cs

Last updated: Jul 17, 2026


cs is Fluid Attacks' native binary for container scanning. It scans your Docker images and identifies vulnerabilities. Unlike the Docker-based scanners, cs is a single self-contained binary that runs without Docker.

Installation

Linux and macOS

Run the one-line installer:

curl -fsSL https://public.fluidattacks.com/cs/install.sh | sh

This installs the cs binary to /usr/local/bin by default.

Verify the installation

cs --version

Quick scan

To scan a public container without a configuration file:

cs scan alpine:3.17

Findings are printed directly to the terminal. Use --strict to exit with code 1 when vulnerabilities are found, which is useful for blocking CI/CD pipelines:

cs scan --strict alpine:3.17

Scan with a configuration file

For more control over paths, output format, and scan behavior, pass a YAML configuration file with --config:

cs scan --config cs-config.yaml

Authenticate (optional)

By default, cs runs without authenticating. You can optionally authenticate so runs are attributed to your Fluid Attacks group.

Authenticate with your group's CI Gate token, supplied either way:

  • Long-lived secret: set the INTEGRATES_API_TOKEN environment variable to a CI Gate token from Organization → Groups → GroupName → DevSecOps → Manage token in the platform.
  • Short-lived, via OIDC: from any system that can issue OpenID Connect tokens (CI/CD, AWS, GCP, Kubernetes, and more), pass --group <your-group> and cs obtains one per run with no stored secret. On GitHub Actions it is fetched automatically; on any other system, expose it as the INTEGRATES_OIDC_TOKEN environment variable.

If both are set, the stored secret takes precedence.

See Authentication for the full guide, including OIDC federation setup.

The token is used only to identify the caller; it is never printed or written to logs.

Common scenarios

Scan multiple images

language: EN
namespace: universe
containers_sca:
  images:
    - image_uri: alpine:3.17
    - image_uri: ubuntu:latest
sbom:
  output:
    name: test/fluid-sbom
    format: fluid-json
output:
  file_path: test/fluid-sarif.sarif
  format: SARIF

Block the pipeline on findings

For pipeline gating with strict mode, see Distributed binaries.

Troubleshooting

For common installation troubleshooting (permission denied, PATH issues), see Distributed binaries.

No output file is produced

Verify that output.file_path is set in your configuration file and that the extension is .sarif or .csv. Any other extension causes an error.

Cannot use '--config' and a path together

--config and a positional path argument are mutually exclusive. Use one or the other:

# Config file mode
cs scan --config cs-config.yaml

# Quick scan mode
cs scan alpine:3.17

On this page