Use standalone scanners | Fluid Attacks Help

Use standalone scanners

Warning
Starting November 1, 2025, the Fluid Attacks full CLI will become deprecated in favor of the multiple standalone scanners.
Fluid Attacks' scanners are AppSec testing tools that you can use to scan your source code, infrastructure, and applications, and obtain reports of the security vulnerabilities found.

The scanners are available for use as follows:

  1. Paid software as a service (SaaS): Included in Fluid Attacks' Essential and Advanced plans. In this case, Fluid Attacks handles all the configuration, continuously monitors your system's security and provides reports and analytics on Fluid Attacks' platform.
    2. Idea
    Continuous Hacking Essential is now available on the AWS Marketplace.
  2. Free and open-source command-line interface (CLI) tools: Using each available scanner as a standalone tool, you are in charge of its configuration. Each scanner can be configured to scan your chosen target of evaluation for vulnerabilities and reports the results directly in the CLI or in CSV or SARIF formats. Fluid Attacks provides Docker containers for these tools, available on the Docker Hub repository. To learn how you can share ideas on how to improve these tools, read Contribute to enhancing the scanners.

Currently, you may use these standalone scanners:

  1. Fluid Attacks' SAST CLI
  2. Fluid Attacks' SCA CLI
  3. Fluid Attacks' DAST CLI
  4. Fluid Attacks' CSPM CLI
  5. Fluid Attacks' APK CLI
Note on CLI supportFluid Attacks created a full scanner CLI to perform SAST, SCA, DAST and CSPM scans as well as APK analysis. However, Fluid Attacks does not provide updates for this image since April, 2025. Any new feature or patch is and will be implemented only in the corresponding specific image (listed above). If you are still using the full CLI's image, you should migrate to the specific image that applies to your use case before November 1, 2025.

Info
Development:

This page guides you through a general description of the features of Fluid Attacks' standalone scanners.

CLI structure

Fluid Attacks' scanners' CLIs follow this structure:

CLI_NAME [GLOBAL_OPTIONS] COMMAND [ARGUMENTS]

CLI name

In the above structure, replace CLI_NAME with the analysis identifier. Fluid Attacks provides five images named after the type of scan that they perform:
  1. sast
  2. sca
  3. dast
  4. cspm
  5. apk

CLI global options

--help

Use the --help flag to get information about the tool's usage and a description of each available argument.

Examples:

For the SAST CLI:
sast --help

For the DAST CLI:

dast --help

--strict

Use the --strict flag to run the scanner in strict mode. This means the execution will fail (with an exit code 1) if it finds any vulnerabilities in your targets. This is ideal for using the scanner as a CI/CD job.

Example (replace path/to/config.yaml with the actual path to your configuration file, if using one):

sast --strict scan path/to/config.yaml

CLI commands

All of Fluid Attacks' scanners have one command option: scan

As the name implies, this command allows you to execute a security scan over the evaluation targets of your choice.

For example, use this command to perform SAST scans with the SAST CLI:

sast scan /my-dir

Use this to perform DAST scans with the DAST CLI:

dast scan https://www.my-app.com

scan arguments

Directory

Info on directory
This option is only available for Fluid Attacks' SAST and SCA CLIs.

This argument is the path to the directory you want to scan.

Example (replace path/to/directory with the actual path to your target):

sca scan path/to/directory

URL

This argument is a URL. Depending on the scanner you are using, you can use the following URLs:

  1. Git repository URL: Using Fluid Attacks' SAST or SCA CLIs to download a repository and analyze it with static application security testing (SAST) and software composition analysis (SCA). For example, for SAST scans:

    sast scan https://github.com/tree-sitter/tree-sitter.git

    Use this for SCA scans:

    sca scan https://github.com/tree-sitter/tree-sitter.git

  2. Page or web application URL: Using Fluid Attacks' CLI to perform dynamic application security testing (DAST), using the URL of a page or web application.

    Example:

    dast scan https://www.google.com

Configuration file

This argument is the path to a YAML configuration file where you customize the vulnerability scanner's execution. To avoid confusion and possible problems, you should place this file in the same directory as the project you want to scan.

Example (replace path/to/config.yaml with the actual path to your configuration file):

sast scan path/to/config.yaml


Here is a simple example using the SAST CLI:

namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN
sast:
  include:
    - .
  exclude:
    - glob(**/node_modules/**)
    - glob(**/test/**)

This is the most flexible way to run any of Fluid Attacks' scanners. Use this option in order to get the most value from the scanners.

You can see detailed documentation on how to set up a configuration file for each scanner.

Advice on scanner issues
Have a question about the scanner or encountered a problem? Read the scanner FAQ or Contribute to enhancing the scanners.
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.