SAST scanner

Last updated: Jun 25, 2026


For common configuration file keys that apply to all scanners, see Use a configuration file.

Specific configuration file keys

The following keys are available only for the SAST scanner:

sast

This key has four configuration options:

  • include (optional; defaults to ["."] when omitted): Paths to files or directories to analyze
  • exclude (optional): Files or directories to exclude from the analysis
  • recursion_limit (optional): An integer limit on recursion depth, useful if SAST execution takes too long (over 1 hour) or runs into memory or recursion errors; the recommended and default value is 100
  • file_size_limit (optional): Set to false to remove the default file size limit if crucial files are omitted because of it

For example:

sast:
  include:
    - relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(**/node_modules/)
  recursion_limit: 100
  file_size_limit: false

For instructions on how to specify paths in the include and exclude subsections, see Use a configuration file.

Configuration file example

Below is an example of a heavily customized configuration file:

namespace: my_app
working_dir: ./
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
language: EN
output:
  file_path: /fluid-attacks-results.csv
  format: CSV
checks:
  - F052
strict: false
sast:
  include:
    - src/main/java/org/test/Test.java
    - glob(**.py)
  exclude:
    - glob(src/**/test*.py)
  file_size_limit: false
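
The following check is an added example, not part of the scanner or of the original page: it lints the sast section of an already-parsed configuration (a plain dict) before a scan runs, so a misspelled key or a wrong value type is caught instead of quietly changing what gets analyzed. The name lint_sast, treating unknown keys as errors, requiring a positive recursion_limit, and representing the default file size limit as True are assumptions.

```python
ALLOWED = {"include", "exclude", "recursion_limit", "file_size_limit"}
DEFAULT_RECURSION_LIMIT = 100  # default stated on this page


def lint_sast(config):
    """Return (effective_settings, problems) for the `sast` key of a parsed config."""
    problems = []
    sast = config.get("sast") or {}
    if not isinstance(sast, dict):
        return {}, ["sast: must be a mapping"]
    # Report misspelled keys so a typo cannot silently change the scan scope.
    for key in sorted(set(sast) - ALLOWED):
        problems.append(f"sast.{key}: unknown key")
    effective = {
        "include": sast.get("include", ["."]),  # page default when omitted
        "exclude": sast.get("exclude", []),
        "recursion_limit": sast.get("recursion_limit", DEFAULT_RECURSION_LIMIT),
        "file_size_limit": sast.get("file_size_limit", True),  # assumption: True = default limit on
    }
    for name in ("include", "exclude"):
        paths = effective[name]
        if not isinstance(paths, list) or not all(isinstance(p, str) and p for p in paths):
            problems.append(f"sast.{name}: must be a list of non-empty strings")
            continue
        for p in paths:
            if p.startswith("glob(") and not p.endswith(")"):
                problems.append(f"sast.{name}: unterminated glob pattern {p!r}")
    limit = effective["recursion_limit"]
    # bool is a subclass of int in Python, so `recursion_limit: true` is rejected explicitly.
    if isinstance(limit, bool) or not isinstance(limit, int) or limit < 1:
        problems.append("sast.recursion_limit: must be a positive integer")
    if not isinstance(effective["file_size_limit"], bool):
        problems.append("sast.file_size_limit: must be a boolean")
    return effective, problems


# Constructed sample inputs: the page's example, and a variant with typical mistakes.
PAGE_EXAMPLE = {"sast": {
    "include": ["src/main/java/org/test/Test.java", "glob(**.py)"],
    "exclude": ["glob(src/**/test*.py)"],
    "file_size_limit": False,
}}
BROKEN = {"sast": {
    "includes": ["src/"],               # typo: include falls back to ["."]
    "exclude": "glob(**/node_modules/",  # a string, not a list
    "recursion_limit": True,
    "file_size_limit": "false",
}}

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("broken", BROKEN)):
        print(label, *lint_sast(cfg), sep="\n  ")
```

Run it on the parsed configuration in CI and fail the job when the problems list is not empty.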
