Fluid Attacks' standalone scanners are command-line tools, and their CLIs all follow this structure:
CLI_NAME [GLOBAL_OPTIONS] COMMAND [OPTIONS] [ARGUMENTS]
Replace CLI_NAME with the identifier of the scanner you want to run. The following standalone scanners are currently available:
skims: SAST CLI
spots: SCA CLI
probes: DAST CLI
flags: CSPM CLI
inspects: APK CLI
Use the --help flag to get information about the tool's usage and a description of each available argument.
Examples:
skims --help
For the DAST CLI:
probes --help
Use the --strict flag to run the scanner in strict mode: the execution fails with exit code 1 if any vulnerability is found in your targets. This makes the scanner usable as a gate in a CI/CD job, where a non-zero exit code breaks the build.
Example (replace path/to/config.yaml with the actual path to your configuration file, if using one):
skims --strict scan path/to/config.yaml
Currently, Fluid Attacks' scanners offer only one command: scan. For example, to run the SAST CLI against the current directory:
skims scan .
Use this to perform DAST scans with the DAST CLI:
probes scan .
The --csv option outputs the scan results in comma-separated values (CSV) format, creating an output.csv file in the execution path. Example (replace path/to/directory with the actual path to your scanning target):
skims scan --csv path/to/directory
The --sarif option outputs the scan results in Static Analysis Results Interchange Format (SARIF), creating an output.sarif file in the execution path. SARIF is the format to prefer when another tool (a CI gate, a code-review integration, a vulnerability tracker) has to consume the results, since it is a documented JSON schema rather than a tool-specific column layout. Example (replace path/to/directory with the actual path to your scanning target):
skims scan --sarif path/to/directory
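The --strict flag fails the job on any finding. When a team instead wants to block only on selected check types, or to accept a known finding without silencing the whole scan, the SARIF output above is the place to apply that policy. The script below is an added example and not Fluid Attacks' code: it relies only on the SARIF 2.1.0 structure (runs[].results[].ruleId, level and locations), treats ruleId as the check identifier (F052 and so on), and uses a constructed sample report; the blocking rule set and the allowlist are hypothetical policy choices for illustration.

```python
"""Gate a CI job on the SARIF report written by `skims scan --sarif`.

Added example (not the scanner's own code). Only the SARIF 2.1.0 layout is
assumed; the policy below (block on F052, accept one known location) is a
hypothetical illustration.
"""
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape; not real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "skims"}},
        "results": [
            {"ruleId": "F052", "level": "error",
             "message": {"text": "Insecure encryption algorithm"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/crypto.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "F052", "level": "error",
             "message": {"text": "Insecure encryption algorithm"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/legacy.py"},
                 "region": {"startLine": 40}}}]},
            {"ruleId": "F001", "level": "warning",
             "message": {"text": "SQL injection"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result of every run into (ruleId, uri, line) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "UNKNOWN")
            # A result with no location still counts; report it without a file.
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<no file>")
                line = phys.get("region", {}).get("startLine")
                findings.append((rule, uri, line))
    return findings


def count_by_rule(findings):
    """Number of findings per check identifier."""
    return Counter(rule for rule, _, _ in findings)


def should_fail(findings, blocking_rules, allowlist=()):
    """True if any finding for a blocking rule is not allowlisted.

    `allowlist` holds (rule, uri) pairs for accepted-risk findings, so one
    known legacy location does not keep failing every pipeline run.
    """
    blocking = set(blocking_rules)
    allowed = set(allowlist)
    return any(rule in blocking and (rule, uri) not in allowed
               for rule, uri, _ in findings)


def report(sarif_text, blocking_rules, allowlist=()):
    """Print the findings and return the exit code the CI job should use."""
    findings = load_findings(sarif_text)
    for rule, uri, line in sorted(findings, key=lambda f: (f[0], f[1], f[2] or 0)):
        print(f"{rule} {uri}:{line}")
    for rule, n in sorted(count_by_rule(findings).items()):
        print(f"{rule}: {n} finding(s)")
    return 1 if should_fail(findings, blocking_rules, allowlist) else 0


if __name__ == "__main__":
    import sys
    # Usage: python gate.py output.sarif   (falls back to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(report(text, blocking_rules={"F052"},
                    allowlist={("F052", "src/legacy.py")}))
```

With the sample report the job still fails, because src/crypto.py carries an F052 finding that is not on the allowlist; remove that line or add the pair and the exit code drops to 0. Keep the allowlist in version control next to the configuration file so accepted risks are reviewed like code.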
The --execution-module option restricts the run to the given module(s). The module names listed on this page include apk, cspm, sast, and sca; the example below also uses dast. To run more than one module, separate the names with commas and no spaces. Example (replace path/to/config.yaml with the actual path to your configuration file):
skims scan path/to/config.yaml --execution-module cspm,dast
Configuration file argument: the path to a YAML configuration file in which you customize the scanner's execution. Example (replace path/to/config.yaml with the actual path to your configuration file):
skims scan path/to/config.yaml
Directory argument: the path to the directory you want to scan. Example (replace path/to/directory with the actual path to your target):
skims scan path/to/directory
URL argument: depending on the scanner you are using, the URL can be one of the following.
Git repository URL: the SAST and SCA CLIs download the repository and analyze it with static application security testing (SAST) or software composition analysis (SCA). For example, for a SAST scan:
skims scan https://github.com/tree-sitter/tree-sitter.git
For an SCA scan:
spots scan https://github.com/tree-sitter/tree-sitter.git
Page or web application URL: the DAST CLI performs dynamic application security testing (DAST) against the page or web application at that URL. Example:
probes scan https://git-scm.com
The most flexible way to run any of Fluid Attacks' scanners is with a YAML configuration file, for example:
namespace: myapp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN
sast:
  include:
    - .
  exclude:
    - glob(**/node_modules/**)
    - glob(**/test/**)
There are some common keys that apply to all Fluid Attacks' scanners. Here is a breakdown of what each key in the configuration file represents.
namespace indicates a name for the analysis, typically the name of the repository being analyzed. For example:
namespace: my_app
working_dir indicates the path to the repository you want to analyze. Paths configured under the apk, sast, or sca keys are written relative to this directory. For example:
working_dir: /absolute/path/to/directory
Use commit to pin a specific version of the standalone scanner: provide the commit SHA of the version you want to use (the list of commits is on GitLab). Pinning keeps CI runs reproducible, so a scanner update cannot change the result of a build on its own. For example (the value below is an illustrative placeholder, not a real SHA):
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
language indicates the language of the vulnerability report. Valid values are EN (English) and ES (Spanish); the default is EN. For example:
language: ES
output indicates where scan results are stored and in what format. By default, vulnerability reports are displayed in the terminal. The key takes a mapping with two entries:
file_path: defines the output file location
format: defines the output format, either CSV (comma-separated values) or SARIF (Static Analysis Results Interchange Format)
For example (note that output is a mapping, not a list of entries):
output:
  file_path: relative/path/to/file
  format: CSV
checks specifies which types of vulnerabilities to look for. See the documentation of types in Fluid Attacks' classification, which includes detailed descriptions, to make your choice. If this key is not present, the target is checked for all types, which is generally recommended to ensure comprehensive scans. The following example checks only for F050 (Guessed weak credentials) and F277 (Weak credential policy - Password Expiration):
checks:
- F050
- F277
strict configures the scan to run in strict mode, failing the execution with exit code 1 (and thereby breaking the build) if any vulnerabilities are found. This is ideal for using the scanner as a CI/CD job. Enable strict mode as follows:
strict: true
By default, there is a file size limit that skips very large files to prevent long analysis times. Set file_size_limit to false to remove the limit if crucial files are being omitted because of it:
file_size_limit: false
debug runs the scanner in debug mode (currently only available for SAST checks). This generates two SVG files in the ./skims directory of your home directory. It is mainly useful for developers adding SAST checks and is otherwise not recommended. For more details, refer to Fluid Attacks' development documentation for SAST. Below is an example of a configuration file with this option enabled:
debug: true
checks:
  - F001
namespace: universe
output:
  file_path: skims/test/outputs/test.csv
  format: CSV
sast:
  include:
    - skims/test/data/lib_root/f001/
sast activates static application security testing of source code. This key has three configuration options:
include (mandatory): paths to files or directories to analyze
exclude (optional): files or directories to exclude from the analysis
recursion-limit (optional): an integer limit on recursion depth, useful if the SAST execution takes too long (over 1 hour) or runs into memory or recursion errors; the recommended value is 1000
For example:
sast:
  include:
    - relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(**/node_modules/)
  recursion-limit: 1000
sca activates software composition analysis of your source code. This key has two configuration options:
include (mandatory): paths to files or directories to analyze
exclude (optional): files or directories to exclude from the analysis
For example:
sca:
  include:
    - relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(**/test/)
apk activates the reverse engineering checks for Android APKs. This key has two configuration options:
include (mandatory): paths to files or directories to analyze
exclude (optional): files or directories to exclude from the analysis
For example:
apk:
  include:
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(src/**/test*.apk)
cspm activates cloud security posture management scans of your cloud environments. This requires you to provide credentials for each environment you want scanned. Each sub-key (aws_credentials, azure_credentials, and gcp_credentials) is optional, but whichever you include must contain at least one set of credentials. Use read-only credentials scoped to the accounts being assessed, and prefer injecting them from your CI secret store rather than committing them in the file. For example (the values are placeholders):
namespace: namespace
cspm:
  # For AWS
  aws_credentials:
    - access_key_id: "000f"
      secret_access_key: "000f"
    - access_key_id: "000e"
      secret_access_key: "000e"
  # For Azure
  azure_credentials:
    - client_id: "000f"
      client_secret: "000f"
      tenant_id: "0000f"
      subscription_id: "000f"
  # For GCP
  gcp_credentials:
    - private_key: "000f"
    - private_key: "000e"
For DAST scans, the configuration uses these top-level keys:
urls: URLs to analyze
http_checks (optional): enables the HTTP checks; defaults to true
ssl_checks (optional): enables the SSL/TLS checks; defaults to true
For example:
urls:
  - https://my-app.com
  - http://localhost.com
http_checks: true
ssl_checks: false
Paths under include and exclude are resolved relative to the working directory (the directory the scanner runs in, or the directory set by working_dir when that key is defined), for example:
namespace: namespace
working_dir: /test/directory
sast:
  include:
    - src/main/java/org/test/Test.java
Glob patterns are also accepted, written as glob(PATTERN) and likewise resolved relative to working_dir, for example:
namespace: namespace
working_dir: /test/directory
sast:
  include:
    - glob(*)
  exclude:
    - glob(**.java)
    - glob(src/**/test*.py)
Below is an example of a highly personalized SAST configuration file (the commit value is an illustrative placeholder):
namespace: my_app
working_dir: /path/to/your/repository
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
language: EN
output:
  file_path: /path/to/results.csv
  format: CSV
checks:
  - F052
strict: false
file_size_limit: false
sast:
  include:
    - ./relative/path/to/file/or/dir
    - src/main/java/org/test/Test.java
    - glob(*)
    - glob(**.java)
    - glob(src/**/test*.py)
debug: true
Below is an example of a highly personalized DAST configuration file:
namespace: my_app
language: EN
output:
  file_path: /path/to/results.csv
  format: CSV
strict: true
urls:
  - https://www.my_app.com
  - https://www.my_app_qa.com
ssl_checks: false
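A configuration file with a wrong key shape (for instance output written as a list instead of a mapping, or a sast block without include) is easier to catch before the scanner runs than by reading the scanner's error output in a CI log. The script below is an added example, not Fluid Attacks' code: its rules are derived from the key descriptions on this page (valid language and output.format values, the F-prefixed check identifiers, the boolean keys, the mandatory include lists, the cspm credential sub-keys, the DAST urls key), it validates the already-parsed mapping rather than the file, and the two sample configurations are constructed for illustration. Key names the page does not document are flagged as unknown; if the scanner accepts more keys than listed here, extend TOP_LEVEL_KEYS.

```python
"""Pre-flight validation of a scanner configuration against the keys
documented above, to run before `skims scan path/to/config.yaml`.

Added example, not Fluid Attacks' code: the rules are derived from the
page's key descriptions, and the function works on the parsed mapping
(load the YAML with yaml.safe_load first), not on the file.
"""
import re

TOP_LEVEL_KEYS = {
    "namespace", "working_dir", "commit", "language", "output", "checks",
    "strict", "file_size_limit", "debug", "sast", "sca", "apk", "cspm",
    "urls", "http_checks", "ssl_checks",
}
BOOL_KEYS = ("strict", "file_size_limit", "debug", "http_checks", "ssl_checks")
CHECK_ID = re.compile(r"^F\d{3}$")        # e.g. F052
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
CSPM_CREDS = ("aws_credentials", "azure_credentials", "gcp_credentials")


def validate_config(cfg):
    """Return a list of problems; an empty list means the config looks sane."""
    if not isinstance(cfg, dict):
        return ["config must be a mapping"]
    problems = [f"unknown key: {k}" for k in cfg if k not in TOP_LEVEL_KEYS]
    if "namespace" not in cfg:
        problems.append("namespace is required")
    if cfg.get("language", "EN") not in ("EN", "ES"):
        problems.append("language must be EN or ES")
    out = cfg.get("output")
    if out is not None:
        # Frequent slip: writing output as a list of one-key mappings.
        if not isinstance(out, dict):
            problems.append("output must be a mapping with file_path and format")
        else:
            if out.get("format") not in ("CSV", "SARIF"):
                problems.append("output.format must be CSV or SARIF")
            if not out.get("file_path"):
                problems.append("output.file_path is required")
    for cid in cfg.get("checks") or []:
        if not CHECK_ID.match(str(cid)):
            problems.append(f"bad check id {cid!r} (expected e.g. F052)")
    if "commit" in cfg and not COMMIT_SHA.match(str(cfg["commit"])):
        problems.append("commit must be a 40-character lowercase hex SHA")
    for key in BOOL_KEYS:
        if key in cfg and not isinstance(cfg[key], bool):
            problems.append(f"{key} must be true or false")
    for module in ("sast", "sca", "apk"):
        section = cfg.get(module)
        if section is None:
            continue
        if not isinstance(section, dict) or not section.get("include"):
            problems.append(f"{module}.include is mandatory")
        elif module == "sast" and not isinstance(section.get("recursion-limit", 0), int):
            problems.append("sast.recursion-limit must be an integer")
    cspm = cfg.get("cspm")
    if cspm is not None:
        # Each credentials sub-key is optional, but at least one must be a non-empty list.
        if not isinstance(cspm, dict) or not any(cspm.get(k) for k in CSPM_CREDS):
            problems.append("cspm needs at least one non-empty credentials list")
    urls = cfg.get("urls")
    if urls is not None and not (isinstance(urls, list) and urls and all(
            isinstance(u, str) and u.startswith(("http://", "https://")) for u in urls)):
        problems.append("urls must be a non-empty list of http(s) URLs")
    return problems


# Constructed sample configs (not from the page): one sound, one with the
# mistakes a first attempt usually contains.
GOOD_CONFIG = {
    "namespace": "my_app", "working_dir": ".", "language": "EN",
    "output": {"file_path": "./results.sarif", "format": "SARIF"},
    "checks": ["F052"], "strict": True,
    "sast": {"include": ["."], "exclude": ["glob(**/node_modules/**)"],
             "recursion-limit": 1000},
}
BAD_CONFIG = {
    "language": "FR",
    "output": [{"file_path": "results.csv"}, {"format": "CSV"}],
    "checks": ["F52"],
    "commit": "e59607b9de3ef4c13d292705fg3da1ff0c67eb38",
    "strict": "yes",
    "sast": {"exclude": ["glob(**/test/)"]},
    "urls": ["my-app.com"],
}

if __name__ == "__main__":
    import sys
    import yaml  # PyYAML; needed only to read a real config file
    with open(sys.argv[1]) as fh:
        issues = validate_config(yaml.safe_load(fh))
    print("\n".join(issues) or "config OK")
    sys.exit(1 if issues else 0)
```

Run it as `python validate_config.py path/to/config.yaml` in the CI step that precedes the scan; a non-zero exit stops the pipeline before the scanner starts, and the printed list names every problem at once rather than only the first one.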