SAST action
Last updated: Apr 21, 2026
The SAST action runs Fluid Attacks' static application security testing scanner in your GitHub Actions workflows, detecting vulnerabilities in your source code on every push and pull request.
Marketplace: fluidattacks/sast-action
Scan modes
The action automatically picks the scan mode based on the workflow trigger.
The default branch is detected automatically by running git remote show origin,
so any branch name (main, master, trunk, develop, etc.) works without configuration.
| Trigger | Mode | What is scanned |
|---|---|---|
| Push to default branch | Full scan | All files in the repository |
| Push to a feature branch | Differential scan | Only files changed relative to the default branch |
| Pull request | Differential scan | Only files changed relative to the PR base branch |
Note: In differential mode, if no files within your sast.include paths changed, the scan is skipped and no output file is produced. This is expected behavior, not an error.
Setup
1. Create the workflow
Add .github/workflows/sast.yml to your repository:
```yaml
name: SAST
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
  schedule:
    - cron: "0 8 * * 1" # optional: weekly full scan every Monday at 8am
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Required for differential scanning
      - uses: fluidattacks/sast-action@<version> # Use latest released version
        id: scan
      # Optional: upload findings to the GitHub Security tab
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}
```
Replace <version> with the latest release tag. Find it on the Marketplace page.
fetch-depth: 0 fetches the full git history. Without it, the action cannot determine which files changed relative to the default branch, and differential scans will not work correctly. You can omit it only if you force scanner_mode: full.
upload-sarif is optional. When included, run it with if: always() so results are uploaded even when the scan step exits with a non-zero code (e.g., when strict: true).
Restriction: Uploading to the Security tab requires GitHub Advanced Security, which is available on all public repositories and on private repositories under a GitHub Advanced Security license. On private repositories without that license, the upload step will fail.
Without a configuration file, the action scans the entire repository and writes results
to .fluidattacks-sast-results.sarif.
2. (Optional) Add a configuration file
To customize scan paths, output format, or strict mode,
create a YAML configuration file anywhere in your repository
and pass its path to the action via scan_config_path:
```yaml
- uses: fluidattacks/sast-action@<version>
  id: scan
  with:
    scan_config_path: .github/sast-config.yaml
```
The path is relative to the repository root. The job fails immediately if the file does not exist at the given path.
3. Push and run
Commit the workflow file and push. The scan runs automatically on the next push or pull request.
Configuration
When scan_config_path is provided, the action uses that file exclusively.
When omitted, the action runs with built-in defaults:
scans the entire repository (sast.include: [.]) and writes results to .fluidattacks-sast-results.sarif.
```yaml
language: EN
strict: false
output:
  file_path: results.sarif
  format: SARIF
sast:
  include:
    - .
  exclude: # Optional: paths to exclude from scanning
    - node_modules
    - vendor
```
- language: language for vulnerability descriptions in the output (EN for English, ES for Spanish).
- strict: when false, the scanner reports findings but does not fail the pipeline. Set to true to break the build on any detected vulnerability.
- output.file_path: path where the results file is written. When format is SARIF or ALL, this path is also exposed as the sarif_file action output.
- output.format: SARIF produces the standard format consumed by GitHub's code scanning API. Use CSV for a spreadsheet-friendly report, or ALL to generate both results.sarif and results.csv.
- sast.include: list of paths the scanner analyzes. A single . means the entire repository.
- sast.exclude: optional list of paths to skip.
- checks: optional list of specific check IDs to run. Omit to run all checks.
Action inputs
| Input | Required | Default | Description |
|---|---|---|---|
| scan_config_path | No | — | Path to the YAML configuration file, relative to the repository root. When omitted, built-in defaults are used. The job fails if the file does not exist. |
| scanner_mode | No | (auto) | Override the scan mode. full forces a full repository scan; diff forces a differential scan. If omitted, the mode is set automatically. |
Forcing a full scan
Use scanner_mode: full to scan the entire repository on every run regardless of the trigger.
This is useful for scheduled audits:
```yaml
- uses: fluidattacks/sast-action@<version>
  id: scan
  with:
    scanner_mode: full
```
Action outputs
| Output | Description |
|---|---|
| sarif_file | Path to the SARIF results file (only set when output.format is SARIF or ALL) |
| vulnerabilities_found | true if any vulnerabilities were detected, false otherwise |
You can use these outputs in subsequent workflow steps:
```yaml
- name: Comment on PR
  if: steps.scan.outputs.vulnerabilities_found == 'true'
  run: echo "Vulnerabilities detected — check the Security tab."
```
Common scenarios
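As an added example that is not part of this page or of the action itself, the script below consumes the SARIF file that the sarif_file output points at, summarizes findings per rule and level (the kind of detail a PR comment step would post), and exits non-zero only when a finding reaches a chosen level. It relies on the standard SARIF 2.1.0 field names (runs, results, ruleId, level, locations); the embedded document is a constructed sample, not real scanner output.

```python
import json
import sys
from collections import Counter

# Constructed sample in the standard SARIF 2.1.0 layout (not real scanner output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "F001", "level": "error", "message": {"text": "SQL injection"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/api/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "F002", "level": "warning", "message": {"text": "Weak hash"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/web/auth.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "F001", "level": "error", "message": {"text": "SQL injection"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/api/users.py"},
                                                 "region": {"startLine": 88}}}]},
        ],
    }],
}

# SARIF result levels, least to most severe (the spec default for a missing level is "warning").
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def iter_findings(sarif):
    """Yield (rule_id, level, file, line) for every result in every run."""
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (r.get("ruleId", "?"), r.get("level", "warning"),
                   loc.get("artifactLocation", {}).get("uri", "?"),
                   loc.get("region", {}).get("startLine", 0))

def summarize(sarif):
    """Count findings per (rule, level) pair; this is what a PR comment would list."""
    return Counter((rule, level) for rule, level, _, _ in iter_findings(sarif))

def should_fail(sarif, threshold="error"):
    """True when at least one finding is at or above the threshold level."""
    return any(LEVEL_RANK.get(lvl, 2) >= LEVEL_RANK[threshold] for _, lvl, _, _ in iter_findings(sarif))

if __name__ == "__main__":
    # Usage: python summarize_sarif.py <path from steps.scan.outputs.sarif_file>
    doc = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_SARIF
    for (rule, level), n in sorted(summarize(doc).items()):
        print(f"{rule} [{level}]: {n}")
    sys.exit(1 if should_fail(doc, "error") else 0)
```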
Monorepo: scan only specific folders
```yaml
sast:
  include:
    - services/api/
    - services/web/
  exclude:
    - services/legacy/
```
Use this option when you run the scanner in full mode but only want certain directories analyzed.
Strict mode: block merges with vulnerabilities
Set strict: true in your configuration file and enable Require status checks to pass before merging
in your repository's branch protection settings.
```yaml
strict: true
```
If you want to break the build only for vulnerabilities above a certain severity threshold, use strictness_threshold. For example, set strictness_threshold: high in the configuration file:
```yaml
strictness_threshold: high
```
Export results as CSV
```yaml
output:
  file_path: results.csv
  format: CSV
```
Troubleshooting
No results appear in the Security tab
Make sure the upload step uses if: always() so it runs even when the scan finds vulnerabilities
with strict: true.
Differential scan analyzes all files instead of just changes
Verify that fetch-depth: 0 is set in the actions/checkout step.
Without full git history, the action cannot determine which files changed.
The action fails to detect the default branch
The action runs git remote show origin to detect the default branch.
This requires fetch-depth: 0 in the checkout step so remote metadata is available.
The pipeline fails unexpectedly
If strict: true is set in your configuration file, the pipeline fails whenever vulnerabilities are found.
Set strict: false to report findings without failing the pipeline.
The job fails with "not found in repository"
The path provided to scan_config_path does not exist in the repository.
Verify the path is correct and relative to the repository root.
See the Marketplace page for all configuration options and additional troubleshooting.