Everything at Fluid Attacks is Open Source. This means that you can download, inspect, modify and enhance the source code that powers it all.

Going Open Source gives our customers the confidence that what we do is transparent and secure.

To verify the OWASP Benchmark results, we'll need to:

  1. Meet the requirements for installing Fluid Attacks' scanner.

  2. Install the scanner as explained in the Fluid Attacks' scanner installation guide.

  3. Clone the OWASP Benchmark 1.2.

    We are using a Fluid Attacks fork that adds support for parsing the scanner results.

    git clone benchmark
    cd benchmark

    There is an open pull request in the official OWASP Benchmark repository to add this support natively.

  4. Create a config file as follows:

    # Checks to run
    checks:
    - F004
    - F008
    - F021
    - F034
    - F042
    - F052
    - F063
    - F089
    - F107
    - F112
    namespace: OWASP
    output: results/Benchmark_1.2-Fluid-Attacks-v2021.csv
    # Scan the current directory (the cloned benchmark)
    path:
      include:
      - .

  5. Execute:

    m gitlab:fluidattacks/[email protected] /skims scan config.yaml

    This will take some time, enough to drink a coffee.

    When the scan finishes, the results file will be in the results/ folder, named after Fluid Attacks and with a CSV extension (results/Benchmark_1.2-Fluid-Attacks-v2021.csv, as set in the config file).

  6. At this point you can generate a scorecard for the tool:

    mvn compile

  7. Open the results in your browser.

    firefox scorecard/OWASP_Benchmark_Home.html

    Or, with Chrome:

    google-chrome-stable scorecard/OWASP_Benchmark_Home.html