Distributed binaries
Last updated: Jun 25, 2026
Fluid Attacks provides native binaries for security scanning that run directly on your machine or CI runner without Docker and without asking for your account or API key. Each binary is a single self-contained executable that you install once and run anywhere.
| Binary | Scanner | Description |
|---|---|---|
| ss | Secret Scanning | Detects hardcoded credentials, API keys, and tokens |
| cs | Container Scanning | Analyzes SCA vulnerabilities for Docker images |
How it works
All binaries share the same installation model:
a one-line installer downloads the pre-compiled binary for your platform
and places it in a directory on your PATH.
Each binary supports two execution modes:
- Quick scan — pass a path directly on the command line for an immediate scan with no configuration.
- Config-driven scan — pass a YAML configuration file for full control over paths, output format, and scan behavior.
Supported platforms
| OS | Architecture |
|---|---|
| Linux | x86_64, aarch64 |
| macOS | Apple Silicon (arm64) |
Intel Mac (x86_64) is not supported. Windows is not supported natively. Windows users should install via WSL (Windows Subsystem for Linux) and follow the Linux instructions.
Installation
Run the one-line installer for the binary you want.
By default,
it installs to /usr/local/bin.
If that directory is not writable (common on macOS),
install to a user-owned directory instead:
mkdir -p ~/.local/bin
curl -fsSL <installer-url> | INSTALL_DIR=~/.local/bin sh
Then make sure ~/.local/bin is on your PATH:
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
See each binary's page for its specific installer URL and platform notes.
Pipeline gating
To block a CI/CD pipeline when vulnerabilities or secrets are found,
use strict mode.
Both cs and ss support two ways to enable it:
Set strict: true in your configuration file:
strict: true
Or pass --strict to the CLI when scanning without a config:
cs scan --strict alpine:3.17
ss scan /path/to/project --strict
When strict mode is enabled, the scanner exits with code 1 if any findings are detected,
which causes most CI/CD systems to mark the job as failed and block the pipeline.
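The wrapper below is an added example, not Fluid Attacks' own code: it runs both scanners in strict mode, so that a failing ss scan does not stop the job before cs has reported, and then decides the job result once. The names run_scan, gate_status, gate_main and the file name gate.sh are hypothetical, and treating any exit code other than 0 or 1 as a scanner error is an assumption, because this page documents only exit code 1 for findings.

```sh
#!/bin/sh
# Added example: CI gate built on the strict-mode exit code described above.
# Assumption: only "exit code 1 on findings" is documented; any other
# non-zero status is treated here as a scanner error and also blocks the job.

GATE_FINDINGS=0   # scanners that reported findings (exit code 1)
GATE_ERRORS=0     # scanners that did not run correctly (other non-zero codes)

# run_scan LABEL CMD [ARGS...]: run one scanner, record the outcome, never abort.
run_scan() {
    label=$1; shift
    rc=0
    "$@" || rc=$?
    case $rc in
        0) echo "[gate] $label: no findings" ;;
        1) echo "[gate] $label: findings detected (strict mode)"
           GATE_FINDINGS=$((GATE_FINDINGS + 1)) ;;
        *) echo "[gate] $label: scanner error, exit code $rc" >&2
           GATE_ERRORS=$((GATE_ERRORS + 1)) ;;
    esac
    return 0
}

# gate_status: 0 = pass, 1 = findings, 2 = a scanner did not run correctly
# (for example 127 when the binary is not on PATH).
gate_status() {
    if [ "$GATE_ERRORS" -gt 0 ]; then return 2; fi
    if [ "$GATE_FINDINGS" -gt 0 ]; then return 1; fi
    return 0
}

# gate_main PROJECT_DIR IMAGE: run both scanners, then decide once.
gate_main() {
    run_scan "ss" ss scan "$1" --strict
    run_scan "cs" cs scan --strict "$2"
    gate_status
}

# Runs only when both arguments are given, e.g.: sh gate.sh . alpine:3.17
if [ "$#" -eq 2 ]; then
    gate_main "$1" "$2"
    exit $?
fi
```

Because a missing or broken scanner is counted as a failure, a runner where installation silently failed cannot pass the gate with zero findings.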
Common troubleshooting
Permission denied
The installer cannot write to /usr/local/bin because it requires root access.
Use a user-writable directory instead:
mkdir -p ~/.local/bin
curl -fsSL <installer-url> | INSTALL_DIR=~/.local/bin sh
Then make sure ~/.local/bin is on your PATH:
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
tar: could not chdir to '/usr/local/bin'
The install directory does not exist or is not accessible. Create it before running the installer:
mkdir -p /usr/local/bin
curl -fsSL <installer-url> | sh
Or use a custom directory:
mkdir -p ~/.local/bin
curl -fsSL <installer-url> | INSTALL_DIR=~/.local/bin sh
<binary>: command not found
The install directory is not on your PATH.
Add it:
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
Replace <installer-url> with the specific URL for the binary you installed
(ss or cs) and <binary> with its name.
See the individual binary pages for their exact installer URLs.