Docker in CI/CD
Last updated: May 22, 2026
Fluid Attacks' Docker containers work on any CI/CD provider that supports running Docker images.
GitHub Actions
For SAST, SCA, Secret Scan, DAST, and CI Gate, use the dedicated GitHub Actions instead of the Docker-based approach.
For scanners without a dedicated GitHub Action (APK, CSPM), use the Docker image directly in a workflow step:
# .github/workflows/apk.yml
name: APK Analysis
on: [push, pull_request]
jobs:
  apkScan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - uses: docker://docker.io/fluidattacks/apk:latest
        name: apkAnalysis
        with:
          args: apk scan myapp.apk

Replace the container URI and command with the ones for your scanner.
GitLab CI
# .gitlab-ci.yml
machineStandalone:
  image: docker.io/fluidattacks/sast:latest
  script:
    - sast scan /dir/to/scan

Travis CI
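# .travis.yml
services:
  - docker
before_install:
  - docker pull fluidattacks/sast:latest
script:
  # The sast binary exists only inside the image, so mount the checkout
  # read-only and run the scan in the container.
  - docker run -v "$PWD":/src:ro fluidattacks/sast:latest sast scan /src

Bitbucket Pipelines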
Bitbucket Pipelines requires Docker in Docker (DinD):
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Fluid-Attacks-SAST-Scanner
        services:
          - docker
        script:
          - docker pull fluidattacks/sast:latest
          - docker run -v "$PWD":/src:ro fluidattacks/sast:latest sast scan /src/config.yaml

Other providers
The Docker-based scanners can run on any CI/CD provider that supports Docker images. Replace the container image and command in the examples above with those for your chosen scanner. Refer to each provider's documentation for instructions on running Docker containers in their pipelines.
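
The GitHub Actions example above pins actions/checkout to a commit SHA, while every scanner image in the pipeline examples is referenced by the mutable latest tag. The following check is an added example, not Fluid Attacks' code: it reports scanner image references in CI configuration text that are not pinned by digest. The function name, the sample input and the all-zero digest are constructed for illustration.

```python
import re

# Scanner image reference: optional registry, fluidattacks/<name>,
# optional :tag, optional @sha256 digest.
IMAGE_REF = re.compile(
    r"(?<![\w./-])(?:docker://)?"
    r"(?P<repo>(?:[\w.-]+/)?fluidattacks/[\w.-]+)"
    r"(?::(?P<tag>[\w.-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)


def unpinned_images(ci_text):
    """Return (line_no, reference, reason) for each scanner image
    reference that is not pinned to an immutable digest."""
    findings = []
    for line_no, line in enumerate(ci_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment, e.g. the file-name header
        for match in IMAGE_REF.finditer(line):
            if match.group("digest"):
                continue  # content-addressed, cannot change under the tag
            tag = match.group("tag")
            reason = (f"mutable tag '{tag}'" if tag
                      else "no tag (defaults to latest)")
            findings.append((line_no, match.group(0), reason))
    return findings


# Constructed placeholder, not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample: three references in the forms used on this page,
# plus one digest-pinned form of the Bitbucket command.
SAMPLE = f"""\
- uses: docker://docker.io/fluidattacks/apk:latest
image: docker.io/fluidattacks/sast:latest
- docker pull fluidattacks/sast:latest
- docker run -v "$PWD":/src:ro fluidattacks/sast@{PLACEHOLDER_DIGEST} sast scan /src/config.yaml
"""

if __name__ == "__main__":
    for line_no, ref, reason in unpinned_images(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```

Run it over the pipeline file in a pre-merge job and fail the job when the returned list is not empty.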