download logs
        • Accept vulnerabilities
        • Manage fix prioritization policies
        • Manage security gates
        • Prevent the deployment of builds with vulnerabilities
        • View details of the security of your builds
        • Enable and disable notifications
        • Explore the user menu
        • Leave group
        • Subscribe to news
      • Manage repositories
      • See vulnerabilities
        • CVSS score adjustment
        • Find reachable dependency vulnerabilities
        • Vulnerability signature update
        • What is SCA?
        • Contribute to enhancing the scanners
        • Fluid Attacks' scanners
        • Know and reproduce the scanner’s OWASP Benchmark results
        • APK scanner configuration file
        • DAST scanner configuration file
        • SAST scanner configuration file
        • SCA scanner configuration file
        • Scan with a configuration file
        • Exclude findings from scan reports
        • Run scans locally
        • Understand the scanner output
        • Use standalone scanners
        • Use the scanners in CI/CD
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
      • Accuracy SLA
      • Availability SLA
      • False negatives
      • False positives
      • Response SLA
      • Scope
      • Service-level agreement summary
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
    • Machine
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dryrun Security
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 
  • Home
  • Quick start
    • FAQ
      • Billing
      • Integrations
      • Platform
      • Scanner
      • Ask our pentesters to explain a vulnerability
      • Fix code with gen AI from the IDE
      • See safe dependency versions
      • Import repositories to test
      • Invite team members to sign up
      • Billing for the Advanced plan
      • Continuous Hacking free trial, plans and pricing
      • Continuous Hacking methodology
      • Continuous Hacking PoV
      • CVSSF metric
      • Glossary
      • Main website
      • Platform demo
      • Tutorial videos
      • What is DAST?
      • What is SAST?
      • Assign vulnerability remediation to a team member
      • See details of the reported security vulnerabilities
    • Sign up to Fluid Attacks
      • Break the build
      • Install CI Gate to break the build
      • Verify whether a fix was successful
  • Find and fix
    • Use the platform
        • Platform sections and header items
        • Sign-up and login authentication
        • Create and delete groups
        • Create another organization
        • Know your Groups section
        • Manage a group's configuration
        • Register payment information
        • See the target of evaluation's status and SBOM
        • Sort groups into portfolios
        • Invite contributing developers
        • Manage members
        • Manage your organization's authors
        • Understand roles
        • Import repositories fast and safely with OAuth
        • Manage environments
        • Manage repositories
        • Manage your credentials
        • Resolve events impeding tests
        • See retrieved repositories not yet added to any group
        • Analyze your supply chain security
        • Assign treatments
        • Correlate your threat model to vulnerabilities
        • Examine the evidence of exploitability
        • Request a vulnerability be dismissed as Zero Risk
        • See vulnerabilities assigned to you
        • See where vulnerabilities are and more details
        • Verify fixes with reattacks
        • Ask the AI Agent
        • Ask via chat
        • Post comments
        • Send Fluid Attacks an email
        • Talk to a Pentester
        • Watch certifiable tutorial videos or get a demo
        • Access recent downloads
        • Check your compliance with standards
        • View analytics common to orgs, groups and portfolios
        • Download a report of detected vulnerabilities
        • View analytics for the group level only
        • View analytics for the portfolio level only
        • Use analytics charts options
        • View and download logs
        • Accept vulnerabilities
        • Manage fix prioritization policies
        • Manage security gates
        • Prevent the deployment of builds with vulnerabilities
        • View details of the security of your builds
        • Enable and disable notifications
        • Explore the user menu
        • Leave group
        • Subscribe to news
      • Manage repositories
      • See vulnerabilities
        • CVSS score adjustment
        • Find reachable dependency vulnerabilities
        • Vulnerability signature update
        • What is SCA?
        • Contribute to enhancing the scanners
        • Fluid Attacks' scanners
        • Know and reproduce the scanner’s OWASP Benchmark results
        • APK scanner configuration file
        • DAST scanner configuration file
        • SAST scanner configuration file
        • SCA scanner configuration file
        • Scan with a configuration file
        • Exclude findings from scan reports
        • Run scans locally
        • Understand the scanner output
        • Use standalone scanners
        • Use the scanners in CI/CD
      • Automatic remediation
      • Custom remediation guides
      • Introduction to Sorts
      • Sorts user guide
      • Connection mechanisms
      • Cloud connection
      • Egress connection
      • Connector connection
      • Types of authentication
      • AWS CodeCommit
      • Accuracy SLA
      • Availability SLA
      • False negatives
      • False positives
      • Response SLA
      • Scope
      • Service-level agreement summary
      • Changelog
        • 2023
        • 2024
        • 2025
        • 2026
      • Roadmap
      • AI functions
      • Attack surfaces
      • Binaries
      • Browsers
      • CI/CD
      • Clouds
      • CVEs for reachability
      • Evidence formats
      • Frameworks
      • IDE functionalities
      • Languages
      • Languages for fixes
      • Package managers
      • Remediation
      • SCM systems
      • Secrets
