Use standalone scanners | Fluid Attacks Help

Use standalone scanners

Fluid Attacks' scanners are AppSec testing tools that you can use to scan your source code, infrastructure, and applications, and obtain reports of the security vulnerabilities found.

The scanners are available for use as follows:

  1. Paid software as a service (SaaS): Included in Fluid Attacks' Essential and Advanced plans. In this case, Fluid Attacks handles all the configuration, continuously monitors your system's security and provides reports and analytics on Fluid Attacks' platform.
  2. Free and open-source command-line interface (CLI) tools: Using each available scanner as a standalone tool, you are in charge of its configuration. Each scanner can be configured to scan your chosen target of evaluation for vulnerabilities and reports the results directly in the CLI or in CSV or SARIF formats. Fluid Attacks provides Docker containers for these tools, available on the Docker Hub repository.

Currently, you may use these standalone scanners:

  1. Fluid Attacks' SAST CLI
  2. Fluid Attacks' SCA CLI
  3. Fluid Attacks' DAST CLI
  4. Fluid Attacks' CSPM CLI
  5. Fluid Attacks' APK CLI
Note on CLI supportFluid Attacks used to provide a full scanner CLI to perform SAST, SCA, DAST and CSPM scans as well as APK analysis. However, Fluid Attacks no longer provides support for this image. Any new feature or patch will only be implemented in the corresponding specific image (listed above). If you are still using the full CLI's image, you should migrate to the specific image that applies to your use case.

This page guides you through a general description of the features of Fluid Attacks' standalone scanners.

CLI structure

Fluid Attacks' scanners' CLIs follow this structure:

CLI_NAME [GLOBAL_OPTIONS] COMMAND [ARGUMENTS]

CLI name

In the above structure, replace CLI_NAME with the scanner's identifier as follows:
  1. skimsSAST CLI
  2. spots: SCA CLI
  3. probesDAST CLI
  4. flags: CSPM CLI
  5. inspects: APK CLI

CLI global options

--help

Use the --help flag to get information about the tool's usage and a description of each available argument.

Examples:

For the SAST CLI:
skims --help

For the DAST CLI:

probes --help

--strict

Use the --strict flag to run the scanner in strict mode. This means the execution will fail (with an exit code 1) if it finds any vulnerabilities in your targets. This is ideal for using the scanner as a CI/CD job.

Example (replace path/to/config.yaml with the actual path to your configuration file, if using one):

skims --strict scan path/to/config.yaml

CLI commands

All of Fluid Attacks' scanners have one command option: scan

As the name implies, this command allows you to execute a security scan over the evaluation targets of your choice.

For example, use this command to perform SAST scans with the SAST CLI:

skims scan /my-dir

Use this to perform DAST scans with the DAST CLI:

probes scan https://www.my-app.com

scan arguments

Directory

Info on directory
This option is only available for Fluid Attacks' SAST and SCA CLIs.

This argument is the path to the directory you want to scan.

Example (replace path/to/directory with the actual path to your target):

skims scan path/to/directory

URL

This argument is a URL. Depending on the scanner you are using, you can use the following URLs:

  1. Git repository URL: Using Fluid Attacks' SAST or SCA CLIs to download a repository and analyze it with static application security testing (SAST) and software composition analysis (SCA). For example, for SAST scans:

    skims scan https://github.com/tree-sitter/tree-sitter.git

    Use this for SCA scans:

    spots scan https://github.com/tree-sitter/tree-sitter.git

  2. Page or web application URL: Using Fluid Attacks' CLI to perform dynamic application security testing (DAST), using the URL of a page or web application.

    Example:

    probes scan https://www.google.com

Configuration file

This argument is the path to a YAML configuration file where you customize the vulnerability scanner's execution. To avoid confusion and possible problems, you should place this file in the same directory as the project you want to scan.

Example (replace path/to/config.yaml with the actual path to your configuration file):

skims scan path/to/config.yaml

Here is a simple example using the SAST CLI:

namespace: myapp
output:
file_path: ./Fluid-Attacks-Results.csv
format: CSV
working_dir: .
language: EN
sast:
include:
- .
exclude:
- glob(**/node_modules/**)
- glob(**/test/**)

This is the most flexible way to run any of Fluid Attacks' scanners. Use this option in order to get the most value from the scanners.

You can see detailed documentation on how to set up a configuration file for each scanner.

Advice on scanner issues
Have a question about the scanner or encountered a problem? Read the scanner FAQ.
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.