CSPM scanner

Last updated: Jun 30, 2026


For common configuration file keys that apply to all scanners, see Use a configuration file.

Specific configuration file keys

The following key is available for the CSPM scanner, and it can be used to perform cloud security posture management analysis over AWS environments.

cspm

This key has the following configuration option:

  • aws_credentials (mandatory): A list of AWS role configurations to analyze. Each entry supports:

    • role (mandatory): The AWS role ARN to assume for the scan.
    • external_id (optional): The external ID required to assume the role, when the IAM role's trust policy specifies an external ID condition.

    Both fields support the ${VAR_NAME} syntax — see example.

Configuration file example

namespace: my_app
language: EN
output:
  file_path: /fluid-attacks-results.sarif
  format: SARIF
checks:
  - F005
cspm:
  aws_credentials:
    - role: arn:aws:iam::123456789012:role/MyRole
      external_id: my-external-id

Configuration file example with envars

namespace: my_app
language: EN
output:
  file_path: /fluid-attacks-results.sarif
  format: SARIF
checks:
  - F005
cspm:
  aws_credentials:
    - role: arn:aws:iam::123456789012:role/MyRole
      external_id: ${CSPM_AWS_EXTERNAL_ID}

On this page