Use a configuration file
Last updated: Jun 25, 2026
The most flexible way to run any of Fluid Attacks' scanners is with a YAML configuration file.
Here is a simple example showing the recommended configuration of the SAST CLI:
namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN
sast:
  include:
    - .
  exclude:
    - glob(**/node_modules/**)
    - glob(**/test/**)

When learning to use the scanners with configuration files, pay close attention to the available keys and to how paths are included and excluded, so that you make full use of the scanners' capabilities.
Common configuration file keys
There are some common keys that apply to all of Fluid Attacks' scanners. Here is a breakdown of what each key in the configuration file represents.
All keys are optional, so you can customize scans to your needs. Therefore, the tool should function correctly even if some keys are missing from the configuration file.
namespace
namespace indicates a name for the analysis, typically the name of the repository being analyzed. For example:
namespace: my_app

working_dir
working_dir indicates the path to the repository you want to analyze. If you configure paths in the mast, sast, or sca keys, write them relative to this directory. For example:
working_dir: /absolute/path/to/directory

commit
Use commit to include the current commit SHA of the repository you want to analyze, only if you require it in the SARIF results file. For example:
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
The tool does not take this commit SHA into account when analyzing your repository, i.e., all analyses are executed on the latest commit regardless of this key.

language
language indicates the language for the vulnerability report. Valid values are EN (English) and ES (Spanish). The default value is EN if not specified. For example:
language: ES

output
output indicates where scan results are stored and in what format. By default, vulnerability reports are displayed in the terminal. You can use these options:
- file_path: Defines the output file location
- format: Defines the output format, which can be CSV (comma-separated values), SARIF (Static Analysis Results Interchange Format), or ALL (generates both CSV and SARIF simultaneously)
For example:
output:
  file_path: relative/path/to/file
  format: CSV
Read "Understanding outputs" for more details.

checks
checks specifies which weaknesses to look for. See the documentation of weaknesses in Fluid Attacks' classification, which includes detailed descriptions, to make your choice. If this key is not present, the target is checked for all vulnerabilities, which is generally recommended to ensure comprehensive scans.
The following is an example for checking against F050 (Guessed weak credentials) and F277 (Weak credential policy - Password Expiration):
checks:
  - F050
  - F277

tracing_opt_out
Set tracing_opt_out to true to prevent the scanner from sending anonymized telemetry to Fluid Attacks' servers. Defaults to false.
tracing_opt_out: true

strict
strict configures the scan to run in strict mode, failing the execution (breaking the build) with exit code 1 if any vulnerabilities are found. This is ideal for using the scanner as a CI/CD job. Enable strict mode as follows:
strict: true

strictness_threshold
strictness_threshold is supported by the SAST, SCA, and DAST scanners. It sets a severity floor for pipeline gating. When configured, the scan exits with code 1 only if at least one vulnerability is found at or above the specified severity level. Valid values are none, low, medium, high, and critical.
strictness_threshold: high
For example, setting strictness_threshold: high breaks the pipeline only when a high or critical vulnerability is found, while low and medium findings are still reported but do not interrupt the execution.
strictness_threshold and strict are independent. If strict: true is set, the pipeline breaks on any vulnerability regardless of severity. If only strictness_threshold is set, the pipeline breaks only on vulnerabilities at or above the configured severity level.

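The interaction between strict and strictness_threshold is the part of a CI gate that is easiest to get wrong, so here is an added example (not Fluid Attacks' code) that models the exit-code decision exactly as the rules above state it: strict: true exits 1 on any finding, strictness_threshold alone exits 1 only for findings at or above that severity, and with neither key findings are reported but the build is not broken. The Finding type, the severity assignments and the ordering of none below low are constructed for the model; the page does not say how a threshold of none is ranked.

```python
"""Model of how `strict` and `strictness_threshold` turn findings into an exit code.

Added example, not Fluid Attacks' code. Assumption: `none` is the lowest rank,
so with strictness_threshold: none every finding is at or above the floor.
"""
from dataclasses import dataclass

# Ordered severity scale accepted by strictness_threshold.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    check: str      # weakness id, e.g. "F050"
    severity: str   # one of the keys of SEVERITY_RANK


def gate_exit_code(config: dict, findings: list) -> int:
    """Return the exit code the scanner would use for this config and result set."""
    strict = bool(config.get("strict", False))       # default: not strict
    threshold = config.get("strictness_threshold")   # default: no severity floor
    if threshold is not None and threshold not in SEVERITY_RANK:
        raise ValueError(f"invalid strictness_threshold: {threshold!r}")
    for finding in findings:
        if finding.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {finding.severity!r}")

    if not findings:
        return 0                     # nothing found: never break the build
    if strict:
        return 1                     # strict wins regardless of severity
    if threshold is None:
        return 0                     # report only
    floor = SEVERITY_RANK[threshold]
    hit = any(SEVERITY_RANK[f.severity] >= floor for f in findings)
    return 1 if hit else 0


# Constructed sample result set; the severities are made up for the example.
SAMPLE_FINDINGS = [
    Finding("F277", "low"),
    Finding("F050", "medium"),
    Finding("F050", "high"),
]

if __name__ == "__main__":
    for cfg in ({}, {"strict": True}, {"strictness_threshold": "high"},
                {"strictness_threshold": "critical"},
                {"strict": True, "strictness_threshold": "critical"}):
        print(cfg, "->", gate_exit_code(cfg, SAMPLE_FINDINGS))
```

The last case in the usage loop is the one to check in a pipeline definition: strict: true combined with strictness_threshold: critical still exits 1 on a high finding, because strict is evaluated first and the threshold never gets a say.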
Specify paths in the include/exclude subsections
You can specify your paths in two different ways:
- Using a path relative to the working directory (if the working_dir key is not defined, the working directory is automatically set to the directory from which you invoked the scanner), for example:
namespace: namespace
working_dir: /test/directory
sast:
  include:
    - src/main/java/org/test/Test.java
- Using Unix-style globs, relative to working_dir, for example:
namespace: namespace
working_dir: /test/directory
sast:
  include:
    - glob(*)
  exclude:
    - glob(**.java)
    - glob(src/**/test*.py)
The recommended configuration is to scan all paths of working_dir by using . in the include option:
sast:
  include:
    - .
Next, see the section specific to each scanner to know what other keys are supported in each case:
- MAST scanner
- Containers SCA scanner
- CSPM scanner
- DAST scanner
- SAST scanner
- SCA scanner
- Secret Scanning scanner
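To make the include/exclude rules above concrete, here is an added example (not Fluid Attacks' code) that applies a sast section's include and exclude lists to a constructed file tree. It assumes: a plain entry is a path relative to working_dir (a file, or a directory whose whole contents are selected, with . meaning everything); a glob(PATTERN) entry is matched with Python's fnmatch rules, where * also crosses /; and exclude takes precedence over include. The page does not spell out the exact glob dialect the scanners use, so that part is a model, not the scanners' matcher.

```python
"""Model of how include/exclude entries select files under working_dir.

Added example, not Fluid Attacks' code. Assumptions: plain entries are
relative paths (file, or directory prefix; '.' is everything); glob(...)
entries follow fnmatch rules ('*' crosses '/'); exclude beats include.
"""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# The recommended configuration from this page, written as a dict so the
# example needs no YAML library.
SAMPLE_CONFIG = {
    "namespace": "myapp",
    "working_dir": ".",
    "sast": {
        "include": ["."],
        "exclude": ["glob(**/node_modules/**)", "glob(**/test/**)"],
    },
}

# Constructed sample tree (paths relative to working_dir), not a real repository.
SAMPLE_TREE = [
    "src/main/java/org/test/Test.java",
    "src/main/java/org/test/Util.java",
    "src/app/index.js",
    "src/app/node_modules/lodash/lodash.js",
    "src/app/test/index.test.js",
    "src/tools/test_helpers.py",
    "README.md",
]


def _is_glob(entry: str) -> bool:
    return entry.startswith("glob(") and entry.endswith(")")


def entry_matches(entry: str, rel_path: str) -> bool:
    """Return True if one include/exclude entry selects rel_path."""
    if _is_glob(entry):
        pattern = entry[len("glob("):-1]
        return fnmatchcase(rel_path, pattern)
    target = PurePosixPath(entry)
    if str(target) == ".":
        return True                      # the whole working_dir
    path = PurePosixPath(rel_path)
    return path == target or target in path.parents   # exact file or directory prefix


def select_paths(section: dict, tree: list) -> list:
    """Return the paths of `tree` that the section's include/exclude lists keep."""
    include = section.get("include", [])
    exclude = section.get("exclude", [])
    selected = []
    for rel in tree:
        included = any(entry_matches(e, rel) for e in include)
        excluded = any(entry_matches(e, rel) for e in exclude)
        if included and not excluded:
            selected.append(rel)
    return selected


if __name__ == "__main__":
    for rel in select_paths(SAMPLE_CONFIG["sast"], SAMPLE_TREE):
        print(rel)
```

Running it with the recommended configuration shows one check worth doing before committing a config: glob(**/test/**) drops every path that passes through a directory named test, so src/main/java/org/test/Test.java from the relative-path example above is not scanned under that configuration even though it is application code. Narrow the pattern, or list the package explicitly in include, if that is not what you want.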
Have a question about the scanner or encountered a problem? Read "Scanner FAQ".