CSPM scanner configuration file | Fluid Attacks Help

CSPM scanner configuration file

General configuration file keys

Here is a simple, recommended overview of the general configuration file keys. These keys apply to all of Fluid Attacks' scanners.

namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN

Specific configuration file keys

Note on credentials
This scanner requires you to provide credentials for each environment.

Warning on unencrypted credentials
If using the scanner in a CI/CD provider, please remember to never expose your credentials unencrypted.

The following key is available only for the CSPM scanner.

cspm

This key has three configuration options:

  1. aws_credentials (optional): Credentials to access an AWS account for READ-ONLY requests.
  2. azure_credentials (optional): Credentials to access an Azure account for READ-ONLY requests.
  3. gcp_credentials (optional): Credentials to access a GCP account for READ-ONLY requests.

If you want to use any of these options, you must provide at least one set of working credentials.

Bear in mind that Fluid Attacks' scanner does not save any sensitive or private data from users. Fluid Attacks only collects information related to execution errors. Even that can be disabled by using the "tracing_opt_out" key in the configuration file, so that when you execute a CSPM analysis, Fluid Attacks does not receive any data from your infrastructure.

Moreover, the CSPM scanner only performs read operations using the official API of each cloud provider, so there is no risk involved when performing a scan.

cspm:
  # For AWS
  aws_credentials:
    - access_key_id: "000f"
      secret_access_key: "000f"
    - access_key_id: "000e"
      secret_access_key: "000e"
      session_token: "000e"
  # For Azure
  azure_credentials:
    - client_id: "000f"
      client_secret: "000f"
      tenant_id: "0000f"
      subscription_id: "000f"
  # For GCP
  gcp_credentials:
    - private_key: "000f"
    - private_key: "000e"
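
One way to follow the warning about unencrypted credentials in CI/CD, as an added example that is not part of Fluid Attacks' documentation or tooling: a shell function that writes the configuration file at job run time from secret variables instead of committing key values. The function name render_cspm_config and the output path are hypothetical; the AWS_* variables are the standard AWS environment variable names, assumed to be injected by the CI provider's secret store.

```shell
#!/bin/sh
# Added example (not Fluid Attacks code). render_cspm_config is a hypothetical
# helper; AWS_* are the standard AWS variable names, assumed to be injected
# by the CI provider's secret store at job run time.

render_cspm_config() {
    out="$1"
    for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            # session_token is optional (temporary credentials only).
            [ "$var" = AWS_SESSION_TOKEN ] && continue
            # Fail closed, naming the variable but never printing a value.
            echo "missing required variable: $var" >&2
            return 1
        fi
        # Values are written inside double-quoted YAML scalars below, so a
        # quote or backslash in a value would corrupt the file.
        case "$val" in
            *\"*|*\\*) echo "$var needs YAML escaping; refusing" >&2; return 1 ;;
        esac
    done
    (
        # Owner-only permissions; remove any older, wider-permission copy first.
        umask 077
        rm -f -- "$out"
        {
            printf 'namespace: myapp\n'
            printf 'output:\n'
            printf '  file_path: ./Fluid-Attacks-Results.csv\n'
            printf '  format: CSV\n'
            printf 'working_dir: .\n'
            printf 'language: EN\n'
            printf 'cspm:\n'
            printf '  aws_credentials:\n'
            printf '    - access_key_id: "%s"\n' "$AWS_ACCESS_KEY_ID"
            printf '      secret_access_key: "%s"\n' "$AWS_SECRET_ACCESS_KEY"
            if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
                printf '      session_token: "%s"\n' "$AWS_SESSION_TOKEN"
            fi
        } > "$out"
    )
}
```

Call the function as the first step of the scan job, keep the generated file out of build artifacts and caches, and delete it when the job ends.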

Configuration file example

Below is an example of a highly personalized configuration file:

namespace: my_app
working_dir: ./
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
language: EN
output:
  file_path: /fluid-attacks-results.csv
  format: CSV
checks:
  - F052
cspm:
  aws_credentials:
    - access_key_id: "f000"
      secret_access_key: "f000"

Advice on scanner issues
Have a question about the scanner or encountered a problem? Read the scanner FAQ.