ss

Last updated: Jul 17, 2026


ss is Fluid Attacks' native binary for secrets detection. It scans your source code for hardcoded credentials, API keys, tokens, and similar sensitive data. Unlike the Docker-based scanners, ss is a single self-contained binary that runs without Docker. By default it runs without authenticating; you can optionally authenticate to attribute runs to your Fluid Attacks group.

Installation

Linux and macOS

Run the one-line installer:

curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh

This installs the ss binary to /usr/local/bin by default.

Verify the installation

ss --version

Quick scan

To scan a directory or file without a configuration file:

ss scan /path/to/your/project

Findings are printed directly to the terminal. Use --strict to exit with code 1 when secrets are found, which is useful for blocking CI/CD pipelines:

ss scan /path/to/your/project --strict

Scan with a configuration file

For more control over paths, output format, and scan behavior, pass a YAML configuration file with --config:

ss scan --config ss-config.yaml

Authenticate (optional)

By default, ss runs without authenticating. You can optionally authenticate so runs are attributed to your Fluid Attacks group.

Authenticate with your group's CI Gate token, supplied either way:

  • Long-lived secret: set the INTEGRATES_API_TOKEN environment variable to a CI Gate token from Organization → Groups → GroupName → DevSecOps → Manage token in the platform.
  • Short-lived, via OIDC: from any system that can issue OpenID Connect tokens (CI/CD, AWS, GCP, Kubernetes, and more), pass --group <your-group> and ss obtains one per run with no stored secret. On GitHub Actions it is fetched automatically; on any other system, expose it as the INTEGRATES_OIDC_TOKEN environment variable.

If both are set, the stored secret takes precedence.

See Authentication for the full guide (including OIDC federation setup), and CI/CD integration for pipeline examples.

The token is used only to identify the caller; it is never printed or written to logs.

Common scenarios

Scan only specific directories (monorepo)

ss:
  include:
    - services/api/
    - services/web/
  exclude:
    - services/legacy/

Block the pipeline on findings

For pipeline gating with strict mode, see Distributed binaries.

Reduce false positives

Raise min_entropy to filter out low-entropy tokens:

ss:
  include:
    - .
  min_entropy: 3.5

Troubleshooting

For common installation troubleshooting (permission denied, PATH issues), see Distributed binaries.

Too many false positives

Raise the min_entropy threshold in your configuration file. Start at 3.5 and adjust upward until the noise is acceptable.

No output file is produced

Verify that output.file_path is set in your configuration file and that the extension is .sarif or .csv. Any other extension causes an error.

Cannot use '--config' and a path together

--config and a positional path argument are mutually exclusive. Use one or the other:

# Config file mode
ss scan --config ss-config.yaml

# Quick scan mode
ss scan /path/to/project

On this page