Local run
Last updated: Mar 24, 2026
You can run any of Fluid Attacks' scanners locally using Docker.
First, to make sure you have the latest version available, you can execute the corresponding Docker pull command for each scanner. For example, for the SAST scanner:
docker pull fluidattacks/sast:latestFluid Attacks does not distribute tags according to versions. This tag will always contain the most up-to-date version of the tool thanks to Fluid Attacks' CI/CD process.
Now, to execute the scanner, there are multiple options available. You need to mount the container image over a directory and then call the CLI with one of the available commands.
For example, to execute the SAST scanner over your project directory, you can use the following command:
docker run --rm -v /dir/to/scan:/my-dir fluidattacks/sast:latest sast scan /my-dirReplace dir/to/scan with the actual path to your project directory.
Another option would be to navigate to your project directory
in your terminal
and then execute:
docker run --rm -v .:/my-dir fluidattacks/sca:latest sca scan /my-dirYou can also pass custom arguments like URLs and configuration files.
As shown in the previous examples, there is no need for a configuration file when running the SAST scan on a directory. In that case, the scanner executes all checks on the entire directory by default.
The option to run a scan on a directory is only available for the SAST and SCA scanners.
Another option to execute a scan is using a configuration file in YAML format. This allows you more granular control over the scanner, for example:
- Including or excluding certain paths for analysis
- Choosing which checks to execute
- Choosing special configuration options specific to each scanner
To run a scanner using a configuration file,
bind the configuration file to the Docker command as follows,
replacing /dir/to/scan and /path/to/config.yaml
with the appropriate paths for your scan directory and configuration file:
docker run --rm -v /dir/to/scan:/my-dir -v /path/to/config.yaml:/config.yaml fluidattacks/sast:latest sast scan /config.yamlAnother option would be to place the configuration file inside your project directory and execute:
docker run --rm -v /dir/to/scan:/my-dir fluidattacks/sast:latest sast scan /my-dir/config.yamlFor more information, read "Scan with a configuration file".
Troubleshooting
For solutions to common errors and issues encountered during the scanning process, consult the "Scanners FAQ".
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Use the scanners
Configure the Fluid Attacks scanners to use them as standalone, free and open-source tools for vulnerability scanning in your code, apps, and infrastructure.
CI/CD integration
Run Fluid Attacks SAST, SCA, and DAST scanners in your CI/CD pipeline with GitHub Actions, GitLab CI, Bitbucket Pipelines, and other providers.