Containers SCA scanner

Last updated: Apr 22, 2026


Quick scan vs. configuration file

The containers SCA scanner supports two modes of operation.

Quick scan — analyze a single public image directly from the command line, without a configuration file:

sca scan alpine:3.17

This outputs a SARIF report by default.

Configuration file — use a YAML configuration file for more advanced scenarios: scanning private or ECR images, scanning multiple images at once, specifying custom output paths, or exporting an SBOM alongside a vulnerability report:

sca scan --config config.yaml

The rest of this page describes the configuration file options in detail.

General configuration file keys

Here is an overview of the general configuration file keys; these keys apply to all of Fluid Attacks' scanners, not only the containers SCA scanner.

namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: alpine:3.17
working_dir: .
language: EN

Specific configuration file keys

The following key is specific to the containers SCA scanner and declares the container images over which SCA analysis is performed.

containers_sca

This key contains an images list of container images to scan. Each entry supports the following options:

  • image_uri (mandatory): The URI of the container image to analyze. Accepts standard image references such as alpine:3.17.
  • image_config (optional): Additional settings for pulling and analyzing the image. See image_config options for details.

For example:

containers_sca:
  images:
    - image_uri: alpine:3.17
    - image_uri: registry.example.com/myapp:latest
      image_config:
        docker_credentials:
          docker_username: user
          docker_password: token

image_config options

The image_config sub-key supports the following options:

  • use_docker_daemon (optional): When set to true, the scanner connects to your local Docker daemon to analyze images stored locally. This is only available on Linux systems.
  • os_override (optional): Override the target OS for image analysis. Defaults to linux.
  • arch_override (optional): Override the target architecture for image analysis. Defaults to arm64.
  • docker_credentials (optional): Credentials for authenticating against a Docker-compatible registry:

    • docker_username: The registry username.
    • docker_password: The password or token with read access to the image.
  • ecr_credentials (optional): Credentials for authenticating against AWS Elastic Container Registry (ECR). Accepts either static credentials or role assumption:

    Static credentials:

    • access_key_id (mandatory): AWS access key ID.
    • secret_access_key (mandatory): AWS secret access key.
    • session_token (optional): Required when using temporary credentials (i.e., when access_key_id starts with ASIA).
    • aws_region (optional): AWS region of the ECR registry. Defaults to us-east-1.

    Role assumption:

    • role_arn (mandatory): ARN of the IAM role to assume.
    • external_id (mandatory): External ID required for role assumption.
    • aws_region (optional): AWS region of the ECR registry. Defaults to us-east-1.

For example, to scan an amd64 Windows image:

containers_sca:
  images:
    - image_uri: mcr.microsoft.com/windows/server:2022
      image_config:
        os_override: windows
        arch_override: amd64

Output configuration

Vulnerability report

Use the top-level output key to configure the vulnerability report:

  • file_path (optional): Path where the report will be written. Defaults to .fluidattacks-containers-sca-results.sarif or .fluidattacks-containers-sca-results.csv depending on the selected format.
  • format (optional): Report format. Accepted values: SARIF (default) or CSV.

For example:

output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF

SBOM output

Use the sbom key to export a Software Bill of Materials (SBOM):

  • output.name (optional): Path where the SBOM will be written.
  • output.format (optional): SBOM format. Accepted values: fluid-json (default), cyclonedx-json, cyclonedx-xml, spdx-json, or spdx-xml.

Note: cyclonedx-* and spdx-* formats are incompatible with the vulnerability output key and cannot be used together in the same configuration file.

sbom:
  output:
    name: /results/fluid-sbom.json
    format: fluid-json
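The rules stated above for image_config, ecr_credentials, the output key and the sbom note are easy to get wrong in a hand-written file, so here is an added pre-flight check (example code, not Fluid Attacks' scanner) that applies them to a configuration already loaded into a dict, as yaml.safe_load would return it. The sample config, the platform parameter and all message strings are this example's own assumptions.

```python
# Added example, not Fluid Attacks' code: a pre-flight check that applies the rules this page
# states for a containers_sca configuration (a dict, as yaml.safe_load would produce it).
VULN_FORMATS = {"SARIF", "CSV"}
SBOM_FORMATS = {"fluid-json", "cyclonedx-json", "cyclonedx-xml", "spdx-json", "spdx-xml"}

def check_ecr(creds, where):
    """ecr_credentials is either static (access_key_id) or role assumption (role_arn)."""
    errs = []
    if "role_arn" in creds:
        if not creds.get("external_id"):
            errs.append(f"{where}: external_id is mandatory with role_arn")
    elif "access_key_id" in creds:
        if not creds.get("secret_access_key"):
            errs.append(f"{where}: secret_access_key is mandatory with access_key_id")
        # temporary credentials (key id starting with ASIA) need the session_token as well
        if creds["access_key_id"].startswith("ASIA") and not creds.get("session_token"):
            errs.append(f"{where}: session_token is required for temporary (ASIA) credentials")
    else:
        errs.append(f"{where}: ecr_credentials needs role_arn or access_key_id")
    return errs

def validate_config(cfg, platform="linux"):
    """Return the list of rule violations; an empty list means the config is consistent."""
    errs = []
    if cfg.get("output", {}).get("format", "SARIF") not in VULN_FORMATS:
        errs.append(f"output.format must be one of {sorted(VULN_FORMATS)}")
    sbom_fmt = cfg.get("sbom", {}).get("output", {}).get("format", "fluid-json")
    if sbom_fmt not in SBOM_FORMATS:
        errs.append(f"sbom.output.format must be one of {sorted(SBOM_FORMATS)}")
    # cyclonedx-* and spdx-* SBOMs cannot share a configuration file with the output key
    if "output" in cfg and sbom_fmt != "fluid-json":
        errs.append(f"sbom format {sbom_fmt} cannot be combined with the output key")
    for i, img in enumerate(cfg.get("containers_sca", {}).get("images", [])):
        where = f"images[{i}]"
        if not img.get("image_uri"):
            errs.append(f"{where}: image_uri is mandatory")
        conf = img.get("image_config", {})
        if conf.get("use_docker_daemon") and platform != "linux":
            errs.append(f"{where}: use_docker_daemon is only available on Linux")
        if "ecr_credentials" in conf:
            errs.extend(check_ecr(conf["ecr_credentials"], where))
    return errs

# Constructed config with two mistakes: a temporary AWS key without session_token,
# and an spdx SBOM requested alongside the vulnerability output key.
SAMPLE = {"output": {"format": "SARIF"}, "sbom": {"output": {"format": "spdx-json"}},
          "containers_sca": {"images": [{"image_uri": "myapp:latest", "image_config": {
              "ecr_credentials": {"access_key_id": "ASIAEXAMPLEKEYID", "secret_access_key": "<secret>"}}}]}}

if __name__ == "__main__":
    print(*validate_config(SAMPLE), sep="\n")
```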

Configuration file examples

Scanning a public image

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: alpine:3.17

Scanning an image from a private registry

language: EN
output:
  file_path: /results/fluid-attacks-results.csv
  format: CSV
containers_sca:
  images:
    - image_uri: registry.example.com/myapp:latest
      image_config:
        docker_credentials:
          docker_username: user
          docker_password: token

Scanning an ECR image with static credentials

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
      image_config:
        ecr_credentials:
          access_key_id: access_key_id
          secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
          aws_region: us-east-1

Scanning an ECR image via IAM role assumption

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
      image_config:
        ecr_credentials:
          role_arn: arn:aws:iam::123456789012:role/MyECRReadRole
          external_id: my-external-id
          aws_region: us-east-1

Scanning a locally stored image (Linux only)

language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
containers_sca:
  images:
    - image_uri: myapp:local
      image_config:
        use_docker_daemon: true

Scanning multiple images with SBOM export

namespace: my_app
language: EN
output:
  file_path: /results/fluid-attacks-results.sarif
  format: SARIF
sbom:
  output:
    name: /results/fluid-sbom.json
    format: fluid-json
containers_sca:
  images:
    - image_uri: alpine:3.17
    - image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
      image_config:
        ecr_credentials:
          role_arn: arn:aws:iam::123456789012:role/MyECRReadRole
          external_id: my-external-id