      • Standards
      • Ticketing systems
      • Documentation sections
    • Machine
  • Integrations
      • Local tools
      • Access Talk to a Pentester and help from Jira issues
      • Automate Jira issue creation
      • Create Jira issues for vulnerabilities
      • Go to vulnerability evidence and more from Jira issues
      • Install the Fluid Attacks app for Jira Cloud
      • Link vulnerabilities to Jira issues or unlink them
      • Request reattacks from Jira issues
      • Set up the Jira integration
      • Set up the Azure DevOps integration
      • Set up the GitLab integration
      • Install the VS Code extension
      • View vulnerable lines, use fix options and more
      • VS Code extension error and solution catalog
      • Identify and address vulnerabilities from IntelliJ
      • Install the IntelliJ plugin
      • Identify and address vulnerabilities from Cursor
      • Install the Cursor extension
      • AWS Marketplace integration
    • MCP server
      • Installation
      • Capabilities and use cases
      • Docker installation
      • Excluding files from analysis
      • Integrate with Azure DevOps Peer Reviewer Assistant
      • Integrate with GitLab Peer Reviewer Assistant
      • Troubleshooting
      • Introduction
      • Use the API
      • Learn the basics of the Fluid Attacks API
      • Things to know before using the API
  • Stack
      • Bash
      • Python
      • Terraform
      • TypeScript
      • Ariadne
      • Commitlint
      • D3
      • Docker
      • ESLint
      • GraphQL
      • Hypercorn
      • Kubernetes
      • Labels
      • Mypy
      • Nix Flakes
      • Platform audit logs
      • Platform authentication
      • Platform authorization
      • Pydantic AI
      • React
      • Ruff
      • Sops
      • Starlette
      • Tree-sitter
      • Visual Studio Code
      • AWS
      • Batch
      • Bedrock
      • BigCodeBench
      • BugSnag
      • Checkly
      • Claude 3.5 Sonnet
      • Cloudflare
      • CloudWatch
      • Cost Management
      • Datadog
      • dbt
      • DynamoDB
      • EBS
      • EC2
      • EKS
      • ELB
      • Engineering metrics
      • ePayco
      • EventBridge
      • GitLab
      • GitLab CI
      • Google Workspace
      • IAM
      • Jamf
      • KMS
      • Lambda
      • LogRocket
      • Okta
      • OpenAI
      • OpenSearch
      • Organizations
      • QuickSight
      • S3
      • SageMaker
      • Snowflake
      • Statuspage
      • Step Functions
      • Stripe
      • Treli
      • Ubiquiti
      • Vanta
      • Voyage AI
      • VPC
      • VPN
      • Zoho One
      • Zoho Sign
    • Pentesting tools
  • Compliance
    • Authentication
      • Clients
      • Password policies
      • Staff
    • Authorization
      • Access revocation
      • Clients
      • Employee termination
      • Endpoints
      • Secret rotation
      • Sessions
      • Staff
    • Availability
      • Distributed apps
      • Distributed firewall
      • Everything backed up
      • Multiple zones
      • Recovery objective
    • Confidentiality
      • Device (re)enrolling
      • Direct hiring
      • Encryption at rest
      • Encryption in transit
      • No personal gain
      • Personnel NDA
      • Secure deletion
    • Integrity
      • Applicant evaluation
      • Awareness
      • Certification Hub
      • Certified cloud provider
      • Certified security analysts
      • Comprehensive reporting
      • Developing for integrity
      • Monitoring
      • Production data isolation
      • Secure emails
      • SLSA compliance
      • Standard timezone
      • Static website
      • Training plan
    • Non-repudiation
      • Everything as code
      • Extensive logs
    • Privacy
      • Data privacy policy
      • Data retention policy
      • Data use policy
      • Email obfuscation
      • Time tracking
      • Manual for the NDR
      • OTR messaging
      • Polygraph tests
      • Project pseudonymization
      • Data transmission
      • Unsubscribe email
      • Use of cookies
    • Resilience
      • Continuity and recovery
      • Equipment and telecommuting
      • Everything is decentralized
      • Redundant roles
    • Transparency
      • Complaint management
      • Data leakage policy
      • Ethics hotline
      • Help channel
      • Incident management
      • Information security responsibility
      • Open source
      • Quality policy
      • Status page
      • Testing our technology
      • Vulnerability releasing
  • Compare
    • 42Crunch
    • 7 Way Security
    • Aikido
    • Anvil Secure
    • Apiiro
    • AppCheck
    • Appdome
    • Appknox
    • Aqua
    • ArmorCode
    • Arnica
    • Astra
    • Base4
    • Bishop Fox
    • Black Duck
    • Black Hills
    • Breachlock
    • Bright Security
    • Burp Suite
    • Checkmarx
    • CloudGuard
    • Cobalt
    • Codacy
    • Conviso
    • Cure53
    • Cycode
    • Cyver
    • Data Theorem
    • DataDog
    • DeepSource
    • DefectDojo
    • Detectify
    • Devel
    • Dryrun Security
    • Dynatrace
    • Edgescan
    • Endor Labs
    • Escape
    • Evolve Security
    • Faraday Security
    • FortiDevSec
    • Fortify
    • GitHub Advanced Security (GHAS)
    • GitLab Ultimate
    • GuardRails
    • HackerOne
    • Hackmetrix
    • Hadrian
    • HCL AppScan
    • Heeler
    • Hopper Security
    • ImmuniWeb
    • Inspectiv
    • Intigriti
    • Intruder
    • Invicti
    • JFrog
    • Jit
    • Kiuwan
    • Legit Security
    • Mandiant
    • Mend
    • Mindgard
    • Moderne
    • NetSPI
    • NowSecure
    • Nucleus Security
    • Oligo Security
    • Orca Security
    • Oversecured
    • OX Security
    • Phoenix Security
    • PlexTrac
    • Praetorian
    • Prancer
    • Prisma Cloud
    • Probely
    • Prowler
    • ReversingLabs
    • RunSybil
    • Safety
    • Securitum
    • Seemplicity
    • Semgrep
    • Snyk
    • Socket
    • SonarQube
    • Sonatype
    • SOOS
    • StackHawk
    • Strike
    • Synacktiv
    • Tenable Nessus
    • ThreatModeler
    • Veracode
    • White Jaguars
    • Wiz
    • Xygeni
    • ZAP
    • ZeroPath
  • Log in to the platform 

