Scan with a configuration file

Last updated: Mar 16, 2026

The most flexible way to run any of Fluid Attacks’ scanners is with a YAML configuration file.

Here is a simple example showing the recommended configuration of the SAST CLI:


namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN
sast:
  include:
    - .
  exclude:
    - glob(**/node_modules/**)
    - glob(**/test/**)

When learning to use the scanners with configuration files, pay close attention to the available keys and the manner of including/excluding paths, so that you utilize the scanners’ full capabilities.

Common configuration file keys

There are some common keys that apply to all of Fluid Attacks’ scanners. Here is a breakdown of what each key in the configuration file represents.

All keys are optional, so you can customize scans to your needs. Therefore, the tool should function correctly even if some keys are missing from the configuration file.

namespace

namespace indicates a name for the analysis, typically the name of the repository being analyzed. For example:


namespace: my_app

working_dir

working_dir indicates the path to the repository you want to analyze. If configuring paths in the apk, sast, or sca keys, write such paths relative to this directory. For example:


working_dir: /absolute/path/to/directory

commit

Use commit to include the current commit SHA of the repository you want to analyze, only if you require it in the SARIF results file. For example:


commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38

The tool does not take this commit SHA into account when analyzing your repository, i.e., all analyses are executed on the latest commit regardless of this key.

language

language indicates the language for the vulnerability report. Valid values are EN (English) and ES (Spanish). The default value is EN if not specified. For example:


language: ES

output

output indicates where scan results are stored and in what format. By default, vulnerability reports are displayed in the terminal. You can use these options:

file_path: Defines the output file location
format: Defines the output format, which can be CSV (comma-separated values) or SARIF (Static Analysis Results Interchange Format)

For example:


output:
  - file_path: relative/path/to/file
  - format: CSV

Read “Understanding outputs ” for more details.

checks

checks specifies which weaknesses to look for. See the documentation of weaknesses in Fluid Attacks’ classification, which includes detailed descriptions, to make your choice. If this key is not present, the target is checked for all vulnerabilities. This is generally recommended to ensure comprehensive scans.

The following is an example for checking against F050 (Guessed weak credentials ) and F277 (Weak credential policy - Password Expiration ):


checks:
  - F050
  - F277

strict

strict configures the scan to run in strict mode, failing the execution (breaking the build ) if any vulnerabilities are found (with an exit code 1). Ideal for using the scanner as a CI/CD job . Enable strict mode as follows:


strict: true

Next, see the section specific to each scanner to know what other keys are supported in each case:

Have a question about the scanner or encountered a problem? Read “Scanner FAQ ”.

Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .