CI/CD integration

Last updated: Apr 1, 2026


Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).

Run on GitHub Actions

SAST

The SAST scanner has a dedicated GitHub Action that requires no inputs. It auto-detects scan mode based on the trigger:

  Trigger                    Mode                What is scanned
  Push to default branch     Full scan           All files in sast.include paths
  Push to a feature branch   Differential scan   Only files changed relative to the default branch
  Pull request               Differential scan   Only files changed relative to the PR base branch

Note: In differential mode, if no files within your sast.include paths changed, the scan is skipped and no output file is produced. This is expected behavior, not an error. Keep it in mind for later steps that consume the output file: a SARIF upload step run with if: always() will fail when the file does not exist, so guard it with a condition such as hashFiles('results.sarif') != '' if your pipeline hits this case.

  1. Create .sast.yaml in your repository root:
language: EN
strict: false
output:
  file_path: results.sarif
  format: SARIF
sast:
  include:
    - .
  exclude: # Optional: paths to exclude from scanning
    - node_modules
    - vendor
  2. Add the workflow file .github/workflows/sast.yml:
name: SAST
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: fluidattacks/sast-action@1.1.0
        id: scan

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}

      # Optional: use vulnerabilities_found output for conditional steps
      - name: Fail if vulnerabilities found
        if: steps.scan.outputs.vulnerabilities_found == 'true'
        run: echo "Vulnerabilities detected!" && exit 1
  3. Commit both files and push. The scan runs automatically.

See the Marketplace page for all configuration options and output details.

SCA

The SCA scanner also has a dedicated GitHub Action with the same zero-input, auto-detected scan mode behavior as the SAST action.

  1. Create .sca.yaml in your repository root:
language: EN
strict: false
output:
  file_path: results.sarif
  format: SARIF
sca:
  include:
    - .
  2. Add the workflow file .github/workflows/sca.yml:
name: SCA
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: fluidattacks/sca-action@1.0.0
        id: scan

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}
  3. Commit both files and push. The scan runs automatically.

See the Marketplace page for all configuration options, output details, and troubleshooting.

Note: The Secret Scan GitHub Action is under development and will be available soon.

DAST and MAST scanners

For the scanners without a dedicated GitHub Action (DAST and MAST), use the Docker-based approach below. Replace the container image and command with the ones for the specific scanner. The example pins actions/checkout to a commit SHA; for reproducible results, pin the scanner image to a specific version tag rather than latest in the same way.

# .github/workflows/dast.yml
name: DAST Analysis
on: [push, pull_request]
jobs:
  machineStandalone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - uses: docker://docker.io/fluidattacks/probes:latest
        name: dastStandaloneAnalysis
        with:
          args: probes scan https://myapp.com

Run on GitLab CI

# .gitlab-ci.yml
machineStandalone:
  image: docker.io/fluidattacks/sast:latest
  script:
    - sast scan /dir/to/scan

Run on Travis CI

# .travis.yml
services:
  - docker
before_install:
  - docker pull fluidattacks/sast:latest
script:
  # The scanner is only installed inside the image, so mount the checked-out
  # repository into the container and run the scan there.
  - docker run -v "$TRAVIS_BUILD_DIR":/src fluidattacks/sast:latest sast scan /src

Run on Bitbucket Pipelines

Bitbucket Pipelines requires Docker in Docker (DinD):

# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Fluid-Attacks-SAST-Scanner
        services:
          - docker
        script:
          - docker pull fluidattacks/sast:latest
          # Mount the clone directory at an absolute path inside the container
          - docker run -v "$BITBUCKET_CLONE_DIR":/src fluidattacks/sast:latest sast scan /src/config.yaml

Other providers

The scanners can be executed on any CI/CD provider that supports Docker images. Refer to each provider's documentation for instructions on running Docker containers in their pipelines.

General recommendations

  • Trunk-based or feature-based development: Integrate the scanners into trunk-based or feature-based workflows so that the differential scan runs on the files changed in each pull request or feature branch, catching new vulnerabilities before they reach the main codebase.
  • Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, set strict: true in your configuration file (the example configuration files above use strict: false, which reports findings without failing the job). See the configuration documentation for details.
  • Handling false positives: If the scanner reports what you consider a false positive, use the exclusions-as-code feature so that it is not reported in future scans.
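The "Fail if vulnerabilities found" step in the GitHub Actions workflow and the strict option both break the build on any finding. When you want a finer gate, for example failing only on error-level results while still uploading warnings, you can evaluate the SARIF file the scanner writes yourself. The script below is an added example and is not code from the Fluid Attacks scanners or their GitHub Actions; it relies only on the standard SARIF 2.1.0 layout (runs[].results[] with level and ruleId, and runs[].tool.driver.rules[] for default levels). The threshold names, the sample document and the file names are constructed here for illustration.

```python
"""Severity gate for a SARIF results file produced in CI.

Added example, not part of the Fluid Attacks tooling. Assumes only the
SARIF 2.1.0 structure; everything else (sample data, thresholds) is constructed.
"""
import json
import sys
from collections import Counter
from collections.abc import Mapping
from pathlib import Path

# SARIF result levels, most to least severe. "none" marks informational results.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}

# Constructed sample in the SARIF 2.1.0 shape; not real scanner output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "RULE-A", "defaultConfiguration": {"level": "error"}},
            {"id": "RULE-B", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            # No explicit level: inherits "error" from the rule's default.
            {"ruleId": "RULE-A", "message": {"text": "hard-coded credential"}},
            # Explicit level overrides the rule default.
            {"ruleId": "RULE-B", "level": "warning", "message": {"text": "weak hash"}},
            # Inherits "note".
            {"ruleId": "RULE-B", "message": {"text": "verbose error page"}},
        ],
    }],
}


def count_by_level(sarif: dict) -> Counter:
    """Count results over all runs, keyed by their effective SARIF level.

    Per the SARIF spec, a result without `level` takes its rule's
    defaultConfiguration.level, and "warning" if that is absent too.
    """
    counts: Counter = Counter()
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", []) if "id" in r}
        for result in run.get("results", []):
            level = result.get("level")
            if level is None:
                rule = rules.get(result.get("ruleId"), {})
                level = rule.get("defaultConfiguration", {}).get("level", "warning")
            counts[level] += 1
    return counts


def should_fail(counts: Mapping[str, int], threshold: str) -> bool:
    """True if any result is at or above `threshold` severity."""
    if threshold not in LEVEL_RANK:
        raise ValueError(f"unknown threshold {threshold!r}; use one of {sorted(LEVEL_RANK)}")
    floor = LEVEL_RANK[threshold]
    return any(n > 0 and LEVEL_RANK.get(level, 0) >= floor for level, n in counts.items())


def evaluate(sarif: dict, threshold: str = "error") -> int:
    """Exit code for a CI step: 1 to break the build, 0 to let it pass."""
    counts = count_by_level(sarif)
    summary = ", ".join(f"{lvl}={n}" for lvl, n in sorted(counts.items())) or "no results"
    print(f"SARIF results: {summary}; threshold={threshold}")
    return 1 if should_fail(counts, threshold) else 0


def gate(path: str, threshold: str = "error") -> int:
    """Read `path` and evaluate it.

    A missing file is the differential-mode "nothing to scan" case the
    scanner documents as expected, so it passes instead of breaking the build.
    """
    p = Path(path)
    if not p.is_file():
        print(f"{path} not found: scan skipped, nothing to gate")
        return 0
    return evaluate(json.loads(p.read_text(encoding="utf-8")), threshold)


if __name__ == "__main__":
    # Usage: python sarif_gate.py results.sarif [error|warning|note]
    file_arg = sys.argv[1] if len(sys.argv) > 1 else "results.sarif"
    level_arg = sys.argv[2] if len(sys.argv) > 2 else "error"
    sys.exit(gate(file_arg, level_arg))
```

Run it as a step after the scanner (for example `run: python sarif_gate.py results.sarif warning` with `if: always()`), keeping strict: false in the configuration so the scanner itself does not fail the job first. Because a skipped differential scan leaves no file, the gate treats that as a pass rather than an error, matching the scanner's documented behavior.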

Troubleshooting

For solutions to common errors and issues encountered during the scanning process, consult the "Scanner FAQ".

Privacy: The GitHub Actions collect only anonymized programming language metadata for analytics; source code and scan results never leave your runner. See the EULA for details.
