CI/CD integration

Last updated: May 22, 2026


Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).

Choose the delivery mechanism that best fits your workflow:

  • Docker containers: Works on any CI/CD provider that supports Docker images. Available for APK, CSPM, DAST, SAST, and SCA.
  • GitHub Actions: Dedicated actions with native GitHub integration. Available for SAST, SCA, Secret Scan, DAST, and CI Gate.
  • Standalone binaries: Single-binary install, no Docker required. Currently available for Secret Scanning and Container Scanning.

Run with standalone binaries

The ss and cs standalone binaries run on any CI/CD provider without Docker (the cs examples below use Docker only to build the image being scanned, not to run the scanner). The pattern is always the same: install the binary with the one-line installer, then run the scan.
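The one-line installer above pipes a script fetched over the network straight into sh. The following is an added example (not Fluid Attacks' installer or code) of the same install step with the script downloaded to a file first and its SHA-256 compared against a digest you recorded when you last reviewed it, so a changed installer fails the job instead of running. The expected digest shown in the usage comment is a placeholder; the real value must be recorded by you, since this page publishes none.

```shell
#!/bin/sh
# Added example, not Fluid Attacks' own code: download the installer, check its
# SHA-256 against a previously recorded digest, and run it only on a match.
# The digest in the usage comment at the bottom is a placeholder (all zeros).
set -eu

# Print the SHA-256 hex digest of a file, using whichever tool the CI image has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Return 0 when FILE's digest equals EXPECTED, 1 otherwise.
verify_digest() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
}

# Download URL to a temporary file and execute it with sh only if it matches EXPECTED.
# --proto '=https' and --tlsv1.2 refuse plaintext or downgraded transports.
install_verified() {
  url="$1"; expected="$2"
  tmp=$(mktemp)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  if verify_digest "$tmp" "$expected"; then
    sh "$tmp"
    rm -f "$tmp"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage in a CI step (replace the placeholder with the digest you recorded):
# install_verified https://public.fluidattacks.com/ss/install.sh \
#   0000000000000000000000000000000000000000000000000000000000000000
```

Because the vendor can legitimately update the installer, a mismatch is a signal to re-review the script and record the new digest, not something to bypass; keep the recorded digest in version control next to the pipeline definition so changes to it are reviewed like any other code.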

ss (secrets detection)

GitHub Actions

# .github/workflows/ss.yml
name: Secret Scan
on: [push, pull_request]
jobs:
  secretScan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - name: Install ss
        run: curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
      - name: Run secret scan
        run: ss scan --strict .

GitLab CI

# .gitlab-ci.yml
secretScan:
  image: ubuntu:latest
  script:
    # ubuntu:latest does not ship curl, so install it before fetching the installer
    - apt-get update && apt-get install -y --no-install-recommends ca-certificates curl
    - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
    - ss scan --strict .

Travis CI

# .travis.yml
before_install:
  - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
script:
  - ss scan --strict .

Bitbucket Pipelines

# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Secret-Scan
        script:
          - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
          - ss scan --strict .

cs (container scanning)

GitHub Actions

# .github/workflows/cs.yml
name: Container Scan
on: [push, pull_request]
jobs:
  containerScan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - name: Build image
        run: docker build -t myapp:latest .
      - name: Install cs
        run: curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
      - name: Run container scan
        run: cs scan --strict myapp:latest

GitLab CI

# .gitlab-ci.yml
containerScan:
  image: docker:latest
  services:
    # Docker-in-Docker so the job can build the image it scans; the runner must be
    # configured for it (DOCKER_HOST / TLS settings as described in the GitLab docs)
    - docker:dind
  script:
    # the Alpine-based docker image does not ship curl
    - apk add --no-cache curl
    - docker build -t myapp:latest .
    - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
    - cs scan --strict myapp:latest

Travis CI

# .travis.yml
services:
  - docker
before_install:
  - docker build -t myapp:latest .
  - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
script:
  - cs scan --strict myapp:latest

Bitbucket Pipelines

# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Container-Scan
        services:
          - docker
        script:
          - docker build -t myapp:latest .
          - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
          - cs scan --strict myapp:latest

General recommendations

  • Trunk-based or feature-based development: We recommend integrating the scanners into trunk-based or feature-based workflows so that scans run only on changed files in a pull request or feature branch, preventing new vulnerabilities from being introduced into the codebase.
  • Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, enable strict mode, either with the --strict option used in the examples above or in your configuration file. See the configuration documentation for details.
  • Handling false positives: If the scanner reports what you consider a false positive, use the exclusions as code feature to prevent it from being reported in future scans.
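The first recommendation, scanning only the files a pull request or feature branch changed, can be implemented with git alone. The script below is an added example and not Fluid Attacks' code: it lists the files changed since the branch diverged from its base, stages them into a scratch directory, and runs `ss scan --strict` on that directory, which is the same invocation shape this page documents, so it relies on no scanner option beyond `--strict`. It assumes git is on the PATH, that the clone has enough history for `git merge-base`, and that `BASE_REF` (a hypothetical variable introduced here) is set on providers other than GitHub and GitLab.

```shell
#!/bin/sh
# Added example, not Fluid Attacks' own code: scan only the files changed on a
# feature branch or pull request, relative to its base branch.
# Assumes git is available and the clone is not shallow; BASE_REF is a
# hypothetical override for providers that do not export a base branch name.
set -eu

# List files added, copied, modified or renamed since HEAD diverged from BASE.
# Deleted files are skipped: there is nothing left to scan.
changed_files() {
  base="$1"
  git diff --name-only --diff-filter=ACMR "$(git merge-base "$base" HEAD)" HEAD
}

# Pick the base branch from the CI provider's environment, defaulting to main.
# GITHUB_BASE_REF is set on GitHub pull_request events;
# CI_MERGE_REQUEST_TARGET_BRANCH_NAME on GitLab merge request pipelines.
base_ref() {
  if [ -n "${GITHUB_BASE_REF:-}" ]; then
    echo "origin/${GITHUB_BASE_REF}"
  elif [ -n "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-}" ]; then
    echo "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}"
  else
    echo "${BASE_REF:-main}"
  fi
}

# Copy the changed files into DEST, preserving relative paths, and print how many
# files were staged so the caller can skip the scan when nothing changed.
stage_changed() {
  base="$1"; dest="$2"
  changed_files "$base" | while IFS= read -r path; do
    mkdir -p "$dest/$(dirname "$path")"
    cp "$path" "$dest/$path"
  done
  find "$dest" -type f | wc -l | tr -d ' '
}

# Stage and scan. --strict makes the scanner exit non-zero on findings, which
# breaks the build; the scratch directory is removed either way.
scan_changed() {
  stage=$(mktemp -d)
  if [ "$(stage_changed "$(base_ref)" "$stage")" -eq 0 ]; then
    echo "No changed files to scan"
    rm -rf "$stage"
    return 0
  fi
  status=0
  ss scan --strict "$stage" || status=$?
  rm -rf "$stage"
  return "$status"
}
```

Two caveats: `git merge-base` needs the base branch's history, and actions/checkout clones with `fetch-depth: 1` by default, so set `fetch-depth: 0` on the checkout step (and avoid shallow clones on other providers). Findings are reported with paths under the scratch directory rather than the repository root, since the scanner sees the staged copy; the relative path after the scratch prefix is the original file.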

Troubleshooting

For solutions to common errors and issues encountered during the scanning process, consult the "Scanner FAQ".
