Fluid Attacks evaluates environments you have appropriately matched with source code repositories. Security testing of environments is done through dynamic application security testing (DAST), cloud security posture management (CSPM) and, exclusively in the Advanced plan, penetration testing as a service (PTaaS) and software reverse engineering. You are encouraged to have Fluid Attacks test two environments for every repository you add, provided that one of them is the production environment (read the benefits below).
To learn to add environments located in an AWS or Azure cloud, or GCP, take a look at the articles in Use cloud integrations.
Know your environments table
Role required: User, Vulnerability Manager or Group Manager
The table listing the environments under evaluation is found in your group's Scope section. Its columns show the following information:
- URL: The URL address of the environment
- Type: Whether the environment is located in a supported cloud, is for a mobile app, is at a URL or is for a Docker image
- Status: The inclusion or exclusion of the environment in the security testing scope; its value can be one of the following:
  - Included: The environment is included for security testing
  - Excluded: The environment is excluded from security testing
  - Open event: A situation prevents the inclusion of the environment for security testing (an icon is provided linking to the event report on the platform)
- Secrets: Indicates the number of secrets (credentials) that you or other members have registered to access the environment
- Connection type: The custom connection through which Fluid Attacks must access the environment; its value can be one of the following:
  - Connector: Environment is behind a private network; a Cloudflare tunnel is configured
  - Egress: Environment is behind a private network; Fluid Attacks' egress IP addresses are whitelisted
  - Legacy: Access to environment is through a VPN
  - N/A: No custom connection
- Is Production: Whether or not the environment is a production environment
- Requires Authentication: Whether or not Fluid Attacks needs credentials to access the environment

Clicking the downward-facing arrow reveals more information about the environment. Namely, the date it was added, the email address of the group member who added it, and the Git root(s) to which it is associated.

Add environments
Role required: User or Group Manager
You can add two environments per Git root to be tested, as long as one of the two corresponds to a production environment. Here is why adding the latter, with no additional cost, is recommended:
- It includes comprehensive security testing in the production stage.
- In the absence of environment parity, testing the production environment means targeting the system's behavior that is not present in pre-production environments and is what attackers would likely interact with.
- Production environments are more stable and less prone to unexpected issues than pre-production ones, which facilitates continuous testing.
Environments you have marked as 'production' (step 6) are not analyzed by the DAST scanner; they are exclusively analyzed by Fluid Attacks' security analysts in the Advanced plan.
A vulnerability found in your production environment is reported for production only when it does not also exist in the other non-production environment you have registered.
Below (step 5) are links for guidance on making environments accessible when located within a private network.
To add environments to the security testing scope, follow these steps:
- Access the group's Scope section and click the URL of the active Git repository whose environment you wish to add.
- In the pop-up window, choose the Environments tab.
- Click on Add environment.
- Select the environment type and provide the required information in each case.
Here is a short definition of each of the options:
- CSPM: The environment to test is located in an AWS or Azure cloud, or GCP. This type requires you to provide the necessary credentials.
  The descriptions of the further fields to fill out when choosing one of the supported cloud services, as well as the instructions to get the required information (e.g., secrets), are in dedicated pages: AWS, Azure, GCP.
- Mobile: The environment to test corresponds to a mobile application. This type requires you to choose the previously added mobile app file.
- URL: The environment to test is at a URL where the application is deployed. This type requires you to provide the URL.
- If access is behind a private network, check the condition accordingly. If it is not, leave the Connector and Egress options unchecked.
  - Connector: Cloudflare Tunnel is configured
  - Egress: Specific IPs need to be whitelisted on your firewall
- Specify whether or not the environment is a production environment.
- Click on Confirm to add the environment.
When checking an environment, an HTTP response code 200 usually means that the request was processed correctly. If this code is not received, the environment may have problems for several reasons, including:
- authentication or authorization errors;
- data validation errors;
- connection or infrastructure problems;
- internal server errors.
A status code other than 200 can indicate something is wrong with the environment you are trying to add. In this case, check that you correctly followed the above configuration steps. After verifying this, you can add your environment disregarding the platform warning. Keep in mind that the DAST scanner cannot analyze your environment if it is unreachable.
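As an added example (not part of the platform or its own tooling), a small Python pre-flight check you can run from your own network before adding a URL environment; it sorts the outcome into the problem classes listed above and tells you whether the DAST scanner would be able to reach the target. The `opener` parameter, the category names and the status-code groupings are assumptions made here for clarity and testability.

```python
"""Pre-flight reachability check for an environment URL before adding it."""
import sys
import urllib.error
import urllib.request

# Assumed groupings that mirror the problem classes the platform describes.
AUTH_CODES = {401, 403, 407}
VALIDATION_CODES = {400, 415, 422}


def classify_status(code: int) -> str:
    """Map an HTTP status code to one of the documented problem classes."""
    if code == 200:
        return "ok"
    if code in AUTH_CODES:
        return "authentication or authorization error"
    if code in VALIDATION_CODES:
        return "data validation error"
    if 500 <= code <= 599:
        return "internal server error"
    return "other non-200 status"


def check_environment(url: str, opener=urllib.request.urlopen, timeout: float = 10.0) -> dict:
    """Request the URL and report the problem class a scanner would observe.

    `opener` is injectable (assumption) so the check can be exercised without
    network access; it must behave like urllib.request.urlopen.
    """
    try:
        with opener(url, timeout=timeout) as resp:
            code = resp.getcode()
    except urllib.error.HTTPError as exc:  # the server answered, but with 4xx/5xx
        code = exc.code
    except (urllib.error.URLError, OSError) as exc:
        # DNS failure, refused connection, TLS handshake error or timeout:
        # nothing answered, so there is no status code to classify.
        return {"url": url, "status": None,
                "problem": "connection or infrastructure problem",
                "detail": str(getattr(exc, "reason", exc))}
    return {"url": url, "status": code, "problem": classify_status(code), "detail": ""}


def reachable_for_dast(result: dict) -> bool:
    """The DAST scanner cannot analyze an environment that never answers."""
    return result["status"] is not None


if __name__ == "__main__":
    print(check_environment(sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"))
```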
Manage environment secrets
Role required: User, Vulnerability Manager or Group Manager
On the platform, you can securely manage secrets (credentials) that grant Fluid Attacks access to environments in order to test them. Follow these steps to add secrets:
- Access the group's Scope section and click the environment's URL.
- Click the Add secret button.
- Add as Key the kind of secret it is (e.g., token) and as Value the actual secret. Optionally, provide a description that can help its use.
- Click on Confirm.
The environment secret is added to the table and made available for Fluid Attacks to view. You can view, edit or remove only the secrets you added.
Edit environments
Role required: User, Vulnerability Manager or Group Manager
You may edit the information on connection type and whether the environment is a production environment. These are the steps:
- Access the group's Scope section and click the URL of the active Git repository whose environment you wish to edit.
- Switch to the Environments tab.
- From the Actions column, click on the edit icon.
- Make the desired changes and click on Confirm.
Remove environments
Role required: Group Manager
In order to remove an environment, follow these steps:
- Click on the Git repository to which the environment is linked.
- Switch to the Environments tab.
- From the Actions column, click the trash can icon corresponding to the environment you wish to delete.
- Confirm removal.
Move environments
Role required: Group Manager
You can move environments across Git roots within the same group or in a different one. These are the steps:
- Access the group's Scope section and click the URL of the active Git repository whose environment you wish to move.
- Switch to the Environments tab.
- From the Actions column, click on the move icon.
- Select the target group.
- Type in the search box either part of the target root's URL, branch or nickname, to activate the dropdown menu from which you can choose the root.
- Click Confirm.
Exclude Environments
Role required: User or Group Manager
Warnings:
- Excluding a subpath implies it is not considered in vulnerability analysis.
- Excluding a main path automatically excludes all of its subpaths.
- You cannot activate a subpath if its main environment is inactive.
If you want to exclude from security testing a subpath of a specific environment, follow the steps below:
- Go to your group's Scope section.
- Add the subpath you wish to exclude as you would add an environment to test. To learn how to do the latter, read Add environments.
- Click Confirm.
- In the table, locate the added subpath and switch the corresponding toggle in the Exclusion status column to off.
- Click on Confirm to apply the exclusion.
Note: Make sure the main path exists before excluding a specific path.
Manage mobile apps
Role required: User, Vulnerability Manager or Group Manager
Add mobile apps to test
To add mobile apps for testing, you need to first add the mobile app file (e.g., .aab, .ipa, .apk) and then add an environment linking to that file. Here are the steps:
- Access the group's Scope section and scroll down to Files.
- Click on Add.
- Click on the Add file button and choose the mobile app file. Its size must not exceed 5GB.
- Click on Confirm. Your file should now be visible in the table.
- Scroll up to Git roots. If you have not yet added the repository related to the mobile app in question, do it following the steps in Add a new Git Root.
- Click on the repository URL and choose Environments > Add environment.
- Choose Mobile App as Environment type, then select the corresponding file from Mobile App file and specify if it is a production environment.
- Click on Confirm.
Update mobile app file
The platform does not allow replacing a file with one of a different extension.
Follow these steps to add a newer version of your mobile app. Do not delete the file, as this causes the platform to mark any 'Open' vulnerabilities found in the app as 'Closed' (this is undesirable, as you want us to continue testing the app).
- Go to Scope > Files.
- Click on the mobile app file.
- Click on Add file and upload the newer app version.
- Click on Replace file.
- Read the warning message. You acknowledge that the file is linked to an environment, vulnerabilities found in the older file can refer to the newer file, and the latter corresponds to the same mobile app. If you wish to proceed, click on Confirm.
Remove mobile app file
Removal causes 'Open' vulnerabilities found in the file to be marked as 'Closed'. Please ensure that you would not rather update the file.
If you are removing a file associated to an environment, you get the following message after step 3 below.
In this case, follow the steps described in Remove environments instead. This should be done by a Group Manager. As the message says, removing the environment removes also the mobile app file.
If the file is not associated to an environment, do the following:
- Go to Scope > Files.
- Click on the file to be removed.
- Click on Remove.
- Click on Confirm.