Authentication
Last updated: Jul 17, 2026
Authenticating a scan attributes every run to your Fluid Attacks group. Fluid Attacks' command-line scanners and the CI Gate authenticate with a CI Gate token, a credential scoped to your group. Supply it in one of two ways.
Authentication is currently optional and never blocks a scan, but a future release will require it. We recommend adopting it now so your runs are attributed to your group.
Two ways to supply it
| Way to supply it | Best for | What you store |
|---|---|---|
| Short-lived, via OpenID Connect | Any system that can mint OIDC tokens | Nothing — minted per job |
| Long-lived secret | Systems that cannot mint OIDC tokens | The CI Gate token, as a secret |
Short-lived, via OpenID Connect (recommended)
Your CI/CD provider mints a short-lived, signed token for each job,
your scan names its group with --group,
and Fluid Attacks verifies it against a trust you define once,
issuing your group's access for that run.
There is no secret to store or rotate.
Follow the OIDC federation guide to set it up.
Long-lived secret
Where OIDC is not available,
generate a long-lived CI Gate token and store it as a secret.
Generate it from your group's DevSecOps → Manage token flow
(see
CI Gate configuration),
then expose it to the scan as the INTEGRATES_API_TOKEN environment variable:
export INTEGRATES_API_TOKEN="<your-ci-gate-token>"
ss scan --strict .The token is used only to identify the caller; it is never printed or written to logs.
For scanners delivered as Docker containers, pass --group inside the docker run command and hand the token to the container as an environment variable
(-e INTEGRATES_OIDC_TOKEN or -e INTEGRATES_API_TOKEN).
Which should I use?
- Can your CI/CD system or runtime mint OpenID Connect tokens? GitHub Actions, GitLab CI, Azure DevOps, Kubernetes, and many others can. Prefer OIDC — it avoids storing a long-lived secret.
- If it cannot, store a long-lived CI Gate token.
Both authenticate the run to your group identically; they differ only in whether a long-lived secret is stored.
A separate personal API token authenticates you to the GraphQL API, not a scan — see API basics.
OWASP Benchmark results
Know about the Fluid Attacks scanner true positive rate of 100 on the OWASP Benchmark. A guide is included to reproduce the results in vulnerability detection.
OIDC federation
Set up token-less OpenID Connect (OIDC) federation so your CI/CD pipelines authenticate to Fluid Attacks without a stored secret.