cs
Last updated: Jul 17, 2026
cs is Fluid Attacks' native binary for container scanning.
It scans your Docker images and identifies vulnerabilities.
Unlike the Docker-based scanners, cs is a single self-contained binary
that runs without Docker.
Installation
Linux and macOS
Run the one-line installer:
curl -fsSL https://public.fluidattacks.com/cs/install.sh | shThis installs the cs binary to /usr/local/bin by default.
Verify the installation
cs --versionQuick scan
To scan a public container without a configuration file:
cs scan alpine:3.17Findings are printed directly to the terminal.
Use --strict to exit with code 1 when vulnerabilities are found,
which is useful for blocking CI/CD pipelines:
cs scan --strict alpine:3.17Scan with a configuration file
For more control over paths, output format, and scan behavior,
pass a YAML configuration file with --config:
cs scan --config cs-config.yamlYou cannot combine --config and a path argument in the same command.
Authenticate (optional)
By default, cs runs without authenticating.
You can optionally authenticate so runs are attributed to your Fluid Attacks group.
Authentication is currently optional and never blocks a scan, but a future release will require it. We recommend adopting it now so your runs are attributed to your group.
Authenticate with your group's CI Gate token, supplied either way:
- Long-lived secret: set the
INTEGRATES_API_TOKENenvironment variable to a CI Gate token from Organization → Groups → GroupName → DevSecOps → Manage token in the platform. - Short-lived, via OIDC: from any system that can issue OpenID Connect tokens
(CI/CD, AWS, GCP, Kubernetes, and more), pass
--group <your-group>andcsobtains one per run with no stored secret. On GitHub Actions it is fetched automatically; on any other system, expose it as theINTEGRATES_OIDC_TOKENenvironment variable.
If both are set, the stored secret takes precedence.
See Authentication for the full guide, including OIDC federation setup.
The token is used only to identify the caller; it is never printed or written to logs.
Common scenarios
Scan multiple images
language: EN
namespace: universe
containers_sca:
images:
- image_uri: alpine:3.17
- image_uri: ubuntu:latest
sbom:
output:
name: test/fluid-sbom
format: fluid-json
output:
file_path: test/fluid-sarif.sarif
format: SARIFBlock the pipeline on findings
For pipeline gating with strict mode, see Distributed binaries.
Troubleshooting
For common installation troubleshooting (permission denied, PATH issues), see Distributed binaries.
No output file is produced
Verify that output.file_path is set in your configuration file
and that the extension is .sarif or .csv.
Any other extension causes an error.
Cannot use '--config' and a path together
--config and a positional path argument are mutually exclusive.
Use one or the other:
# Config file mode
cs scan --config cs-config.yaml
# Quick scan mode
cs scan alpine:3.17