This section addresses common questions users may ask when using the Machine Standalone tool.
You can find the updated information about Fluid Attacks' scanner in this Knowledge Base's Use the CLI section (App Defense Alliance's documentation on the tool is outdated).
No. You only need to download the Docker image.
Please check Run scans locally and Use the scanners in CI/CD.
If this message appears at the end of the error log:
error: mounting /proc: Operation not permitted
Try running the scan with the --privileged flag:
docker run --privileged -v /your/local/dir:/working-dir fluidattacks/sast:latest sast scan /working-dir/config.yaml
If the error message at the end of the error log is something like this:
[ERROR] Enter a valid argument,
the argument types are the path to a .yaml configuration file or the path to a directory.
Doc: https://docs.fluidattacks.com/tech/scanner/standalone
It means that the path to the config.yaml file or to the folder to scan is incorrect, or that you are pointing at a path on your host machine that is not mounted into the container. Verify that the path exists and that you are mounting the volume inside the container correctly, together with the respective files.
This means the SAST scanner is being run on a set of files that includes APK files. APK files are only meant to be analyzed with the APK scanner (as the name implies). To remove those reports, simply add the exclude key to the "sast" section of the configuration, like so:
sast:
  include:
    - .
  exclude:
    - glob(**/*.apk)
If you encounter this message frequently:
[WARNING] File too large
It means that the tool is ignoring large files to avoid possible memory issues.
If you wish to remove this limitation, use the "file size limit" key.
If you remove the limit and encounter memory errors, we recommend splitting the scanner runs (e.g., scanning only certain folders in each run).
As we are actively improving this area, this strategy may become unnecessary in the future.
If your scan is taking longer than it should, we recommend the following:
Check dependency folders included: Ensure you do not include dependency folders such as node_modules, dist, vendor and their equivalents in the SAST scan.
Use the recursion limit key: Consider using the "recursion limit" key to limit the search depth within a single file. We recommend setting it to 1000.
Network errors typically occur when scanner analysis is performed in an environment with restricted internet access. To ensure full functionality of all scanners (particularly the SCA scanner), we recommend running the analysis without such restrictions.
If running without restrictions is not possible, your network must at a minimum allow both inbound and outbound communication with AWS, as some scanners rely on data retrieved from AWS services (public S3 buckets).
Additionally, our scanners may connect to external services such as Bugsnag, which we use for error tracking and debugging. We do not store any sensitive information on those services, but if you prefer to disable all execution traceability, you can opt out by adding the following setting to your YAML configuration file:
tracing_opt_out: True
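The settings discussed in the answers above (excluding APK files and dependency folders, limiting recursion, and opting out of tracing), collected into one config.yaml as an added example that is not taken from Fluid Attacks' documentation. Only the sast, include and exclude keys, the glob() pattern form and tracing_opt_out appear on this page; recursion_limit is an assumed spelling of the "recursion limit" key, and the directory patterns assume the same glob() syntax matches folders.

```yaml
# Added example config.yaml for the standalone scanner; not from Fluid Attacks' docs.
# Keys marked "assumed" are not spelled out on this page.
sast:
  include:
    - .
  exclude:
    # APK files belong to the APK scanner; excluding them removes the SAST reports about them
    - glob(**/*.apk)
    # Dependency folders add scan time without adding first-party findings
    # (assumed: glob() accepts directory patterns like these)
    - glob(**/node_modules/**)
    - glob(**/dist/**)
    - glob(**/vendor/**)
  # Assumed spelling of the "recursion limit" key; 1000 is the value the FAQ recommends.
  # The "file size limit" key is deliberately left unset so large files stay skipped.
  recursion_limit: 1000
# Stop execution traces from being sent to external error-tracking services such as Bugsnag
tracing_opt_out: True
```

Run it with the docker command from the --privileged answer, mounting the directory that contains this file as /working-dir so the path given to `sast scan` resolves inside the container.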