On This Page

  • CLI structure
  • Repo mode
  • CI mode
  • Repository path
  • Use the tool as a standalone app
  • Use the tool in your CI/CD pipeline
  • GitHub
  • GitLab
  • Travis
  • Specifications for using the CI/CD mode
  • Use the tool as a Docker container
Find and fixPrioritize filesSorts user guide

Sorts user guide

This document guides you through configuring and using Sorts, Fluid Attacks’ tool to assess the vulnerability probability of files in code repositories.

CLI structure

The Sorts command-line interface (CLI) follows this structure:

sorts [OPTIONS] REPOSITORY_PATH

The available options allow you to analyze repositories or commits and customize the output format.

Repo mode

Repo mode analyzes a single repository and generates a file describing the vulnerability probability of each file. To use Repo mode, employ the --mode flag with the repo argument.

Example:

m gitlab:fluidattacks/universe@trunk /sorts --mode repo path/to/repository

In Repo mode, you can specify the output file format using the --out option. The available formats are JSON (default) and CSV.

CI mode

CI mode integrates Sorts into your CI/CD pipeline. It is specifically designed for the phase where users need approval to merge their commits, where Sorts checks the mean risk of a commit and adjusts the required approvers based on a configuration file. To use CI mode, employ the --mode flag with the ci argument.

Example:

m gitlab:fluidattacks/universe@trunk /sorts --mode ci platform/path/to/repository

CI mode requires a YAML configuration file to define how Sorts handles commits. By default, Sorts looks for sorts_config.yaml in your repository’s root directory. You can specify a different file path using the --config flag.

For more detailed information on using CI mode, refer to Use the tool in your CI/CD pipeline .

At the moment, CI mode can only be used on the GitLab platform.

Repository path

Both Repo and CI modes require the absolute path to your repository. This can be a local path or the platform-specific path used in your CI/CD pipeline.

