Configure the tests by the standalone scanner | Fluid Attacks Help

Configure the tests by the standalone scanner

Fluid Attacks' scanner is an AppSec testing tool that scans your source code, infrastructure, and applications, then reports any security vulnerabilities it finds. You can use the scanner in two ways:

The scanner is available for use as follows:

  1. Paid Software as a Service (SaaS): Included in Fluid Attacks' Essential and Advanced plans. In this case, Fluid Attacks handles all the configuration, as the scanner continuously monitors your system's security and provides reports and analytics on Fluid Attacks' platform.
  2. Free and open-source command-line interface (CLI) tool: Using the scanner as a standalone tool, you are in charge of its configuration. It scans your chosen target of evaluation for vulnerabilities and reports the results directly in the CLI or in CSV or SARIF formats. Fluid Attacks provides Docker containers with the standalone scanner CLI, available on the Docker Hub repository.

This page guides you through configuring the standalone CLI tool.

CLI structure

Fluid Attacks' CLI follows this structure:

skims [GLOBAL_OPTIONS] COMMAND [OPTIONS] [ARGUMENTS]

CLI global options

--help

Use the --help flag to get information about the tool's usage and a description of each available argument.

Example:

skims --help

--strict

Use the --strict flag to r un the scanner in strict mode. This means the execution will fail (with an exit code 1) if it finds any vulnerabilities in your targets. This is ideal for using the scanner as a CI/CD job.

Example (replace path/to/config.yaml with the actual path to your configuration file, if using one):

skims --strict scan path/to/config.yaml

CLI command

Use this command to perform vulnerability scanning.

skims scan .

scan options

InfoIn the first two options below, the files will be generated in the execution path with a static name. The phrase "path to directory" refers to the directory you want to scan. If you need more control over where the results file is generated, use a configuration file.

--csv

Output the scan results in comma-separated values (CSV) format, creating a skims_output.csv file in the execution path.

Example (replace path/to/directory with the actual path to your scanning target):

skims scan --csv path/to/directory

--sarif

Output the scan results in Static Analysis Results Interchange Format (SARIF), creating a skims_output.sarif file in the execution path.

Example (replace path/to/directory with the actual path to your scanning target):

skims scan --sarif path/to/directory

--execution-module

Use this option when you have a configuration file. If the file configures multiple modules, you can select which module(s) to execute (apk, cspm, dast, sast, sca). Choose one or more modules, separating them with commas (no spaces).

Example (replace path/to/config.yaml with the actual path to your configuration file):

skims scan path/to/config.yaml --execution-module cspm,dast

scan arguments

Configuration file

This argument is the path to a YAML configuration file where you customize the vulnerability scanner's execution.

Example (replace path/to/config.yaml with the actual path to your configuration file):

skims scan path/to/config.yaml

Advice on configuration file

Directory

This argument is the path to the directory you want to scan.

Example (replace path/to/directory with the actual path to your target):

skims scan path/to/directory

URL

This argument is a URL. The Fluid Attacks scanner can evaluate two types of URLs:

  1. Git repository URL: If it is a URL of a Git repository, Fluid Attacks' AppSec testing tool downloads the repository and analyzes it with static application security testing (SAST) and software composition analysis (SCA).

    Example:

    skims scan https://github.com/tree-sitter/tree-sitter.git

  2. Page or web application URL: If it is the URL of a page or web application, the scanner performs dynamic application security testing (DAST).

    Example:

    skims scan https://git-scm.com

Create a configuration file

The most flexible way to run the scanner is with a YAML configuration file. Here is a simple and recommended example:

namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN
apk:
  include:
    - glob(**/*.apk)
sast:
  include:
    - .
  exclude:
    - glob(**/node_modules/**)
    - glob(**/test/**)
sca:
  include:
    - .
  exclude:
    - glob(**/test/**)

Advice on customizing the scan
Check Configuration file keys and Specify the path for details on all the keys and path formats to utilize the scanner's full capabilities.

Configuration file keys

Here is a breakdown of what each key in the configuration file represents. All keys are optional, so you can customize scans to your needs. Therefore, the tool should function correctly even if some keys are missing from the configuration file.

namespace

namespace indicates a name for the analysis, typically the name of the repository being analyzed. For example:

namespace: my_app

working_dir

working_dir indicates the path to the repository you want to analyze. If configuring paths in the apk, dastor sca keys, write such paths relative to this directory. For example:

working_dir: /absolute/path/to/directory

commit

Use commit to run a specific version of the standalone scanner. Just provide the commit SHA of the version you want to use. You can find the list of commits on GitLab. For example:

commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38

language

language indicates the language for the vulnerability report. Valid values are EN (English) and ES (Spanish). The value defaults to EN if not specified. For example:

language: ES

output

output indicates where scan results are stored and in what format. By default, vulnerability reports are displayed in the terminal. You can use these options:

  1. file_path: Defines the output file location
  2. format: Defines the output format, which can be CSV (comma-separated values) or SARIF (Static Analysis Results Interchange Format)
For example:
    output:
      - file_path: relative/path/to/file
      - format: CSV
    Advice on scanner output
    Read Understand the scanner output for more details.

