Integrate scanners into CI/CD pipelines
Last updated: Mar 16, 2026
Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).
Run on GitHub Actions
SAST
The SAST scanner has a dedicated GitHub Action that requires no inputs. It auto-detects scan mode: full scan on pushes to the default branch, differential scan on feature branches and pull requests.
- Create .sast.yaml in your repository root:

```yaml
language: EN
strict: false
output:
  file_path: results.sarif
  format: SARIF
sast:
  include:
    - .
```

- Add the workflow file .github/workflows/sast.yml:

```yaml
name: SAST
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: fluidattacks/sast-action@1.0.0
        id: scan
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}
```

- Commit both files and push. The scan runs automatically.
See the Marketplace page for all configuration options and output details.
SCA
The SCA scanner also has a dedicated GitHub Action with the same zero-input, auto-detected scan mode behavior as the SAST action.
- Create .sca.yaml in your repository root:

```yaml
language: EN
strict: false
output:
  file_path: results.sarif
  format: SARIF
sca:
  include:
    - .
```

- Add the workflow file .github/workflows/sca.yml:

```yaml
name: SCA
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: fluidattacks/sca-action@1.0.0
        id: scan
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}
```

- Commit both files and push. The scan runs automatically.
See the Marketplace page for all configuration options, output details, and troubleshooting.
DAST and MAST scanners
For the scanners without a dedicated GitHub Action, use the Docker-based approach. Replace the container URI and command with the ones for the specific scanner.
```yaml
# .github/workflows/dast.yml
name: DAST Analysis
on: [push, pull_request]
jobs:
  machineStandalone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - uses: docker://docker.io/fluidattacks/probes:latest
        name: dastStandaloneAnalysis
        with:
          args: probes scan https://myapp.com
```

Run on GitLab CI
```yaml
# .gitlab-ci.yml
machineStandalone:
  image: docker.io/fluidattacks/sast:latest
  script:
    - sast scan /dir/to/scan
```

Run on Travis CI
```yaml
# .travis.yml
services:
  - docker
before_install:
  - docker pull fluidattacks/sast:latest
script:
  # The sast CLI lives inside the image, not on the Travis host, so mount the
  # checked-out repository into the container and run the scan there.
  - docker run -v "$PWD":/src -w /src fluidattacks/sast:latest sast scan .
```

Run on Bitbucket Pipelines
Bitbucket Pipelines requires Docker in Docker (DinD):
```yaml
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Fluid-Attacks-SAST-Scanner
        services:
          - docker
        script:
          - docker pull fluidattacks/sast:latest
          # $PWD (upper case) is the shell's working directory; the mount
          # target inside the container must be an absolute path.
          - docker run -v "$PWD":/src fluidattacks/sast:latest sast scan /src/config.yaml
```

Other providers
The scanners can be executed on any CI/CD provider that supports Docker images. Refer to each provider’s documentation for instructions on running Docker containers in their pipelines.
General recommendations
- Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, use the strict option in your configuration file. See the configuration documentation for details.
- Handling false positives: If the scanner reports what you consider a false positive, use the exclusions as code feature to prevent it from being reported in future scans.
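The strict option breaks the build on any finding. When a pipeline needs its own threshold instead (for example, fail only on error-level results while a team works down warnings), a small gate over the results.sarif file the workflows above write can run as the next CI step. The script below is an added example, not part of the Fluid Attacks documentation or tooling; the SARIF fields it reads (runs[].results[].level, suppressions) are standard SARIF 2.1.0, and the sample document, rule ids and the gate's file name are constructed for illustration.

```python
import json
import sys
from collections import Counter

# SARIF 2.1.0 result levels, lowest to highest.
LEVELS = ("none", "note", "warning", "error")


def count_findings(sarif: dict) -> Counter:
    """Count results across all runs by level (SARIF default level is 'warning')."""
    counts: Counter = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            # Skip accepted suppressions (status absent or 'accepted'),
            # e.g. findings already handled through exclusions as code.
            suppressed = any(s.get("status", "accepted") == "accepted"
                             for s in result.get("suppressions", []))
            if not suppressed:
                counts[result.get("level", "warning")] += 1
    return counts


def should_break_build(counts: Counter, fail_on: str = "warning") -> bool:
    """True when any counted result is at or above the fail_on level."""
    threshold = LEVELS.index(fail_on)
    return any(n and LEVELS.index(lvl) >= threshold
               for lvl, n in counts.items() if lvl in LEVELS)


# Constructed sample in the shape of the results.sarif the scanners write.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "sast"}}, "results": [
        {"ruleId": "F001", "level": "error", "message": {"text": "sample"}},
        {"ruleId": "F002", "level": "warning", "message": {"text": "sample"}},
        {"ruleId": "F003", "level": "note", "message": {"text": "sample"}},
        {"ruleId": "F004", "level": "error", "message": {"text": "sample"},
         "suppressions": [{"kind": "inSource"}]},
    ]}],
}


def main(path: str = "results.sarif", fail_on: str = "warning") -> int:
    """Exit status 1 breaks the build when the file crosses the threshold."""
    with open(path, encoding="utf-8") as fh:
        counts = count_findings(json.load(fh))
    return 1 if should_break_build(counts, fail_on) else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:3]))
```

Invoke it as a pipeline step after the scan, for example `python sarif_gate.py results.sarif error`, so the job's exit status carries the decision.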
Troubleshooting
For solutions to common errors and issues encountered during the scanning process, consult the “Scanner FAQ”.