Use standalone scanners | Fluid Attacks Help

Use standalone scanners

Fluid Attacks' scanners are AppSec testing tools that you can use to scan your source code, infrastructure, and applications, and obtain reports of the security vulnerabilities found.

The scanners are available for use as follows:

  1. Paid software as a service (SaaS): Included in Fluid Attacks' Essential and Advanced plans. In this case, Fluid Attacks handles all the configuration, continuously monitors your system's security and provides reports and analytics on Fluid Attacks' platform.
  2. Free and open-source command-line interface (CLI) tools: Using each available scanner as a standalone tool, you are in charge of its configuration. Each scanner can be configured to scan your chosen target of evaluation for vulnerabilities and reports the results directly in the CLI or in CSV or SARIF formats. Fluid Attacks provides Docker containers for these tools, available on the Docker Hub repository.

Currently, you may use these standalone scanners:

  1. Fluid Attacks' SAST CLI
  2. Fluid Attacks' SCA CLI
  3. Fluid Attacks' DAST CLI
  4. Fluid Attacks' CSPM CLI
  5. Fluid Attacks' APK CLI
Note on CLI supportIn addition to these, you can use the general Fluid Attacks' CLI to perform SAST, SCA, DAST and CSPM scans as well as APK analysis. However, Fluid Attacks no longer provides support for this image. Any new feature or patch will only be implemented in the corresponding specific image (listed above). If you are still using the general CLI's image, you should migrate to the specific image that applies to your use case.

This page guides you through configuring and using each of FluidAttacks' standalone scanners.

CLI structure

Fluid Attacks' scanners CLIs follows this structure:

CLI_NAME [GLOBAL_OPTIONS] COMMAND [OPTIONS] [ARGUMENTS]

CLI name

In the above structure, replace CLI_NAME with the scanner's identifier as follows:
  1. skimsSAST CLI
  2. spots: SCA CLI
  3. probesDAST CLI
  4. flags: CSPM CLI
  5. inspects: APK CLI

CLI global options

--help

Use the --help flag to get information about the tool's usage and a description of each available argument.

Examples:

For the SAST CLI:
skims --help

For the DAST CLI:

probes --help

--strict

Use the --strict flag to run the scanner in strict mode. This means the execution will fail (with an exit code 1) if it finds any vulnerabilities in your targets. This is ideal for using the scanner as a CI/CD job.

Example (replace path/to/config.yaml with the actual path to your configuration file, if using one):

skims --strict scan path/to/config.yaml

CLI commands

Currently, Fluid Attacks' scanners only offer one command option: scan

For example, use this command to perform SAST scans with the SAST CLI:

skims scan .

Use this to perform DAST scans with the DAST CLI:

probes scan .

scan options

InfoIn the first two options below, the files are generated in the execution path with a static name. If you need more control over where the results file is generated, use a configuration file.

--csv

Output the scan results in comma-separated values (CSV) format, creating an output.csv file in the execution path.

Example (replace path/to/directory with the actual path to your scanning target):

skims scan --csv path/to/directory

--sarif

Output the scan results in Static Analysis Results Interchange Format (SARIF), creating an output.sarif file in the execution path.

Example (replace path/to/directory with the actual path to your scanning target):

skims scan --sarif path/to/directory

--execution-module

Warning on CLI end of support
This option is only available for Fluid Attacks' general CLI tool, which does not receive any updates since April 2025.

Use this option when you have a configuration file. If the file configures multiple modules, you can select which module(s) to execute (apk, cspm, sast, sca). Using more than one module, separate them with commas (no spaces).

Example (replace path/to/config.yaml with the actual path to your configuration file):

skims scan path/to/config.yaml --execution-module cspm,dast

scan arguments

Configuration file

This argument is the path to a YAML configuration file where you customize the vulnerability scanner's execution.

Example (replace path/to/config.yaml with the actual path to your configuration file):

skims scan path/to/config.yaml

Advice on configuration file

Directory

Info on directory
This option is only available for Fluid Attacks' SAST and SCA CLIs.

