Run scans locally | Fluid Attacks Help

Run scans locally

Warning
Starting November 1, 2025, the Fluid Attacks full scanner will become deprecated in favor of the multiple standalone scanners.
You can run any of Fluid Attacks' scanners locally using Docker. 

First, to make sure you have the latest version available, run the corresponding docker pull command for each scanner; for example, for the SAST scanner:

docker pull fluidattacks/sast:latest

Fluid Attacks does not distribute tags according to versions. The latest tag always contains the most up-to-date version of the tool thanks to Fluid Attacks' CI/CD process.

Now, to execute the scanner there are multiple options available. You need to mount the directory to be scanned into the container and then call the CLI with one of the available commands.

For example, to execute the SAST scanner over your project directory, you can use the following command: 

docker run --rm -v /dir/to/scan:/my-dir fluidattacks/sast:latest sast scan /my-dir

replacing /dir/to/scan with the actual path to your project directory.

Another option is to navigate to your project directory in your terminal and then execute:

docker run --rm -v .:/my-dir fluidattacks/sca:latest sca scan /my-dir


Advice on custom arguments
You can also pass custom arguments like URLs and configuration files. Refer to each CLI documentation for a comprehensive list of available options.

As shown in the previous examples, there is no need for a configuration file when running the SAST scan on a directory; in that case, the scanner executes all checks on the entire directory by default.

Alert
The option to run the scan on a directory is only available for the SAST and SCA scanners. 

Another option to execute a scan is using a configuration file in YAML format.
This allows you more granular control over the scanner, for example:
  1. Including or excluding certain paths for analysis.
  2. Choosing which checks to execute.
  3. Choosing special configuration options specific to each scanner.

To run a scanner using a configuration file, bind the configuration file to the Docker command as follows, replacing /dir/to/scan and /path/to/config.yaml with the appropriate paths for your scan directory and configuration file:

docker run --rm -v /dir/to/scan:/my-dir -v /path/to/config.yaml:/config.yaml fluidattacks/sast:latest sast scan /config.yaml

Another option is to place the configuration file inside your project directory and execute:

docker run --rm -v /dir/to/scan:/my-dir fluidattacks/sast:latest sast scan /my-dir/config.yaml

For more information, read Scan with a configuration file.
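The following wrapper is an added example, not Fluid Attacks' own tooling: it puts the steps above (pull the latest image, mount the project and an optional YAML configuration, run the scanner) into two POSIX shell functions, resolves relative host paths to the absolute paths Docker bind mounts require, and enforces this page's rule that directory scans without a configuration file are only supported by the SAST and SCA scanners. Function names, variable names and the assumption that paths contain no whitespace are this example's own.

```shell
#!/bin/sh
# Added example, not Fluid Attacks' own tooling: a thin wrapper around the
# docker commands shown on this page. Function and variable names are
# assumptions of this example; host paths are assumed to contain no spaces.

# Compose the docker run command for one scan without executing it.
# Usage: build_scan_cmd <scanner> <abs-project-dir> [abs-config-file]
build_scan_cmd() {
  scanner=$1
  project=$2
  config=$3
  image="fluidattacks/${scanner}:latest"   # the only tag Fluid Attacks publishes
  if [ -n "$config" ]; then
    # Config-file mode: mount the project and the YAML file, scan from the file
    printf '%s\n' "docker run --rm -v ${project}:/my-dir -v ${config}:/config.yaml ${image} ${scanner} scan /config.yaml"
    return 0
  fi
  # Directory mode (no config file) is only available for the SAST and SCA scanners
  case "$scanner" in
    sast|sca) ;;
    *) echo "error: directory scans are only available for sast and sca; use a config file" >&2
       return 2 ;;
  esac
  printf '%s\n' "docker run --rm -v ${project}:/my-dir ${image} ${scanner} scan /my-dir"
}

# Validate inputs, refresh the image, then run the scan.
# Usage: run_scan <scanner> <project-dir> [config-file]
run_scan() {
  scanner=$1
  dir=$2
  cfg=$3
  [ -d "$dir" ] || { echo "error: $dir is not a directory" >&2; return 1; }
  # Docker bind mounts need absolute host paths; resolve relative ones here
  abs_dir=$(cd "$dir" && pwd -P)
  abs_cfg=""
  if [ -n "$cfg" ]; then
    [ -f "$cfg" ] || { echo "error: $cfg not found" >&2; return 1; }
    abs_cfg=$(cd "$(dirname "$cfg")" && pwd -P)/$(basename "$cfg")
  fi
  cmd=$(build_scan_cmd "$scanner" "$abs_dir" "$abs_cfg") || return $?
  # Pull first so that :latest really is the newest build of the scanner
  docker pull "fluidattacks/${scanner}:latest" >/dev/null || return 1
  echo "+ $cmd"
  eval "$cmd"
}

# Example invocation: scan the current project with SAST, no config file
# run_scan sast .
```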

Troubleshooting

For solutions to common errors and issues encountered during the scanning process, consult the scanner FAQ.
