Use a configuration file
Last updated: Apr 7, 2026
The most flexible way to run any of Fluid Attacks' scanners is with a YAML configuration file.
Here is a simple example showing the recommended configuration of the SAST CLI:
namespace: myapp
output:
file_path: ./Fluid-Attacks-Results.csv
format: CSV
working_dir: .
language: EN
sast:
include:
- .
exclude:
- glob(**/node_modules/**)
- glob(**/test/**)When learning to use the scanners with configuration files, pay close attention to the available keys and the manner of including/excluding paths, so that you utilize the scanners' full capabilities.
Common configuration file keys
There are some common keys that apply to all of Fluid Attacks' scanners. Here is a breakdown of what each key in the configuration file represents.
All keys are optional, so you can customize scans to your needs. Therefore, the tool should function correctly even if some keys are missing from the configuration file.
namespace
namespace indicates a name for the analysis,
typically the name of the repository being analyzed.
For example:
namespace: my_appworking_dir
working_dir indicates the path to the repository you want to analyze.
If configuring paths in the apk,
sast,
or sca
keys, write such paths relative to this directory.
For example:
working_dir: /absolute/path/to/directorycommit
Use commit to include the current commit SHA of the repository
you want to analyze,
only if you require it in the SARIF results file.
For example:
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38The tool does not take this commit SHA into account when analyzing your repository, i.e., all analyses are executed on the latest commit regardless of this key.
language
language indicates the language for the vulnerability report.
Valid values are EN (English) and ES (Spanish).
The default value is EN if not specified.
For example:
language: ESoutput
output indicates where scan results are stored and in what format.
By default,
vulnerability reports are displayed in the terminal.
You can use these options:
file_path: Defines the output file locationformat: Defines the output format, which can beCSV(comma-separated values) orSARIF(Static Analysis Results Interchange Format)
For example:
output:
- file_path: relative/path/to/file
- format: CSVRead "Understanding outputs" for more details.
checks
checks specifies which weaknesses to look for.
See the documentation of weaknesses
in Fluid Attacks' classification,
which includes detailed descriptions,
to make your choice.
If this key is not present,
the target is checked for all vulnerabilities.
This is generally recommended to ensure comprehensive scans.
The following is an example for checking against F050 (Guessed weak credentials) and F277 (Weak credential policy - Password Expiration):
checks:
- F050
- F277strict
strict configures the scan to run in strict mode,
failing the execution (breaking the build)
if any vulnerabilities are found (with an exit code 1).
Ideal for using the scanner as a CI/CD job.
Enable strict mode as follows:
strict: truestrictness_threshold
strictness_threshold is supported by the
SAST
and SCA scanners.
It sets a severity floor for pipeline gating.
When configured,
the scan exits with code 1 only if at least one vulnerability
is found at or above the specified severity level.
Valid values are none, low, medium, high, and critical.
strictness_threshold: highFor example,
setting strictness_threshold: high breaks the pipeline
only when a high or critical vulnerability is found,
while low and medium findings are still reported
but do not interrupt the execution.
strictness_threshold and strict are independent. If strict: true is set,
the pipeline breaks on any vulnerability regardless of severity. If only
strictness_threshold is set, the pipeline breaks only on vulnerabilities at
or above the configured severity level.
Next, see the section specific to each scanner to know what other keys are supported in each case:
Have a question about the scanner or encountered a problem? Read "Scanner FAQ".
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.