SCA scanner

Last updated: Jun 25, 2026


For common configuration file keys that apply to all scanners, see Use a configuration file.

Specific configuration file keys

The following key is specific to the SCA scanner; it selects the files of the repository on which SCA analysis is performed.

sca

This key has two configuration options:

  • include (optional): Paths to files or directories to analyze
  • exclude (optional): Files or directories to exclude from the analysis

For example:

sca:
  include:
    - relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(**/test/)

For instructions on how to specify paths in the include and exclude subsections, see Use a configuration file.

Configuration file example

Below is an example of a fully customized configuration file:

namespace: my_app
working_dir: ./
commit: e59607b9de3ef4c13d292705fb3da1ff0c67eb38
language: EN
output:
  file_path: /fluid-attacks-results.csv
  format: CSV
checks:
  - F052
sca:
  include:
    - src/front/package-lock.json
    - glob(*)
    - glob(**.json)
  exclude:
    - glob(src/**/test/package.json)
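To see which files a given sca block actually selects, the following script, added here as an example and not part of the scanner's own code, walks a constructed sample repository and applies the include and exclude entries of the configuration above. The glob() semantics are this example's assumptions: ** spans directories, * stays within one path segment, a trailing / covers a directory and everything below it, exclude wins over include, and an absent include selects every file under the working directory.

```python
"""Resolve the files selected by an `sca` include/exclude block.

Added example, not the scanner's own code. Glob semantics are assumed:
'**' spans directories, '*' stays within one path segment, a trailing '/'
covers a directory and everything below it, exclude wins over include,
and an absent include selects every file under the working directory.
"""
import re
import tempfile
from pathlib import Path
from typing import Callable

_GLOB_ENTRY = re.compile(r"^glob\((.*)\)$")


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a glob(...) pattern into a regex over POSIX-style relative paths."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")  # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")        # anything, including separators
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")     # anything within one path segment
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if pattern.endswith("/"):
        body += ".*"                  # a directory pattern covers its contents
    return re.compile(f"^{body}$")


def _matcher(entry: str) -> Callable[[str], bool]:
    """Build a predicate for one include/exclude entry (glob(...) or a plain path)."""
    entry = entry.strip()
    found = _GLOB_ENTRY.match(entry)
    if found:
        regex = _pattern_to_regex(found.group(1))
        return lambda rel: regex.match(rel) is not None
    literal = entry.rstrip("/")
    # A plain path selects that file, or that directory and everything in it.
    return lambda rel: rel == literal or rel.startswith(literal + "/")


def resolve_sca_targets(working_dir: str, sca: dict) -> list:
    """Return sorted relative paths under working_dir that the sca block selects."""
    includes = [_matcher(e) for e in sca.get("include", [])] or [lambda rel: True]
    excludes = [_matcher(e) for e in sca.get("exclude", [])]
    root = Path(working_dir)
    selected = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(m(rel) for m in includes) and not any(m(rel) for m in excludes):
            selected.append(rel)
    return sorted(selected)


def demo_tree() -> str:
    """Create a constructed sample repository (not from the page) in a temp dir."""
    root = tempfile.mkdtemp(prefix="sca-demo-")
    for rel in (
        "package.json",
        "src/front/package-lock.json",
        "src/front/test/package.json",
        "src/back/requirements.txt",
        "src/back/test/fixtures.json",
        "docs/readme.md",
    ):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("{}\n" if rel.endswith(".json") else "\n")
    return root


# The sca block from the configuration example above, as a parsed dict.
PAGE_SCA = {
    "include": ["src/front/package-lock.json", "glob(*)", "glob(**.json)"],
    "exclude": ["glob(src/**/test/package.json)"],
}


if __name__ == "__main__":
    root = demo_tree()
    print("page example:", resolve_sca_targets(root, PAGE_SCA))
    print("exclude test dirs:", resolve_sca_targets(root, {"exclude": ["glob(**/test/)"]}))
```

Running it on the sample tree shows that glob(*) only reaches top-level files and that the exclude entry removes src/front/test/package.json even though glob(**.json) included it; replace demo_tree() with the real working_dir and PAGE_SCA with the sca block parsed from the configuration file to check a real repository.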

Analyze Docker images

The SCA scanner can also analyze Docker images. To do so, use the sbom key.

sbom

This key has the following basic options:

  • source_type (mandatory): Specifies the type of source to analyze. Valid values are:
    • docker: A Docker image from a container registry
    • docker-daemon: A locally available image via the Docker daemon (only available on Linux systems)
    • ecr: An image hosted on Amazon ECR
    • ecr-with-credentials: An ECR image using explicit AWS credentials
    • dir: A local directory
  • image_uri (mandatory for Docker sources): The unique identifier of the image you want to analyze.
  • docker_credentials (optional): Credentials for authenticating to a container registry:
    • username (optional): The username used to authenticate to the container registry that hosts the image.
    • password (optional): A password or token with read access to the image; prefer a read-only token over an account password.
    • use_docker_daemon (optional): When set to true, the scan connects to your local Docker daemon instead of a registry, which is useful for images that only exist locally. This option is only available on Linux systems.
  • aws_credentials (optional): AWS credentials for images hosted on ECR:
    • region (optional): AWS region for images hosted on ECR. Defaults to us-east-1.
    • access_key_id, secret_access_key, session_token (optional): AWS credentials with read access to the ECR image.

Configuration file example for Docker image analysis

Below is an example of a configuration file to analyze a Docker image hosted on GHCR. Note that the registry token is stored in plaintext in this file, so use a token limited to read access and keep the file out of version control:

language: EN
output:
  file_path: /working-dir/fluid-attacks-results.csv
  format: CSV
sbom:
  source_type: docker
  image_uri: docker://ghcr.io/myuser/my-img:latest
  docker_credentials:
    username: myuser
    password: ghp_my_secret_token

Below is an example of a configuration file to analyze a local image (only available on Linux systems):

language: EN
output:
  file_path: /working-dir/fluid-attacks-results.csv
  format: CSV
sbom:
  source_type: docker-daemon
  image_uri: alpine:3.17
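The option list and the two examples above leave a few things to get right before a scan starts: source_type must be one of the listed values, image sources need an image_uri, daemon access only works on Linux, and any password in the file is a plaintext secret. The following pre-flight check is an added example, not the scanner's own code; rules marked (page) restate the option list, rules marked (assumption) are this example's reading of it, and REGISTRY_USER and REGISTRY_TOKEN are names chosen here for building the GHCR configuration from the environment at scan time.

```python
"""Pre-flight checks for a configuration file's `sbom` key.

Added example, not the scanner's own code. Rules marked (page) restate the
option list above; rules marked (assumption) are this example's reading of it.
"""
import platform

IMAGE_SOURCES = {"docker", "docker-daemon", "ecr", "ecr-with-credentials"}
VALID_SOURCES = IMAGE_SOURCES | {"dir"}


def check_sbom(cfg: dict, system: str = "") -> list:
    """Return findings for cfg["sbom"], each prefixed ERROR, WARN or INFO.

    `system` overrides platform.system() so the Linux-only rule can be
    evaluated for a different host than the one running this check."""
    system = system or platform.system()
    sbom = cfg.get("sbom")
    if not isinstance(sbom, dict):
        return ["ERROR: no sbom key; nothing to analyze"]
    findings = []

    source = sbom.get("source_type")
    if source not in VALID_SOURCES:  # (page) mandatory, fixed set of values
        findings.append(f"ERROR: source_type must be one of {sorted(VALID_SOURCES)}, got {source!r}")
    if source in IMAGE_SOURCES and not sbom.get("image_uri"):  # (page) for docker; (assumption) for ecr
        findings.append("ERROR: image_uri is mandatory when analyzing an image")

    creds = sbom.get("docker_credentials") or {}
    uses_daemon = source == "docker-daemon" or creds.get("use_docker_daemon") is True
    if uses_daemon and system != "Linux":  # (page) daemon access is Linux-only
        findings.append(f"ERROR: Docker daemon access is only available on Linux, not {system}")
    if creds.get("password"):  # a registry password/token in the file is a plaintext secret
        findings.append("WARN: docker_credentials.password is stored in plaintext; "
                        "generate this file at scan time and keep it out of version control")
    if bool(creds.get("username")) != bool(creds.get("password")):  # (assumption) registries need both
        findings.append("WARN: docker_credentials sets only one of username and password")

    aws = sbom.get("aws_credentials") or {}
    if source == "ecr-with-credentials" and not (aws.get("access_key_id") and aws.get("secret_access_key")):
        findings.append("ERROR: ecr-with-credentials requires aws_credentials.access_key_id "
                        "and secret_access_key")  # (assumption) implied by the source name
    if aws.get("secret_access_key"):
        findings.append("WARN: aws_credentials.secret_access_key is stored in plaintext; "
                        "prefer short-lived credentials injected at scan time")
    if aws and not aws.get("region"):  # (page) defaults to us-east-1
        findings.append("INFO: aws_credentials.region not set; the scanner defaults to us-east-1")
    return findings


def ghcr_config_from_env(image_uri: str, env: dict) -> dict:
    """Build the GHCR configuration above with the registry credentials read
    from the environment at scan time, so the token never lands in the repo.
    REGISTRY_USER and REGISTRY_TOKEN are this example's names (assumption)."""
    missing = [k for k in ("REGISTRY_USER", "REGISTRY_TOKEN") if not env.get(k)]
    if missing:
        raise KeyError(f"missing environment variables: {missing}")
    return {
        "language": "EN",
        "output": {"file_path": "/working-dir/fluid-attacks-results.csv", "format": "CSV"},
        "sbom": {
            "source_type": "docker",
            "image_uri": image_uri,
            "docker_credentials": {"username": env["REGISTRY_USER"], "password": env["REGISTRY_TOKEN"]},
        },
    }


# The two configuration examples above, as parsed dicts.
GHCR_EXAMPLE = {
    "language": "EN",
    "output": {"file_path": "/working-dir/fluid-attacks-results.csv", "format": "CSV"},
    "sbom": {
        "source_type": "docker",
        "image_uri": "docker://ghcr.io/myuser/my-img:latest",
        "docker_credentials": {"username": "myuser", "password": "ghp_my_secret_token"},
    },
}
DAEMON_EXAMPLE = {
    "language": "EN",
    "output": {"file_path": "/working-dir/fluid-attacks-results.csv", "format": "CSV"},
    "sbom": {"source_type": "docker-daemon", "image_uri": "alpine:3.17"},
}


if __name__ == "__main__":
    for name, cfg in (("ghcr", GHCR_EXAMPLE), ("docker-daemon", DAEMON_EXAMPLE)):
        print(name, check_sbom(cfg) or ["OK"])
```

On the GHCR example the check reports a single warning about the plaintext token; on the docker-daemon example it passes on Linux and reports an error on any other host. Dump the dict returned by ghcr_config_from_env() with a YAML library in the CI job, pass the resulting file to the scanner, and discard it afterwards.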