Run scans locally or in your CI/CD | Fluid Attacks Help

Run scans locally or in your CI/CD

The Fluid Attacks scanner can be seamlessly integrated into your development workflow, allowing you to perform security scans both locally and within your continuous integration and continuous delivery (CI/CD) pipeline.

Run the Fluid Attacks scanner locally

You can run the Docker container with the following command, replacing /dir/to/scan with the actual path to your project directory:

docker run --rm -v /dir/to/scan:/my-dir fluidattacks/cli:latest skims scan /my-dir

Advice on custom arguments
You can also pass custom arguments like URLs and configuration files. Refer to the CLI documentation for a comprehensive list of available options.

As shown above, no configuration file is needed when scanning a directory: by default the scanner runs every check on the entire directory. Use a configuration file when you need finer-grained control over the scanner, for example for:

  1. Selecting specific techniques like SAST, SCA, etc.
  2. Including or excluding certain paths for analysis
  3. Choosing which checks to execute

To apply these settings, bind the configuration file to the Docker command as follows, replacing /dir/to/scan and /path/to/config.yaml with the appropriate paths for your scan directory and configuration file:

docker run --rm -v /dir/to/scan:/my-dir -v /path/to/config.yaml:/config.yaml fluidattacks/cli:latest skims scan /config.yaml

Run the Fluid Attacks scanner on your CI/CD provider

Integrating the Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC). Here are examples of how to configure the scanner on popular CI/CD providers.


Run scans on GitHub Actions

# .github/workflows/dev.yml
name: Standalone CLI
on: [push, pull_request]
jobs:
  machineStandalone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - uses: docker://docker.io/fluidattacks/cli:latest
        name: machineStandalone
        with:
          # Replace /dir/to/scan with the path to scan inside the container
          # (GitHub mounts the checked-out repository at /github/workspace)
          args: skims scan /dir/to/scan

Run scans on GitLab CI

# .gitlab-ci.yml
machineStandalone:
  image: docker.io/fluidattacks/cli:latest
  script:
    # Replace /dir/to/scan with the path to scan
    # (GitLab checks the repository out at $CI_PROJECT_DIR)
    - skims scan /dir/to/scan

Run scans on Travis CI

# .travis.yml
services:
  - docker
before_install:
  - docker pull fluidattacks/cli:latest
script:
  # skims only exists inside the container, so bind-mount the checked-out
  # repository ($TRAVIS_BUILD_DIR) into it and scan that mounted path
  - docker run --rm -v "$TRAVIS_BUILD_DIR:/dir/to/scan" fluidattacks/cli:latest skims scan /dir/to/scan

General recommendations

  1. Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, utilize the strict option in your configuration file. See the configuration documentation for details.
  2. Optimize scan time: Scans taking too long? Consider using the recursion limit option (file_size_limit) in your configuration file.
  3. Handling false positives: During development, if the scanner reports what you consider a false positive, employ the exclusions as code feature to prevent it from being reported in future scans.

Troubleshooting

For solutions to common errors and issues encountered during the scanning process, consult the scanner FAQ.
