ss
Last updated: Jul 17, 2026
ss is Fluid Attacks' native binary for secrets detection.
It scans your source code for hardcoded credentials,
API keys, tokens, and similar sensitive data.
Unlike the Docker-based scanners, ss is a single self-contained binary
that runs without Docker.
By default it runs without authenticating; you can optionally authenticate
to attribute runs to your Fluid Attacks group.
Installation
Linux and macOS
Run the one-line installer:
curl -fsSL https://public.fluidattacks.com/ss/install.sh | shThis installs the ss binary to /usr/local/bin by default.
Verify the installation
ss --versionQuick scan
To scan a directory or file without a configuration file:
ss scan /path/to/your/projectFindings are printed directly to the terminal.
Use --strict to exit with code 1 when secrets are found,
which is useful for blocking CI/CD pipelines:
ss scan /path/to/your/project --strictScan with a configuration file
For more control over paths, output format, and scan behavior,
pass a YAML configuration file with --config:
ss scan --config ss-config.yamlYou cannot combine --config and a path argument in the same command.
Authenticate (optional)
By default, ss runs without authenticating.
You can optionally authenticate so runs are attributed to your Fluid Attacks group.
Authentication is currently optional and never blocks a scan, but a future release will require it. We recommend adopting it now so your runs are attributed to your group.
Authenticate with your group's CI Gate token, supplied either way:
- Long-lived secret: set the
INTEGRATES_API_TOKENenvironment variable to a CI Gate token from Organization → Groups → GroupName → DevSecOps → Manage token in the platform. - Short-lived, via OIDC: from any system that can issue OpenID Connect tokens
(CI/CD, AWS, GCP, Kubernetes, and more), pass
--group <your-group>andssobtains one per run with no stored secret. On GitHub Actions it is fetched automatically; on any other system, expose it as theINTEGRATES_OIDC_TOKENenvironment variable.
If both are set, the stored secret takes precedence.
See Authentication for the full guide (including OIDC federation setup), and CI/CD integration for pipeline examples.
The token is used only to identify the caller; it is never printed or written to logs.
Common scenarios
Scan only specific directories (monorepo)
ss:
include:
- services/api/
- services/web/
exclude:
- services/legacy/Block the pipeline on findings
For pipeline gating with strict mode, see Distributed binaries.
Reduce false positives
Raise min_entropy to filter out low-entropy tokens:
ss:
include:
- .
min_entropy: 3.5Troubleshooting
For common installation troubleshooting (permission denied, PATH issues), see Distributed binaries.
Too many false positives
Raise the min_entropy threshold in your configuration file.
Start at 3.5 and adjust upward until the noise is acceptable.
No output file is produced
Verify that output.file_path is set in your configuration file
and that the extension is .sarif or .csv.
Any other extension causes an error.
Cannot use '--config' and a path together
--config and a positional path argument are mutually exclusive.
Use one or the other:
# Config file mode
ss scan --config ss-config.yaml
# Quick scan mode
ss scan /path/to/project