cs

Last updated: May 15, 2026


cs is Fluid Attacks' native binary for container scanning. It scans your Docker images and identifies vulnerabilities. Unlike the Docker-based scanners, cs is a single self-contained binary — no Docker, no account, and no API key required.

Installation

Linux and macOS

Run the one-line installer:

curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh

This installs the cs binary to /usr/local/bin by default.

Verify the installation

cs --version

Quick scan

To scan a public container image without a configuration file:

cs scan alpine:3.17

Findings are printed directly to the terminal. Use --strict to exit with code 1 when secrets are found, which is useful for blocking CI/CD pipelines:

cs scan --strict alpine:3.17

Scan with a configuration file

For more control over paths, output format, and scan behavior, pass a YAML configuration file with --config:

cs scan --config cs-config.yaml

You cannot combine --config and a path argument in the same command.

Common scenarios

Scan multiple images

language: EN
namespace: universe
containers_sca:
  images:
    - image_uri: alpine:3.17
    - image_uri: ubuntu:latest
sbom:
  output:
    name: test/fluid-sbom
    format: fluid-json
output:
  file_path: test/fluid-sarif.sarif
  format: SARIF

Block the pipeline on findings

Set strict: true in your configuration file, or pass --strict to the CLI when scanning without a config.
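When the pipeline should block only on the most severe findings, a follow-up step can read the SARIF report written to output.file_path and return exit code 1 itself. The script below is an added example, not part of cs or of Fluid Attacks' documentation; it relies only on standard SARIF 2.1.0 fields, and the sample report, its rule IDs, and the function names are constructed for illustration.

```python
import json
import sys

# SARIF 2.1.0 result levels, least to most severe.
LEVELS = ["none", "note", "warning", "error"]

# Constructed sample report: rule IDs and messages are placeholders, not real cs output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "RULE-A", "defaultConfiguration": {"level": "error"}},
        {"id": "RULE-B"}]}},
    "results": [
        {"ruleId": "RULE-A", "ruleIndex": 0, "message": {"text": "constructed 1"}},
        {"ruleId": "RULE-B", "ruleIndex": 1, "message": {"text": "constructed 2"}},
        {"ruleId": "RULE-A", "level": "note", "message": {"text": "constructed 3"}},
    ],
}]})


def effective_level(result, rules):
    """Explicit result level, else the rule's default, else SARIF's default 'warning'."""
    idx = result.get("ruleIndex", -1)
    rule = rules[idx] if 0 <= idx < len(rules) else next(
        (r for r in rules if r.get("id") == result.get("ruleId")), {})
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
    return level if level in LEVELS else "warning"  # unknown values count as warnings


def count_by_level(sarif_text):
    """Count findings per effective level across every run in the report."""
    counts = dict.fromkeys(LEVELS, 0)
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules") or []
        for result in run.get("results") or []:
            counts[effective_level(result, rules)] += 1
    return counts


def gate(sarif_text, threshold="error"):
    """Return 1 (block the pipeline) if any finding is at or above threshold, else 0."""
    counts = count_by_level(sarif_text)
    return 1 if any(counts[lvl] for lvl in LEVELS[LEVELS.index(threshold):]) else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py test/fluid-sarif.sarif  (no argument: use the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    print(count_by_level(text))
    sys.exit(gate(text))
```
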

Troubleshooting

Permission denied

The installer cannot write to /usr/local/bin because it requires root access. Use a user-writable directory instead:

mkdir -p ~/.local/bin
curl -fsSL https://public.fluidattacks.com/cs/install.sh | INSTALL_DIR=~/.local/bin sh

Then make sure ~/.local/bin is on your PATH:

echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc

tar: could not chdir to '/usr/local/bin'

The install directory does not exist or is not accessible. Create it before running the installer:

mkdir -p /usr/local/bin
curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh

Or use a custom directory:

mkdir -p ~/.local/bin
curl -fsSL https://public.fluidattacks.com/cs/install.sh | INSTALL_DIR=~/.local/bin sh

cs: command not found

The install directory is not on your PATH. Add it:

echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc

No output file is produced

Verify that output.file_path is set in your configuration file and that the extension is .sarif or .csv. Any other extension causes an error.

Cannot use --config and a path together

--config and a positional path argument are mutually exclusive. Use one or the other:

# Config file mode
cs scan --config cs-config.yaml

# Quick scan mode
cs scan alpine:3.17
