Find and fixUse the CLIUse the scannersDistributed binariesss

ss

Last updated: May 15, 2026

ss is Fluid Attacks' native binary for secrets detection. It scans your source code for hardcoded credentials, API keys, tokens, and similar sensitive data. Unlike the Docker-based scanners, ss is a single self-contained binary — no Docker, no account, and no API key required.

Installation

Linux and macOS

Run the one-line installer:

curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh

This installs the ss binary to /usr/local/bin by default.

Verify the installation

ss --version

Quick scan

To scan a directory or file without a configuration file:

ss scan /path/to/your/project

Findings are printed directly to the terminal. Use --strict to exit with code 1 when secrets are found, which is useful for blocking CI/CD pipelines:

ss scan --strict /path/to/your/project

Scan with a configuration file

For more control over paths, output format, and scan behavior, pass a YAML configuration file with --config:

ss scan --config ss-config.yaml

You cannot combine --config and a path argument in the same command.

Common scenarios

Scan only specific directories (monorepo)

ss:
  include:
    - services/api/
    - services/web/
  exclude:
    - services/legacy/

Block the pipeline on findings

Set strict: true in your configuration file, or pass --strict to the CLI when scanning without a config:

strict: true
ss:
  include:
    - .

Reduce false positives

Raise min_entropy to filter out low-entropy tokens:

ss:
  include:
    - .
  min_entropy: 3.5

Troubleshooting

Permission denied

The installer cannot write to /usr/local/bin because it requires root access. Use a user-writable directory instead:

mkdir -p ~/.local/bin
curl -fsSL https://public.fluidattacks.com/ss/install.sh | INSTALL_DIR=~/.local/bin sh

Then make sure ~/.local/bin is on your PATH:

echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc

tar: could not chdir to '/usr/local/bin'

The install directory does not exist or is not accessible. Create it before running the installer:

mkdir -p /usr/local/bin
curl -fsSL https://public.fluidattacks.com/ss/install.sh | sh

Or use a custom directory:

mkdir -p ~/.local/bin
curl -fsSL https://public.fluidattacks.com/ss/install.sh | INSTALL_DIR=~/.local/bin sh

ss: command not found

The install directory is not on your PATH. Add it:

echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc

Too many false positives

Raise the min_entropy threshold in your configuration file. Start at 3.5 and adjust upward until the noise is acceptable.

No output file is produced

Verify that output.file_path is set in your configuration file and that the extension is .sarif or .csv. Any other extension causes an error.

Cannot use --config and a path together

--config and a positional path argument are mutually exclusive. Use one or the other:

# Config file mode
ss scan --config ss-config.yaml

# Quick scan mode
ss scan /path/to/project

Distributed binaries

Install and run Fluid Attacks' distributed binaries for security scanning without Docker or an account.

cs

Install and run the CS binary to analyze container images without an account.

On this page

InstallationLinux and macOSVerify the installationQuick scanScan with a configuration fileCommon scenariosScan only specific directories (monorepo)Block the pipeline on findingsReduce false positivesTroubleshootingPermission deniedtar: could not chdir to '/usr/local/bin'ss: command not foundToo many false positivesNo output file is producedCannot use --config and a path together