    checks

    checks specifies which types of vulnerabilities to look for. See the documentation of types in Fluid Attacks' classification, which includes detailed descriptions, to make your choice. If this key is not present, the target is checked for all types. This is generally recommended to ensure comprehensive scans. The following is an example for checking against F050 (Guessed weak credentials) and F277 ( Weak credential policy - Password Expiration):

    checks:
      - F050
      - F277

    strict

    strict configures the scan to run in strict mode, failing the execution (breaking the build) if any vulnerabilities are found (with an exit code 1). Ideal for using the scanner as a CI/CD job. Enable strict mode as follows:

    strict: true

    file_size_limit

    By default, there is a file size limit to prevent long analysis times. Set file_size_limit to false to remove the limit if crucial files are omitted as a result:

    file_size_limit: false

    sast

    sast activates the static application security testing technique for source code analysis. This key has three configuration options:

    1. include (mandatory): Paths to files or directories to analyze
    2. exclude (optional): Files or directories to exclude from the analysis
    3. recursion-limit (optional): Set an integer limit for recursion depth, which is useful if SAST execution takes too long (over 1 hour) or encounters memory/recursion errors (the recommended value for this option is 1000).
    For example:
      sast:
        include:
          - /relative/path/to/file
          - relative/path/to/directory/
        # Optional keys
        exclude:
          - glob(**/node_modules/)
        recursion-limit: 1000

      Advice on the file format
      Read Specify the path for information about the path format recognized by Fluid Attacks' AppSec testing tool.

      sca

      sca activates software composition analysis for your source code. This key has two configuration options:

      1. include (mandatory): Paths to files or directories to analyze
      2. exclude (optional): Files or directories to exclude from the analysis
      For example:
        sca:
          include:
            - /relative/path/to/file
            - relative/path/to/directory/
          # Optional keys
          exclude:
            - glob(**/test/)

        apk

        apk activates the reverse engineering checks for Android APKs. This key has two configuration options:

        1. include (mandatory): Paths to files or directories to analyze
        2. exclude (optional): Files or directories to exclude from the analysis
        For example:
          apk:
            include:
              - /relative/path/to/file
              - relative/path/to/directory/
            # Optional keys
            exclude:
              - glob(src/**/test*.apk)

          cspm

          cspm activates cloud security posture management scans for your cloud environments. This requires you to provide credentials for each environment. Each sub-key (aws_credentialsazure_credentials, and gcp_credentials) is optional, and for each one you must provide at least one set of credentials. For example:

          namespace: namespace
          cspm:
            # For AWS
            aws_credentials:
              - access_key_id: "000f"
                secret_access_key: "000f"
              - access_key_id: "000e"
                secret_access_key: "000e"
            # For Azure
            azure_credentials:
              - client_id: "000f"
                client_secret: "000f"
                tenant_id: "0000f"
                subscription_id: "000f"
            # For GCP
            gcp_credentials:
              - private_key: "000f"
              - private_key: "000e"

          dast

          dast activates the evaluation of your system's endpoints through dynamic application security testing. This key has three configuration options:

          1. urls (mandatory): URLs to analyze
          2. http_checks (optional): Disable HTTP checks for the URLs (defaults to true)
          3. ssl_checks (optional): Disable SSL checks for the URLs (defaults to true)
          For example:
            dast:
              urls:
                - https://my-app.com
                - http://localhost.com
              # Optional keys
              http_checks: true
              ssl_checks: false

            debug

            debug runs the scanner in debug mode (currently only available for SAST checks). This generates two SVG files in the ./skims directory of your home directory. This is mainly useful for developers adding SAST checks, otherwise, it is not recommended. For more details, refer to Fluid Attacks' development documentation for SAST. Below is an example of a configuration file with this option being used:

            debug: true
            checks:
              - F001
            namespace: universe
            output:
              file_path: skims/test/outputs/test.csv
              format: CSV
            sast:
              include:
                - skims/test/data/lib_root/f001/


            Specify the path

            You can specify your paths in two different ways:
            1. Using a path relative to the working directory (only works if the working_dir key is defined), for example:

              2. namespace: namespace
              working_dir: /test/directory
              sast:
                include:
                  - src/main/java/org/test/Test.java
            1. Using Unix-style globs, relative to working_dir, for example:

              2. namespace: namespace
              working_dir: /test/directory
              sast:
                include:
                  - glob(*)
                exclude:
                  - glob(**.java)
                  - glob(src/**/test*.py)

            Configuration file example

            Below is an example of a highly personalized configuration file.

            namespace: my_app
            working_dir: /path/to/your/repository
            commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
            language: EN
            output:
              file_path: /path/to/results.csv
              format: CSV
            checks:
              - F052
            strict: false
            file_size_limit: false
            sast:
              include:
                - ./relative/path/to/file/or/dir
                - src/main/java/org/test/Test.java
                - glob(*)
                - glob(**.java)
                - glob(src/**/test*.py)
            sca:
              include:
                - .
            apk:
              include:
                - ./relative/path/to/build/awesome-app-v1.0.apk
                - build/awesome-app-v1.0.apk
            cspm:
              aws_credentials:
                - access_key_id: "000f"
                  secret_access_key: "000f"
            dast:
              urls:
                - https://localhost.com
                - https://localhost.com:443
              ssl_checks: true
              http_checks: true
            debug: true

            Advice on scanner issues
            Have a question about the scanner or encountered a problem? Read the scanner FAQ.
            Free trial message
            Free trial
            Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.