Use the scanners in CI/CD | Fluid Attacks Help

Use the scanners in CI/CD

Integrating any Fluid Attacks scanner into your CI/CD pipeline enables automated security testing throughout your software development lifecycle (SDLC).

Below are examples of how to configure the SAST scanner on popular CI/CD providers. Replace the container URI and command with the ones from the specific scanner.

Run on GitHub Actions

# .github/workflows/dev.yml
name: Standalone CLI
on: [push, pull_request]
jobs:
  machineStandalone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - uses: docker://docker.io/fluidattacks/sast:latest
        name: sastStandalone
        with:
          args: sast scan /dir/to/scan

Here is an example of running the DAST scanner instead of the SAST one, so it analyzes your web application endpoint:

# .github/workflows/dev.yml
name: DAST Analysis
on: [push, pull_request]
jobs:
  machineStandalone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
      - uses: docker://docker.io/fluidattacks/probes:latest
        name: dastStandaloneAnalysis
        with:
          args: probes scan https://myapp.com

Run on GitLab CI

# .gitlab-ci.yml
machineStandalone:
  image: docker.io/fluidattacks/sast:latest
  script:
    - sast scan /dir/to/scan

Run on Travis CI

# .travis.yml
services:
  - docker
before_install:
  - docker pull fluidattacks/sast:latest
script:
  # The scanner CLI only exists inside the image, so mount the checkout and run the scan in the container
  - docker run -v "$(pwd):/src" fluidattacks/sast:latest sast scan /src

Other providers

For any other provider, please refer to the documentation relevant for each case. The scanners can be executed on any CI/CD provider that supports Docker images.

In some cases you need Docker in Docker (DinD) to be able to run the scanners, for example on Bitbucket Pipelines.
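For a provider that is not listed above, the same docker run pattern can be wrapped in a small portable script. The following is an added example, not a script shipped by Fluid Attacks: only the image name and the `sast scan <path>` command come from this page; the `SCANNER_IMAGE`, `SCAN_DIR`, `DRY_RUN` and `RUN_SCAN` variables and the helper names are assumptions for the example. It mounts the checkout read-only, propagates the container's exit status so a failing scan breaks the build, and warns when the image is referenced by a mutable tag instead of a digest.

```shell
#!/bin/sh
# Provider-agnostic wrapper for running a Fluid Attacks scanner container.
# Added example, not Fluid Attacks' own script; SCANNER_IMAGE, SCAN_DIR,
# DRY_RUN, RUN_SCAN and the helper names are assumptions for this example.
set -eu

# Return 0 when an image reference is pinned by digest (name@sha256:<hex>),
# 1 when it relies on a mutable tag such as :latest.
is_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the docker command line: the workspace is mounted read-only at /src
# so the scanner cannot modify the checkout, and --rm removes the container.
build_scan_cmd() {
  printf 'docker run --rm -v %s:/src:ro -w /src %s sast scan /src' "$1" "$2"
}

# Translate the container exit status into a build decision: any non-zero
# status breaks the build, which is what every CI provider keys on.
interpret_status() {
  if [ "$1" -eq 0 ]; then echo pass; return 0; fi
  echo fail
  return 1
}

run_scan() {
  image="${SCANNER_IMAGE:-docker.io/fluidattacks/sast:latest}"
  dir="${SCAN_DIR:-$(pwd)}"
  is_pinned "$image" || echo "warning: $image is not pinned by digest; use name@sha256:<digest> for reproducible scans" >&2
  cmd="$(build_scan_cmd "$dir" "$image")"
  # DRY_RUN=1 prints the command instead of executing it (useful when debugging a pipeline)
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; return 0; fi
  status=0
  sh -c "$cmd" || status=$?
  interpret_status "$status"
}

# Only start a scan when explicitly requested, so sourcing the file has no side effects.
if [ "${RUN_SCAN:-0}" = 1 ]; then run_scan; fi
```

Run it as `RUN_SCAN=1 SCANNER_IMAGE=docker.io/fluidattacks/sast@sha256:<digest> sh scan.sh` from the repository root; the script's exit status is the scanner's.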

Bitbucket Pipelines

# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Fluid-Attacks-SAST-Scanner
        services:
          - docker
        script:
          - docker pull fluidattacks/sast:latest
          # Mount the clone at /src inside the container ($pwd is not set in sh; use $(pwd))
          - docker run -v "$(pwd):/src" fluidattacks/sast:latest sast scan /src/config.yaml

General recommendations

  1. Break the build: To halt your CI/CD pipeline when vulnerabilities are detected, use the strict option in your configuration file. See the configuration documentation for details.
  2. Handling false positives: During development, if the scanner reports a finding you consider a false positive, use the exclusions as code feature to prevent it from being reported in future scans.


Troubleshooting

For solutions to common errors and issues encountered during the scanning process, consult the scanner FAQ.

