cs
Last updated: Jun 25, 2026
cs is Fluid Attacks' native binary for container scanning.
It scans your Docker images and identifies vulnerabilities.
Unlike the Docker-based scanners, cs is a single self-contained binary
that runs without Docker
and without asking for your account or API key.
Installation
Linux and macOS
Run the one-line installer:
curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh
This installs the cs binary to /usr/local/bin by default.
Verify the installation
cs --version
Quick scan
To scan a public container without a configuration file:
cs scan alpine:3.17
Findings are printed directly to the terminal.
Use --strict to exit with code 1 when vulnerabilities are found,
which is useful for blocking CI/CD pipelines:
cs scan --strict alpine:3.17
Scan with a configuration file
For more control over paths, output format, and scan behavior,
pass a YAML configuration file with --config:
cs scan --config cs-config.yaml
You cannot combine --config and a path argument in the same command.
Common scenarios
Scan multiple images
language: EN
namespace: universe
containers_sca:
  images:
    - image_uri: alpine:3.17
    - image_uri: ubuntu:latest
sbom:
  output:
    name: test/fluid-sbom
    format: fluid-json
output:
  file_path: test/fluid-sarif.sarif
  format: SARIF
Block the pipeline on findings
For pipeline gating with strict mode, see Distributed binaries.
Troubleshooting
For common installation troubleshooting (permission denied, PATH issues), see Distributed binaries.
No output file is produced
Verify that output.file_path is set in your configuration file
and that the extension is .sarif or .csv.
Any other extension causes an error.
Cannot use '--config' and a path together
--config and a positional path argument are mutually exclusive.
Use one or the other:
# Config file mode
cs scan --config cs-config.yaml
# Quick scan mode
cs scan alpine:3.17
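Both Troubleshooting cases above (an output.file_path that is missing or has the wrong extension, and --config combined with a path) can be caught before cs is invoked. The shell functions below are an added example, not Fluid Attacks code: the names cs_output_path, cs_check_config and cs_run and the exit status 64 are this example's own, and the awk lookup assumes block-style YAML like the sample configuration.

```shell
#!/bin/sh
# Added example (not Fluid Attacks code): pre-flight checks before calling cs.

# Print file_path from the top-level `output:` mapping only. The nested
# `sbom: output:` mapping is indented, so it never sets in_out.
# Assumption: block-style YAML like the sample config; not a full YAML parser.
cs_output_path() {
  awk '
    /^[^ \t#]/ { in_out = ($0 ~ /^output:[ \t]*(#.*)?$/); next }
    in_out && /^[ \t]+file_path:/ {
      sub(/^[ \t]+file_path:[ \t]*/, "")   # drop the key
      sub(/[ \t]+#.*$/, "")                # drop a trailing comment
      print
      exit
    }
  ' "$1" | tr -d "\"'"                     # drop surrounding quotes
}

# Return 0 only when output.file_path is set and ends in .sarif or .csv,
# the two extensions the Troubleshooting section names.
cs_check_config() {
  path=$(cs_output_path "$1")
  case "$path" in
    "") echo "cs preflight: output.file_path is not set in $1" >&2; return 1 ;;
    *.sarif|*.csv) return 0 ;;
    *) echo "cs preflight: '$path' must end in .sarif or .csv" >&2; return 1 ;;
  esac
}

# Run cs in exactly one mode: `cs_run --config FILE` or `cs_run IMAGE`.
# 64 is this example's own status for a rejected invocation; any other
# status comes from cs itself.
cs_run() {
  if [ "${1:-}" = "--config" ]; then
    if [ $# -ne 2 ]; then
      echo "cs preflight: --config and a path argument are mutually exclusive" >&2
      return 64
    fi
    cs_check_config "$2" || return 64
    cs scan --config "$2"
  elif [ $# -eq 1 ]; then
    cs scan --strict "$1"   # quick scan; exits 1 when vulnerabilities are found
  else
    echo "usage: cs_run --config FILE | cs_run IMAGE" >&2
    return 64
  fi
}
```

Source the file in a pipeline step and call cs_run in place of cs scan; a status of 64 means the invocation was rejected before cs started.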