Use the tool as a standalone app

  1. Make sure you have the following tools installed in your system:

    • Nix 
    • Makes 

  2. Use Sorts as follows:

    m gitlab:fluidattacks/universe@trunk /sorts

    You can then use the --help flag to learn more about what Sorts can do for you.

    The main Sorts function is analyzing a repository and outputting a file with the names and corresponding probabilities of such files being vulnerable. This can be done with the following command:

    m gitlab:fluidattacks/universe@trunk /sorts /path/to/repository

  3. Optionally, specify which type of output you want by using the --out flag.

    Upon completing the analysis, Sorts generates an output file (JSON or CSV) containing the names of all files in the repository and their corresponding vulnerability probabilities.

Use the tool in your CI/CD pipeline

You can find a Makes container in the container registry , which you can use to run Sorts on any service that supports containers, including most CI/CD providers and then use its results to trigger any action you deem appropriate. Read on to learn how to use it with different CI/CD providers.

GitHub

# .github/workflows/dev.yml
name: Makes CI
on: [push, pull_request]
jobs:
   sorts:
      runs-on: ubuntu-latest
      steps:
         - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
         - uses: docker://ghcr.io/fluidattacks/makes:latest
         name: sorts
         with:
            args: m gitlab:fluidattacks/universe@trunk /sorts /platform/path/to/repository

GitLab

# .gitlab-ci.yml
/sorts:
  image: ghcr.io/fluidattacks/makes:latest
  script:
    - m gitlab:fluidattacks/universe@trunk /sorts /platform/path/to/repository

Sorts includes a built-in function, currently only on GitLab, that you can use in your merge request pipeline to assign more approvers when the mean risk associated with the commit exceeds a specified value. Learn more about this in the Specifications on using the CI/CD mode .

Travis

# .travis.yml
os: linux
language: nix
nix: 2.3.12
install: nix-env -if https://github.com/fluidattacks/makes/archive/23.06.tar.gz
jobs:
  include:
    - script: m gitlab:fluidattacks/universe@trunk /sorts /platform/path/to/repository

Specifications for using the CI/CD mode

Sorts’ CI/CD mode analyzes a commit that is pushed to a repository and checks what the probabilities are for the files that are in the commit to be vulnerable. Based on the mean vulnerability probability of all the files in the commit, Sorts can update the rules for allowing the commit to be merged within the main branch in order to give more risky files the attention the user deems necessary.

To use this mode correctly, you need a configuration file to specify Sorts’ behavior. By default, Sorts looks for a file called sorts_config.yaml located in the root of your repository. However, you can also specify the file path by using the --config flag. The file needs to be written in YAML format. The following is an example of a valid configuration file:

ci:
  enable: true
  max_risk: 70
  platform: gitlab
  required_approvals: 2
  approvers: ["user-1", "user-2"]
  token: ENV_VAR_CONTAINING_API_TOKEN

Here is the function of each parameter:

  • enable: Enables or disables Sorts in your pipeline
  • max_risk: The upper threshold for the commit’s mean risk before additional approvers are required
  • platform: Your development platform (currently, only gitlab is supported)
  • required_approvals: The number of approvals needed when a commit’s risk exceeds max_risk
  • approvers: A list of users who can approve high-risk commits (leave empty to allow any developer to approve)
  • token: An environment variable containing an API token for Sorts to modify approval rules

Make sure you don’t write the token directly in the configuration file; this would be an exposure of sensitive information in your source code. Sorts only works by using the name of the environment variable that contains the token, not the token itself.

After creating the configuration file correctly and placing it in your repository, you can use Fluid Attacks’ Makes container and Sorts CI mode in your pipeline. See the following example for GitLab:

# .gitlab-ci.yml
/sorts:
  image: ghcr.io/fluidattacks/makes:latest
  script:
    - m gitlab:fluidattacks/universe@trunk /sorts /platform/path/to/repository

When a merge request is created, Sorts automatically adjusts the required approvals based on the commit’s risk and your configuration.

Use the tool as a Docker container

To use Sorts as a container, you only need to have Docker installed and then use this command:

docker run -v <path/to/repository>:repo/<repository> ghcr.io/fluidattacks/makes:latest m gitlab:fluidattacks/universe@trunk /sorts /repo/<repository>

Replace <path/to/repository> with the absolute path to your repository and <repository> with the repository’s name.

This command downloads the necessary image, mounts your repository, runs Sorts, and generates an output file (JSON or CSV).

Last updated on February 19, 2026
Introduction to SortsConnection mechanisms
Fluid Attacks 2026. All rights reserved.