Find and fixUse the CLIUse the scannersCI/CD integration

CI/CD integration

Last updated: Apr 24, 2026

Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).

Run on GitHub Actions

Fluid Attacks provides dedicated GitHub Actions for SAST, SCA, Secret Scan, and DAST. See the GitHub Actions section for setup guides, configuration options, and troubleshooting.

CSPM and MAST scanners

For the scanners without a dedicated GitHub Action, use the Docker-based approach. Replace the container URI and command with the ones for the specific scanner.

# .github/workflows/dast.yml
name: DAST Analysis
on: [push, pull_request]
jobs:
  machineStandalone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - uses: docker://docker.io/fluidattacks/mast:latest
        name: mastStandaloneAnalysis
        with:
          args: mast scan myapp.apk

Run on GitLab CI

# .gitlab-ci.yml
machineStandalone:
  image: docker.io/fluidattacks/sast:latest
  script:
    - sast scan /dir/to/scan

Run on Travis CI

# .travis.yml
services:
  - docker
before_install:
  - docker pull fluidattacks/sast:latest
  - docker run fluidattacks/sast:latest /bin/bash -c "cd /dir/to/scan"
script:
  - sast scan .

Run on Bitbucket Pipelines

Bitbucket Pipelines requires Docker in Docker (DinD):

# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Fluid-Attacks-SAST-Scanner
        services:
          - docker
        script:
          - docker pull fluidattacks/sast:latest
          - docker run -v $pwd:src fluidattacks/sast:latest sast scan ./src/config.yaml

Other providers

The scanners can be executed on any CI/CD provider that supports Docker images. Refer to each provider's documentation for instructions on running Docker containers in their pipelines.

General recommendations

  • Trunk-based or feature-based development: We recommend integrating the scanners into trunk-based or feature-based workflows so that scans run only on changed files in a pull request or feature branch, preventing new vulnerabilities from being introduced into the codebase.
  • Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, use the strict option in your configuration file. See the configuration documentation for details.
  • Handling false positives: If the scanner reports what you consider a false positive, use the exclusions as code feature to prevent it from being reported in future scans.

Troubleshooting

For solutions to common errors and issues encountered during the scanning process, consult the "Scanner FAQ".

Local run

Build security into development. Run the Fluid Attacks scanner locally as a standalone, free and open-source tool for vulnerability detection.

GitHub Actions

Use Fluid Attacks' dedicated GitHub Actions for SAST, SCA, and Secret Scan to integrate automated security testing into your CI/CD pipeline.

On this page

Run on GitHub ActionsCSPM and MAST scannersRun on GitLab CIRun on Travis CIRun on Bitbucket PipelinesOther providersGeneral recommendationsTroubleshooting