SCA scanner configuration file
General configuration file keys
Here is a simple and recommended overview of the general configuration file keys. Remember that this applies to all of Fluid Attacks' scanners.
namespace: myapp
output:
file_path: ./Fluid-Attacks-Results.csv
format: CSV
working_dir: .
language: ENSpecific configuration file keys
The following key is available for the SCA scanner, and it can be used to perform SCA analysis over a repository.
sca
This key has two configuration options:
include(mandatory): Paths to files or directories to analyzeexclude(optional): Files or directories to exclude from the analysis
For example:
sca:
include:
- relative/path/to/file
- relative/path/to/directory/
# Optional keys
exclude: - glob(**/test/)
Specify paths in the include/exclude subsections
You can specify your paths in two different ways:
- Using a path relative to the working directory, for example:
namespace: namespace
working_dir: /test/directory
sca:
include:
- src/main/java/org/test/Test.java
- Using Unix-style globs, relative to
working_dir, for example:
namespace: namespace
working_dir: /test/directory
sca:
include:
- glob(*)
exclude:
- glob(**.java)
- glob(src/**/test*.py)
Configuration file example
Below is an example of a highly personalized configuration file:
namespace: my_app
working_dir: ./
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
language: EN
output:
file_path: /fluid-attacks-results.csv
format: CSV
checks:
- F052
sca:
include:
- src/front/package-lock.json
- glob(*)
- glob(**.json) exclude:
- glob(src/**/test/package.json)
Analyze Docker images
The SCA image also has the option to analyze Docker images. For this, you must use the sbom key.
sbom
This key has the following basic options:
source_type: docker(mandatory): Specifies a Docker image analysisimage_uri(mandatory): The unique identifier of the image you want to analyzeimage_config(optional): Specifies different credentials to use for the analysis, allowing the following options:docker_username(optional): The username that owns the Docker image in the container registry of your choicedocker_password(optional): The password or token with read access rights to the image.-
use_docker_daemon(optional): When set to true, the scan connects to your Docker daemon to analyze images. This is useful for scanning images stored locally. Please note that this option is only available on Linux systems. aws_region(optional): AWS region for images hosted on ECRaccess_key_id,secret_access_key,session_token(optional): AWS credentials with read access to the ECR image.
If your image is hosted on ECR, you can also use these options as part of the
image_config sub-key:Configuration file example for Docker image analysis
Below is an example of a configuration file to analyze a Docker image hosted on GHCR.
language: EN
output:
file_path: /working-dir/fluid-attacks-results.csv
format: CSV
sbom: source_type: docker
image_uri: docker://ghcr.io/myuser/my-img:latest image_config:
docker_username: myuser
docker_password: ghp_my_secret_tokenBelow is an example of a configuration file to analyze a local image (only available on Linux systems).
language: EN
output:
file_path: /working-dir/fluid-attacks-results.csv
format: CSV
sbom: source_type: docker
image_uri: alpine:3.17image_config:use_docker_daemon: true
Have a question about the scanner or encountered a problem? Read the scanner FAQ.Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.