CI/CD integration
Last updated: May 15, 2026
Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).
Run on GitHub Actions
Fluid Attacks provides dedicated GitHub Actions for SAST, SCA, Secret Scan, and DAST. See the GitHub Actions section for setup guides, configuration options, and troubleshooting.
CSPM and MAST scanners
For the scanners without a dedicated GitHub Action, use the Docker-based approach. Replace the container URI and command with the ones for the specific scanner.
```yaml
# .github/workflows/mast.yml
name: MAST Analysis
on: [push, pull_request]
jobs:
  machineStandalone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      # Run the scanner image directly; swap the image and command for another scanner
      - uses: docker://docker.io/fluidattacks/mast:latest
        name: mastStandaloneAnalysis
        with:
          args: mast scan myapp.apk
```
Run on GitLab CI
```yaml
# .gitlab-ci.yml
machineStandalone:
  image: docker.io/fluidattacks/sast:latest
  script:
    - sast scan /dir/to/scan
```
Run on Travis CI
```yaml
# .travis.yml
services:
  - docker
before_install:
  - docker pull fluidattacks/sast:latest
script:
  # Mount the checked-out repository into the container and scan it there;
  # the sast binary lives inside the image, not on the Travis host.
  - docker run -v "$PWD":/src fluidattacks/sast:latest sast scan /src
```
Run on Bitbucket Pipelines
Bitbucket Pipelines requires Docker in Docker (DinD):
```yaml
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Fluid-Attacks-SAST-Scanner
        services:
          - docker
        script:
          - docker pull fluidattacks/sast:latest
          # $PWD (not $pwd) is the clone directory; mount it at an absolute path inside the container
          - docker run -v "$PWD":/src fluidattacks/sast:latest sast scan /src/config.yaml
```
Run with standalone binaries
The ss and cs standalone binaries can run on any CI/CD provider without Docker. The pattern is always the same: install the binary with the one-liner installer, then run the scan.
ss (secrets detection)
GitHub Actions
```yaml
# .github/workflows/ss.yml
name: Secret Scan
on: [push, pull_request]
jobs:
  secretScan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - name: Install ss
        run: curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
      - name: Run secret scan
        run: ss scan --strict .
```
GitLab CI
```yaml
# .gitlab-ci.yml
secretScan:
  image: ubuntu:latest
  script:
    # the stock ubuntu image ships without curl, so install it before fetching the installer
    - apt-get update && apt-get install -y curl
    - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
    - ss scan --strict .
```
Travis CI
```yaml
# .travis.yml
before_install:
  - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
script:
  - ss scan --strict .
```
Bitbucket Pipelines
```yaml
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Secret-Scan
        script:
          - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
          - ss scan --strict .
```
cs (container scanning)
cs scans container images, so the image must be built (or pulled) before the scan step runs.
GitHub Actions
```yaml
# .github/workflows/cs.yml
name: Container Scan
on: [push, pull_request]
jobs:
  containerScan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - name: Build image
        run: docker build -t myapp:latest .
      - name: Install cs
        run: curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
      - name: Run container scan
        run: cs scan --strict myapp:latest
```
GitLab CI
```yaml
# .gitlab-ci.yml
containerScan:
  image: docker:latest
  services:
    - docker:dind   # needed so the job can build and inspect images
  script:
    - apk add --no-cache curl   # the docker image is Alpine-based and has no curl
    - docker build -t myapp:latest .
    - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
    - cs scan --strict myapp:latest
```
Travis CI
```yaml
# .travis.yml
services:
  - docker
before_install:
  - docker build -t myapp:latest .
  - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
script:
  - cs scan --strict myapp:latest
```
Bitbucket Pipelines
```yaml
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Container-Scan
        services:
          - docker
        script:
          - docker build -t myapp:latest .
          - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
          - cs scan --strict myapp:latest
```
Other providers
The Docker-based scanners can be executed on any CI/CD provider that supports Docker images. The ss and cs standalone binaries can run on any provider that supports shell commands, with no Docker required. Refer to each provider's documentation for instructions on running shell scripts or Docker containers in their pipelines.
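The install-then-scan pattern above, wrapped as a portable POSIX sh function that can be dropped into any provider's shell step. This is an added example, not Fluid Attacks' own tooling; it assumes the installer URL layout shown on this page and that the installer places the binary on PATH. The FLUID_INSTALL_BASE variable is hypothetical.

```shell
#!/bin/sh
# Portable wrapper for the ss/cs standalone-binary pattern (added example).
set -eu

# Hypothetical override so a mirror can be used; defaults to the URL on this page.
INSTALL_BASE="${FLUID_INSTALL_BASE:-https://public.fluidattacks.com}"

# Install the requested scanner only when it is not already available.
# Returns 2 for an unknown scanner name so a typo fails loudly, not silently.
ensure_scanner() {
  scanner="$1"
  case "$scanner" in
    ss|cs) ;;
    *) echo "unsupported scanner: $scanner" >&2; return 2 ;;
  esac
  if command -v "$scanner" >/dev/null 2>&1; then
    return 0
  fi
  curl -fsSL "$INSTALL_BASE/$scanner/install.sh" | sh
}

# Run the scan in strict mode so findings break the build.
# Usage: run_fluid_scan <ss|cs> <target> [extra scanner args...]
# Propagates the scanner's exit code so the CI step fails on findings.
run_fluid_scan() {
  scanner="$1"; target="$2"; shift 2
  ensure_scanner "$scanner" || return $?
  rc=0
  "$scanner" scan --strict "$target" "$@" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "$scanner: no findings in $target"
  else
    echo "$scanner: findings detected in $target (exit $rc), failing the build" >&2
  fi
  return "$rc"
}
```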
General recommendations
- Trunk-based or feature-based development: We recommend integrating the scanners into trunk-based or feature-based workflows so that scans run only on changed files in a pull request or feature branch, preventing new vulnerabilities from being introduced into the codebase.
- Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, use the strict option in your configuration file. See the configuration documentation for details.
- Handling false positives: If the scanner reports what you consider a false positive, use the exclusions as code feature to prevent it from being reported in future scans.
Troubleshooting
For solutions to common errors and issues encountered during the scanning process, consult the "Scanner FAQ".