CI/CD integration
Last updated: Jul 17, 2026
Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).
Choose the delivery mechanism that best fits your workflow:
- Docker containers: Works on any CI/CD provider that supports Docker images. Available for MAST, CSPM, DAST, SAST, and SCA.
- GitHub Actions: Dedicated actions with native GitHub integration. Available for SAST, SCA, Secret Scan, DAST, and CI Gate.
- Distributed binaries: Single-binary install, no Docker required. Currently available for Secret Scanning and Container Scanning.
Run with standalone binaries
The ss
and cs
standalone binaries can run on any CI/CD provider
without Docker.
The pattern is always the same:
install the binary with the one-liner installer, then run the scan.
ss (secrets detection)
To attribute runs to your Fluid Attacks group, authenticate the scan.
Any system that can issue OpenID Connect tokens can authenticate with no stored
secret (the examples below use CI providers): name your group with --group
and expose the token as INTEGRATES_OIDC_TOKEN (on GitHub Actions ss requests
it automatically). Where OIDC is unavailable, set an INTEGRATES_API_TOKEN
secret instead. Authentication is optional and does not block the scan. See
Authentication for the full guide, including
token-less OIDC federation setup.
# .github/workflows/ss.yml
name: Secret Scan
on: [push, pull_request]
permissions:
id-token: write # allow the job to request an OIDC token
contents: read
jobs:
secretScan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- name: Install ss
run: curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
- name: Run secret scan
run: ss scan --group my-group --strict .# .gitlab-ci.yml
secretScan:
image: ubuntu:latest
id_tokens:
INTEGRATES_OIDC_TOKEN:
aud: https://app.fluidattacks.com
script:
- curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
- ss scan --group my-group --strict .# .travis.yml
# Set INTEGRATES_API_TOKEN as a secret environment variable in Travis settings.
before_install:
- curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
script:
- ss scan --strict .# bitbucket-pipelines.yml
# Set INTEGRATES_API_TOKEN as a secured repository variable.
pipelines:
default:
- step:
name: Secret-Scan
script:
- curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
- ss scan --strict .cs (container scanning)
To attribute runs to your Fluid Attacks group, authenticate the scan.
Any system that can issue OpenID Connect tokens can authenticate with no stored
secret (the examples below use CI providers): name your group with --group
and expose the token as INTEGRATES_OIDC_TOKEN (on GitHub Actions cs requests
it automatically). Where OIDC is unavailable, set an INTEGRATES_API_TOKEN
secret instead. Authentication is optional and does not block the scan. See
Authentication for the full guide, including
token-less OIDC federation setup.
# .github/workflows/cs.yml
name: Container Scan
on: [push, pull_request]
permissions:
id-token: write # allow the job to request an OIDC token
contents: read
jobs:
containerScan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- name: Build image
run: docker build -t myapp:latest .
- name: Install cs
run: curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
- name: Run container scan
run: cs scan --group my-group --strict myapp:latest# .gitlab-ci.yml
containerScan:
image: docker:latest
id_tokens:
INTEGRATES_OIDC_TOKEN:
aud: https://app.fluidattacks.com
script:
- curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
- cs scan --group my-group --strict myapp:latest# .travis.yml
# Set INTEGRATES_API_TOKEN as a secret environment variable in Travis settings.
services:
- docker
before_install:
- docker build -t myapp:latest .
- curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
script:
- cs scan --strict myapp:latest# bitbucket-pipelines.yml
# Set INTEGRATES_API_TOKEN as a secured repository variable.
pipelines:
default:
- step:
name: Container-Scan
services:
- docker
script:
- docker build -t myapp:latest .
- curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
- cs scan --strict myapp:latestGeneral recommendations
- Trunk-based or feature-based development: We recommend integrating the scanners into trunk-based or feature-based workflows so that scans run only on changed files in a pull request or feature branch, preventing new vulnerabilities from being introduced into the codebase.
- Break the build:
To halt your CI/CD pipeline
when vulnerabilities are detected,
use the
strictoption in your configuration file. See the configuration documentation for details. - Handling false positives: If the scanner reports what you consider a false positive, use the exclusions as code feature to prevent it from being reported in future scans.
Troubleshooting
For solutions to common errors and issues encountered during the scanning process, consult the "Scanner FAQ".
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' pentesting team, fill out this contact form.
Docker in CI/CD
Use Fluid Attacks' Docker-based scanners in your CI/CD pipeline with GitHub Actions, GitLab CI, Travis CI, Bitbucket Pipelines, and other providers.
GitHub Actions
Use Fluid Attacks' dedicated GitHub Actions for SAST, SCA, Secret Scan, DAST, and CI Gate to integrate automated security testing into your CI/CD pipeline.