SAST action

Last updated: Jun 25, 2026


The SAST action runs Fluid Attacks' static application security testing scanner in your GitHub Actions workflows, detecting vulnerabilities in your source code on every push and pull request.

Marketplace: fluidattacks/sast-action

Scan modes

The action automatically picks the scan mode based on the workflow trigger. The default branch is detected automatically by running git remote show origin, so any branch name (main, master, trunk, develop, etc.) works without configuration.

Trigger                    Mode                What is scanned
Push to default branch     Full scan           All files in the repository
Push to a feature branch   Differential scan   Only files changed relative to the default branch
Pull request               Differential scan   Only files changed relative to the PR base branch

Setup

1. Create the workflow

Add .github/workflows/sast.yml to your repository:

name: SAST
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
  schedule:
    - cron: "0 8 * * 1" # optional: weekly full scan every Monday at 8am

permissions:
  contents: read
  security-events: write # required by upload-sarif to write to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Required for differential scanning

      - uses: fluidattacks/sast-action@<version> # Use latest released version
        id: scan

      # Optional: upload findings to the GitHub Security tab
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}

  • fetch-depth: 0 fetches the full git history. Without it, the action cannot determine which files changed relative to the default branch, and differential scans will not work correctly. You can omit it only if you force scanner_mode: full.
  • upload-sarif is optional. When included, run it with if: always() so results are uploaded even when the scan step exits with a non-zero code (e.g., when strict: true). It needs the security-events: write permission shown above; the default GITHUB_TOKEN does not have it on repositories whose default token permissions are read-only, and private repositories additionally need actions: read.

Without a configuration file, the action scans the entire repository and writes results to .fluidattacks-sast-results.sarif.

2. (Optional) Add a configuration file

To customize scan paths, output format, or strict mode, create a YAML configuration file anywhere in your repository and pass its path to the action via scan_config_path:

- uses: fluidattacks/sast-action@<version>
  id: scan
  with:
    scan_config_path: .github/sast-config.yaml

The path is relative to the repository root. The job fails immediately if the file does not exist at the given path.

3. Push and run

Commit the workflow file and push. The scan runs automatically on the next push or pull request.

Configuration

When scan_config_path is provided, the action uses that file exclusively. When omitted, the action runs with built-in defaults: scans the entire repository (sast.include: [.]) and writes results to .fluidattacks-sast-results.sarif.

language: EN
strict: false
output:
  file_path: results.sarif
  format: SARIF
sast:
  include:
    - .
  exclude: # Optional: paths to exclude from scanning
    - node_modules
    - vendor

  • language — language for vulnerability descriptions in the output (EN for English, ES for Spanish).
  • strict — when false, the scanner reports findings but does not fail the pipeline. Set to true to break the build on any detected vulnerability.
  • output.file_path — path where the results file is written. When format is SARIF or ALL, this path is also exposed as the sarif_file action output.
  • output.format — SARIF produces the standard format consumed by GitHub's code scanning API. Use CSV for a spreadsheet-friendly report, or ALL to generate both results.sarif and results.csv.
  • sast.include — list of paths the scanner analyzes. A single . means the entire repository.
  • sast.exclude — optional list of paths to skip.
  • checks — optional list of specific check IDs to run (not shown in the example above). Omit to run all checks.

Action inputs

Input              Required   Default   Description
scan_config_path   No         (none)    Path to the YAML configuration file, relative to the repository root. When omitted, built-in defaults are used. The job fails if the file does not exist.
scanner_mode       No         (auto)    Override the scan mode. full forces a full repository scan; diff forces a differential scan. If omitted, the mode is set automatically.

Forcing a full scan

Use scanner_mode: full to scan the entire repository on every run regardless of the trigger. This is useful for scheduled audits:

- uses: fluidattacks/sast-action@<version>
  id: scan
  with:
    scanner_mode: full

Action outputs

Output                  Description
sarif_file              Path to the SARIF results file (only set when output.format is SARIF or ALL)
vulnerabilities_found   true if any vulnerabilities were detected, false otherwise

You can use these outputs in subsequent workflow steps:

- name: Comment on PR
  if: steps.scan.outputs.vulnerabilities_found == 'true'
  run: echo "Vulnerabilities detected — check the Security tab."
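A fuller use of both outputs in later steps of the same job, as an added example that is not part of the action's documentation or code: it counts the results in the SARIF file with jq, writes the count to the job summary, and comments on the pull request when vulnerabilities_found is true. The step names, the findings output, and the comment text are assumptions made for this example; gh and jq are preinstalled on GitHub-hosted runners, and gh pr comment needs the pull-requests: write permission shown.

```yaml
# Added example: excerpt of the scan job, not the original workflow on this page.
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # needed by gh pr comment
      security-events: write # needed if you also keep the upload-sarif step
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: fluidattacks/sast-action@<version>
        id: scan

      - name: Summarize findings from the SARIF file
        id: summary
        # sarif_file is only set when output.format is SARIF or ALL
        if: always() && steps.scan.outputs.sarif_file != ''
        env:
          SARIF: ${{ steps.scan.outputs.sarif_file }}
        run: |
          set -euo pipefail
          # Every SARIF result, across all runs; "?" tolerates a run with no results key
          count="$(jq '[.runs[].results[]?] | length' "$SARIF")"
          echo "findings=$count" >> "$GITHUB_OUTPUT"
          echo "### SAST: $count finding(s)" >> "$GITHUB_STEP_SUMMARY"

      - name: Comment on the pull request
        if: github.event_name == 'pull_request' && steps.scan.outputs.vulnerabilities_found == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
          COUNT: ${{ steps.summary.outputs.findings }}
        run: >
          gh pr comment "$PR"
          --body "SAST found $COUNT vulnerability(ies) in the files changed by this PR. See the Security tab for details."
```

Two caveats. On a pull request the action runs a differential scan, so vulnerabilities_found and the count reflect only the changed files, not the whole repository. And for pull requests opened from forks the GITHUB_TOKEN is read-only, so the comment step fails there; guard it with a check on github.event.pull_request.head.repo.full_name == github.repository or accept the failure.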

Common scenarios

Monorepo: scan only specific folders

sast:
  include:
    - services/api/
    - services/web/
  exclude:
    - services/legacy/

Use this when running with scanner_mode: full but you only want certain directories analyzed; paths are relative to the repository root, and exclude is applied on top of include.

Strict mode: block merges with vulnerabilities

For common scenarios and troubleshooting, see GitHub Actions.
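The configuration and workflow for strict mode, assembled from the settings described under Configuration and Setup as an added example (not the page's own files): strict: true makes the scan step exit non-zero on any finding, which fails the job, while the upload step keeps running because of if: always(). The file paths and the exclude list are assumptions for this example.

```yaml
# file: .github/sast-config.yaml (added example)
language: EN
strict: true            # any detected vulnerability fails the scan step
output:
  file_path: results.sarif
  format: SARIF
sast:
  include:
    - .
  exclude:              # assumed paths; adjust to your repository
    - node_modules
    - vendor
---
# file: .github/workflows/sast.yml (added example, scan job only)
name: SAST
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  security-events: write # required by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # pull requests get a differential scan

      - uses: fluidattacks/sast-action@<version>
        id: scan
        with:
          scan_config_path: .github/sast-config.yaml

      # Runs even though the scan step fails in strict mode, so findings
      # still reach the Security tab alongside the red check.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif_file }}
```

A failing job only blocks the merge if the scan job is a required status check in the repository's branch protection rules or rulesets; strict: true on its own just turns the check red. Because pull requests run a differential scan, only vulnerabilities in the changed files can fail the check; findings elsewhere in the repository surface on the next full scan of the default branch.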

Troubleshooting

The action fails to detect the default branch

The action runs git remote show origin to detect the default branch. This requires fetch-depth: 0 in the checkout step so remote metadata is available, and it requires that the runner can reach the remote, since git remote show (without -n) queries it. If detection still fails, scanner_mode: full skips the need for a base branch at the cost of scanning the whole repository on every run.
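A preflight step that reproduces the mode selection described under Scan modes and fails early when the checkout cannot support it, as an added example that is not part of the action. It runs the same git remote show origin command, checks that the checkout is not shallow, prints the mode the table above would assign to the current event, and lists the files a differential scan would cover. The step names and the three-dot diff against origin/<base> are assumptions about how the action's differential scan behaves, used here only to show which files such a scan would cover.

```yaml
# Added example: a diagnostic job to run next to (or before) the SAST job.
name: SAST preflight
on:
  push:
  pull_request:

jobs:
  preflight:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check default-branch detection and expected scan mode
        shell: bash
        env:
          EVENT: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}   # branch name on push events
          PR_BASE: ${{ github.base_ref }}    # base branch on pull_request events
        run: |
          set -euo pipefail

          # Same command the action uses; the sed keeps only the "HEAD branch: <name>" value.
          default="$(git remote show origin | sed -n 's/^ *HEAD branch: //p')"
          [ -n "$default" ] || { echo "::error::could not detect the default branch via git remote show origin"; exit 1; }
          echo "default branch: $default"

          # A shallow checkout (fetch-depth left at 1) has no history to diff against.
          if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
            echo "::error::shallow checkout; set fetch-depth: 0 or force scanner_mode: full"
            exit 1
          fi

          # Mode selection as in the Scan modes table.
          base=""
          case "$EVENT" in
            pull_request) mode=diff; base="origin/$PR_BASE" ;;
            push)
              if [ "$REF_NAME" = "$default" ]; then mode=full
              else mode=diff; base="origin/$default"; fi ;;
            *) mode=full ;;   # e.g. schedule: runs on the default branch, full scan
          esac
          echo "expected scan mode: $mode"

          if [ "$mode" = diff ]; then
            # Assumption: a differential scan covers files changed since the
            # branch diverged from its base (three-dot diff).
            echo "files a differential scan would cover:"
            git diff --name-only "$base...HEAD"
          fi
```

If the first check fails while the same command works on your workstation, the runner cannot reach origin (self-hosted runners behind an egress proxy are the usual case). If the shallow-checkout check fails, the fetch-depth: 0 setting is missing or being overridden in the checkout step.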

See the Marketplace page for all configuration options and additional troubleshooting.