CI/CD integration

Last updated: Jul 17, 2026


Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).

Choose the delivery mechanism that best fits your workflow:

  • Docker containers: Works on any CI/CD provider that supports Docker images. Available for MAST, CSPM, DAST, SAST, and SCA.
  • GitHub Actions: Dedicated actions with native GitHub integration. Available for SAST, SCA, Secret Scan, DAST, and CI Gate.
  • Distributed binaries: Single-binary install, no Docker required. Currently available for Secret Scanning and Container Scanning.

Run with standalone binaries

The ss and cs standalone binaries can run on any CI/CD provider without Docker. The pattern is always the same: install the binary with the one-liner installer, then run the scan.

ss (secrets detection)

To attribute runs to your Fluid Attacks group, authenticate the scan. Any system that can issue OpenID Connect tokens can authenticate with no stored secret (the examples below use CI providers): name your group with --group and expose the token as INTEGRATES_OIDC_TOKEN (on GitHub Actions ss requests it automatically). Where OIDC is unavailable, set an INTEGRATES_API_TOKEN secret instead. Authentication is optional and does not block the scan. See Authentication for the full guide, including token-less OIDC federation setup.

# .github/workflows/ss.yml
name: Secret Scan
on: [push, pull_request]
permissions:
  id-token: write # allow the job to request an OIDC token
  contents: read
jobs:
  secretScan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - name: Install ss
        run: curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
      - name: Run secret scan
        run: ss scan --group my-group --strict .
# .gitlab-ci.yml
secretScan:
  image: ubuntu:latest
  id_tokens:
    INTEGRATES_OIDC_TOKEN:
      aud: https://app.fluidattacks.com
  script:
    - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
    - ss scan --group my-group --strict .
# .travis.yml
# Set INTEGRATES_API_TOKEN as a secret environment variable in Travis settings.
before_install:
  - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
script:
  - ss scan --strict .
# bitbucket-pipelines.yml
# Set INTEGRATES_API_TOKEN as a secured repository variable.
pipelines:
  default:
    - step:
        name: Secret-Scan
        script:
          - curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh
          - ss scan --strict .

cs (container scanning)

To attribute runs to your Fluid Attacks group, authenticate the scan. Any system that can issue OpenID Connect tokens can authenticate with no stored secret (the examples below use CI providers): name your group with --group and expose the token as INTEGRATES_OIDC_TOKEN (on GitHub Actions cs requests it automatically). Where OIDC is unavailable, set an INTEGRATES_API_TOKEN secret instead. Authentication is optional and does not block the scan. See Authentication for the full guide, including token-less OIDC federation setup.

# .github/workflows/cs.yml
name: Container Scan
on: [push, pull_request]
permissions:
  id-token: write # allow the job to request an OIDC token
  contents: read
jobs:
  containerScan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - name: Build image
        run: docker build -t myapp:latest .
      - name: Install cs
        run: curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
      - name: Run container scan
        run: cs scan --group my-group --strict myapp:latest
# .gitlab-ci.yml
containerScan:
  image: docker:latest
  id_tokens:
    INTEGRATES_OIDC_TOKEN:
      aud: https://app.fluidattacks.com
  script:
    - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
    - cs scan --group my-group --strict myapp:latest
# .travis.yml
# Set INTEGRATES_API_TOKEN as a secret environment variable in Travis settings.
services:
  - docker
before_install:
  - docker build -t myapp:latest .
  - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
script:
  - cs scan --strict myapp:latest
# bitbucket-pipelines.yml
# Set INTEGRATES_API_TOKEN as a secured repository variable.
pipelines:
  default:
    - step:
        name: Container-Scan
        services:
          - docker
        script:
          - docker build -t myapp:latest .
          - curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
          - cs scan --strict myapp:latest

General recommendations

  • Trunk-based or feature-based development: We recommend integrating the scanners into trunk-based or feature-based workflows so that scans run only on changed files in a pull request or feature branch, preventing new vulnerabilities from being introduced into the codebase.
  • Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, use the strict option in your configuration file. See the configuration documentation for details.
  • Handling false positives: If the scanner reports what you consider a false positive, use the exclusions as code feature to prevent it from being reported in future scans.

Troubleshooting

For solutions to common errors and issues encountered during the scanning process, consult the "Scanner FAQ".

On this page