This argument is the path to the directory you want to scan.

Example (replace path/to/directory with the actual path to your target):

skims scan path/to/directory

URL

This argument is a URL. Depending on the scanner you are using, you can use the following URLs:

  1. Git repository URL: Using Fluid Attacks' SAST or SCA CLIs to download a repository and analyze it with static application security testing (SAST) and software composition analysis (SCA). For example, for SAST scans:

    skims scan https://github.com/tree-sitter/tree-sitter.git

    Use this for SCA scans:

    spots scan https://github.com/tree-sitter/tree-sitter.git

  2. Page or web application URL: Using Fluid Attacks' CLI to perform dynamic application security testing (DAST), using the URL of a page or web application.

    Example:

    probes scan https://git-scm.com

Create a configuration file

The most flexible way to run any of Fluid Attacks' scanners is with a YAML configuration file.

Here is a simple and recommended example for the SAST CLI:

namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN
sast:
  include:
    - .
  exclude:
    - glob(**/node_modules/**)
    - glob(**/test/**)

Advice on customizing the scan
Check Configuration file keys and Specify paths in the include/exclude subsections for details on all the keys and path formats to utilize the scanner's full capabilities.

Common configuration file keys

There are some common keys that apply to all FluidAttacks' scanners. Here is a breakdown of what each key in the configuration file represents.

All keys are optional, so you can customize scans to your needs. Therefore, the tool should function correctly even if some keys are missing from the configuration file.

namespace

namespace indicates a name for the analysis, typically the name of the repository being analyzed. For example:

namespace: my_app

working_dir

working_dir indicates the path to the repository you want to analyze. If configuring paths in the apk, sast, or sca keys, write such paths relative to this directory. For example:

working_dir: /absolute/path/to/directory

commit

Use commit to run a specific version of the standalone scanner. Just provide the commit SHA of the version you want to use. You can find the list of commits on GitLab. For example:

commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38

language

language indicates the language for the vulnerability report. Valid values are EN (English) and ES (Spanish). The value defaults to EN if not specified. For example:

language: ES

output

output indicates where scan results are stored and in what format. By default, vulnerability reports are displayed in the terminal. You can use these options:

  1. file_path: Defines the output file location
  2. format: Defines the output format, which can be CSV (comma-separated values) or SARIF (Static Analysis Results Interchange Format)
For example:
    output:
      - file_path: relative/path/to/file
      - format: CSV
    Advice on scanner output
    Read Understand the scanner output for more details.

    checks

    checks specifies which types of vulnerabilities to look for. See the documentation of types in Fluid Attacks' classification, which includes detailed descriptions, to make your choice. If this key is not present, the target is checked for all types. This is generally recommended to ensure comprehensive scans. The following is an example for checking against F050 (Guessed weak credentials) and F277 ( Weak credential policy - Password Expiration):

    checks:
      - F050
      - F277

    strict

    strict configures the scan to run in strict mode, failing the execution (breaking the build) if any vulnerabilities are found (with an exit code 1). Ideal for using the scanner as a CI/CD job. Enable strict mode as follows:

    strict: true

    Configuration file keys for the SAST scanner

    file_size_limit

    By default, there is a file size limit to prevent long analysis times. Set file_size_limit to false to remove the limit if crucial files are omitted because of it:

    file_size_limit: false

    debug

    debug runs the scanner in debug mode (currently only available for SAST checks). This generates two SVG files in the ./skims directory of your home directory. This is mainly useful for developers adding SAST checks, otherwise, it is not recommended. For more details, refer to Fluid Attacks' development documentation for SAST. Below is an example of a configuration file with this option being used:

    debug: true
    checks:
      - F001
    namespace: universe
    output:
      file_path: skims/test/outputs/test.csv
      format: CSV
    sast:
      include:
        - skims/test/data/lib_root/f001/

    sast

    sast activates the static application security testing technique for source code analysis. This key has three configuration options:

    1. include (mandatory): Paths to files or directories to analyze
    2. exclude (optional): Files or directories to exclude from the analysis
    3. recursion-limit (optional): An integer limit for recursion depth, which is useful if SAST execution takes too long (over 1 hour) or encounters memory/recursion errors (the recommended value for this option is 1000)
    For example:
      sast:
        include:
          - relative/path/to/file
          - relative/path/to/directory/
        # Optional keys
        exclude:
          - glob(**/node_modules/)
        recursion-limit: 1000

      Advice on the file format
      Read Specify the path for information about the path format recognized by Fluid Attacks' AppSec testing tools.

