SCA scanner

Last updated: Mar 24, 2026


General configuration file keys

Here is an overview of the general configuration file keys. Remember that this applies to all of Fluid Attacks' scanners.

namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN

Specific configuration file keys

The following key is specific to the SCA scanner; it selects which files in the repository are analyzed.

sca

This key has two configuration options:

  • include (mandatory): Paths to files or directories to analyze
  • exclude (optional): Files or directories to exclude from the analysis

For example:

sca:
  include:
    - relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(**/test/)

Specify paths in the include/exclude subsections

You can specify your paths in two different ways:

  • Using a path relative to the working directory, for example:

namespace: namespace
working_dir: /test/directory
sca:
  include:
    - src/main/java/org/test/Test.java

  • Using a glob(...) pattern, for example:

namespace: namespace
working_dir: /test/directory
sca:
  include:
    - glob(*)
  exclude:
    - glob(**.java)
    - glob(src/**/test*.py)

Configuration file example

Below is an example of a highly personalized configuration file:

namespace: my_app
working_dir: ./
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
language: EN
output:
  file_path: /fluid-attacks-results.csv
  format: CSV
checks:
  - F052
sca:
  include:
    - src/front/package-lock.json
    - glob(*)
    - glob(**.json)
  exclude:
    - glob(src/**/test/package.json)

Analyze Docker images

The SCA scanner image can also analyze Docker images. For this, use the sbom key instead of the sca key.

sbom

This key has the following basic options:

  • source_type: docker (mandatory): Specifies a Docker image analysis.

  • image_uri (mandatory): The unique identifier of the image you want to analyze.

  • image_config (optional): Specifies different credentials to use for the analysis, allowing the following options:

    • docker_username (optional): The username that owns the Docker image in the container registry of your choice.
    • docker_password (optional): The password or token with read access rights to the image.
    • use_docker_daemon (optional): When set to true, the scan connects to your Docker daemon to analyze images. This is useful for scanning images stored locally. Please note that this option is only available on Linux systems.

    If your image is hosted on ECR, you can also use these options as part of the image_config sub-key:

    • aws_region (optional): AWS region for images hosted on ECR.
    • access_key_id, secret_access_key, session_token (optional): AWS credentials with read access to the ECR image.

Configuration file example for Docker image analysis

Below is an example of a configuration file to analyze a Docker image hosted on GHCR:

language: EN
output:
  file_path: /working-dir/fluid-attacks-results.csv
  format: CSV
sbom:
  source_type: docker
  image_uri: docker://ghcr.io/myuser/my-img:latest
  image_config:
    docker_username: myuser
    docker_password: ghp_my_secret_token

Below is an example of a configuration file to analyze a local image (only available on Linux systems):

language: EN
output:
  file_path: /working-dir/fluid-attacks-results.csv
  format: CSV
sbom:
  source_type: docker
  image_uri: alpine:3.17
  image_config:
    use_docker_daemon: true
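The sca and sbom sections above describe the keys a configuration file may contain but give no way to check a file before a scan runs, and the GHCR example stores a registry token as a literal in the file. The following script is an added example, not Fluid Attacks' own tooling: it validates a parsed configuration against the documented keys (mandatory sca.include, relative-path-or-glob entries, source_type: docker, mandatory image_uri, known image_config keys), lists credential values that sit literally in a committed file, and builds the registry-image configuration at scan time from environment variables. The environment variable names REGISTRY_USER and REGISTRY_TOKEN, the function names, and the minimal YAML emitter are assumptions of this example; the key names are the ones documented on this page.

```python
"""Validator and renderer for Fluid Attacks scanner configuration files.

Added example for this page, not Fluid Attacks' own tooling. Key names follow the
documentation above; REGISTRY_USER / REGISTRY_TOKEN and the helper names are assumed.
"""
import os
import re

TOP_LEVEL_KEYS = {"namespace", "output", "working_dir", "language", "commit",
                  "checks", "sca", "sbom"}
SCA_KEYS = {"include", "exclude"}
IMAGE_CONFIG_KEYS = {"docker_username", "docker_password", "use_docker_daemon",
                     "aws_region", "access_key_id", "secret_access_key", "session_token"}
# image_config keys whose values are credentials and should not live in a committed file
SECRET_KEYS = {"docker_password", "secret_access_key", "session_token"}
GLOB_RE = re.compile(r"^glob\(.+\)$")


def validate_config(cfg):
    """Return a list of problems; an empty list means the config uses the documented keys."""
    problems = []
    unknown = set(cfg) - TOP_LEVEL_KEYS
    if unknown:
        problems.append(f"unknown top-level keys: {sorted(unknown)}")
    output = cfg.get("output")
    if not isinstance(output, dict) or not {"file_path", "format"} <= set(output):
        problems.append("output.file_path and output.format are required")
    if "sca" not in cfg and "sbom" not in cfg:
        problems.append("nothing to scan: add an 'sca' or an 'sbom' key")
    if "sca" in cfg:
        problems += _validate_sca(cfg["sca"])
    if "sbom" in cfg:
        problems += _validate_sbom(cfg["sbom"])
    return problems


def _validate_sca(sca):
    problems = []
    unknown = set(sca) - SCA_KEYS
    if unknown:
        problems.append(f"sca: unknown keys {sorted(unknown)}")
    if not sca.get("include"):
        problems.append("sca.include is mandatory and must list at least one path")
    # Entries are either glob(...) patterns or paths relative to working_dir
    for entry in list(sca.get("include") or []) + list(sca.get("exclude") or []):
        if not isinstance(entry, str) or (not GLOB_RE.match(entry) and os.path.isabs(entry)):
            problems.append(f"sca: {entry!r} must be a relative path or a glob(...) pattern")
    return problems


def _validate_sbom(sbom):
    problems = []
    if sbom.get("source_type") != "docker":
        problems.append("sbom.source_type must be 'docker'")
    if not sbom.get("image_uri"):
        problems.append("sbom.image_uri is mandatory")
    image_config = sbom.get("image_config") or {}
    unknown = set(image_config) - IMAGE_CONFIG_KEYS
    if unknown:
        problems.append(f"sbom.image_config: unknown keys {sorted(unknown)}")
    return problems


def find_literal_secrets(cfg):
    """Dotted paths of credential values embedded in the config; run this on committed files."""
    image_config = (cfg.get("sbom") or {}).get("image_config") or {}
    return [f"sbom.image_config.{k}" for k in sorted(SECRET_KEYS & set(image_config))]


def build_registry_config(image_uri, env):
    """Assemble the sbom config at scan time from the environment (REGISTRY_USER /
    REGISTRY_TOKEN are assumed names) so that the committed repository holds no token."""
    return {
        "language": "EN",
        "output": {"file_path": "/working-dir/fluid-attacks-results.csv", "format": "CSV"},
        "sbom": {
            "source_type": "docker",
            "image_uri": image_uri,
            "image_config": {"docker_username": env["REGISTRY_USER"],
                             "docker_password": env["REGISTRY_TOKEN"]},
        },
    }


def dump_yaml(value, indent=0):
    """Minimal YAML emitter for the nested dict / list-of-scalars shape these configs use."""
    pad = "  " * indent
    lines = []
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.append(dump_yaml(val, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    else:  # list of scalars
        lines.extend(f"{pad}- {_scalar(item)}" for item in value)
    return "\n".join(lines)


def _scalar(val):
    if isinstance(val, bool):
        return "true" if val else "false"
    text = str(val)
    # Quote values a YAML parser would otherwise misread (leading indicators, "key: value")
    return f'"{text}"' if text.startswith(("*", "&", "!", "[", "{", "#")) or ": " in text else text


if __name__ == "__main__":
    env = {"REGISTRY_USER": "myuser", "REGISTRY_TOKEN": os.environ.get("REGISTRY_TOKEN", "<token>")}
    cfg = build_registry_config("docker://ghcr.io/myuser/my-img:latest", env)
    print(dump_yaml(cfg))
```

Run validate_config on the parsed file before each scan and find_literal_secrets on whatever is committed to the repository; the rendered file produced by build_registry_config still contains the token, so it should be written only in the CI job that runs the scanner and discarded afterwards.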