      Configuration file keys for the SCA scanner

      sca

      sca activates software composition analysis for your source code. This key has two configuration options:

      1. include (mandatory): Paths to files or directories to analyze
      2. exclude (optional): Files or directories to exclude from the analysis
      For example:
        sca:
          include:
            - relative/path/to/file
            - relative/path/to/directory/
          # Optional keys
          exclude:
            - glob(**/test/)

        Configuration file keys for the APK scanner

        apk

        apk activates the reverse engineering checks for Android APKs. This key has two configuration options:

        1. include (mandatory): Paths to files or directories to analyze
        2. exclude (optional): Files or directories to exclude from the analysis
        For example:
          apk:
            include:
              - relative/path/to/directory/
            # Optional keys
            exclude:
              - glob(src/**/test*.apk)

          Configuration file keys for the CSPM scanner

          cspm

          cspm activates cloud security posture management scans for your cloud environments. This requires you to provide credentials for each environment. Each sub-key (aws_credentialsazure_credentials, and gcp_credentials) is optional, and for each one you must provide at least one set of credentials. For example:

          namespace: namespace
          cspm:
            # For AWS
            aws_credentials:
              - access_key_id: "000f"
                secret_access_key: "000f"
              - access_key_id: "000e"
                secret_access_key: "000e"
            # For Azure
            azure_credentials:
              - client_id: "000f"
                client_secret: "000f"
                tenant_id: "0000f"
                subscription_id: "000f"
            # For GCP
            gcp_credentials:
              - private_key: "000f"
              - private_key: "000e"

          Configuration file keys for the DAST scanner

          urls

          URLs to analyze

          http_checks

          A boolean that indicates if you want to enable HTTP checks for the URLs (defaults to true)

          ssl_checks

          A boolean that indicates if you want to enable SSL checks for the URLs (defaults to true)

          For example, to enable only HTTP checks for the scan:
            urls:
              - https://my-app.com
              - http://localhost.com
            http_checks: true
            ssl_checks: false

            Specify paths in the include/exclude subsections

            You can specify your paths in two different ways:
            1. Using a path relative to the working directory (only works if the working_dir key is defined), for example:

              2. namespace: namespace
              working_dir: /test/directory
              sast:
                include:
                  - src/main/java/org/test/Test.java
            1. Using Unix-style globs, relative to working_dir, for example:

              2. namespace: namespace
              working_dir: /test/directory
              sast:
                include:
                  - glob(*)
                exclude:
                  - glob(**.java)
                  - glob(src/**/test*.py)

            Configuration file example

            Configuration file for the SAST CLI

            Below is an example of a highly personalized configuration file:

            namespace: my_app
            working_dir: /path/to/your/repository
            commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
            language: EN
            output:
              file_path: /path/to/results.csv
              format: CSV
            checks:
              - F052
            strict: false
            file_size_limit: false
            sast:
              include:
                - ./relative/path/to/file/or/dir
                - src/main/java/org/test/Test.java
                - glob(*)
                - glob(**.java)
                - glob(src/**/test*.py)
            debug: true

            Configuration file for the DAST CLI

            Below is an example of a highly personalized configuration file:

            namespace: my_app
            language: EN
            output:
              file_path: /path/to/results.csv
              format: CSV
            strict: true
            urls:
              - https://www.my_app.com
              - https://www.my_app_qa.com
            ssl_checks: false

            Advice on scanner issues
            Have a question about the scanner or encountered a problem? Read the scanner FAQ.
            Free trial message
            Free trial
            Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.