{"id":46743538,"url":"https://github.com/fluidattacks/sast-action","last_synced_at":"2026-04-27T19:01:19.222Z","repository":{"id":343279559,"uuid":"1177021533","full_name":"fluidattacks/sast-action","owner":"fluidattacks","description":"Static Application Security Testing (SAST) GitHub Action by Fluid Attacks ","archived":false,"fork":false,"pushed_at":"2026-04-16T15:55:52.000Z","size":37,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-16T17:36:07.524Z","etag":null,"topics":["code-scanning-ready","github-actions","sast","security"],"latest_commit_sha":null,"homepage":"https://docs.fluidattacks.com/find-fix/use-cli/use-configuration-file/sast-scanner","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fluidattacks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-09T16:03:49.000Z","updated_at":"2026-04-16T15:55:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fluidattacks/sast-action","commit_stats":null,"previous_names":["fluidattacks/sast-action"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/fluidattacks/sast-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluidattacks%2Fsast-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluidattacks%2Fsast-action/tags","releases_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/fluidattacks%2Fsast-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluidattacks%2Fsast-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fluidattacks","download_url":"https://codeload.github.com/fluidattacks/sast-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluidattacks%2Fsast-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32350243,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-27T17:12:42.749Z","status":"ssl_error","status_checked_at":"2026-04-27T17:12:41.658Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-scanning-ready","github-actions","sast","security"],"created_at":"2026-03-09T18:23:52.296Z","updated_at":"2026-04-27T19:01:19.216Z","avatar_url":"https://github.com/fluidattacks.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fluid Attacks SAST\n\nFree, open-source static application security testing (SAST) action for your GitHub repositories. No account, API key, or registration required.\n\n## Quick Start (2 minutes)\n\n### 1. 
Create the GitHub Actions workflow\n\nAdd the file `.github/workflows/sast.yml` to your repository:\n\n```yaml\nname: SAST\non:\n  push:\n  pull_request:\n    types: [opened, synchronize, reopened]\n  schedule:\n    - cron: '0 8 * * 1'  # optional: weekly full scan every Monday at 8am\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          # Required for differential scanning (default mode).\n          # Can be omitted if scanner_mode: full is set.\n          fetch-depth: 0\n\n      - uses: fluidattacks/sast-action@\u003cversion\u003e\n        id: scan\n```\n\nReplace `\u003cversion\u003e` with the latest release tag. Check the releases page for the current version and update whenever a new one is published.\n\nWithout a configuration file, the action runs with built-in defaults: scans the entire repository and writes results to `.fluidattacks-sast-results.sarif`.\n\n### 2. (Optional) Add a configuration file\n\nTo customize scan paths, output format, or strict mode, create a YAML file anywhere in your repository and pass its path to the action:\n\n```yaml\n- uses: fluidattacks/sast-action@\u003cversion\u003e\n  id: scan\n  with:\n    scan_config_path: .github/sast-config.yaml\n```\n\nSee [Configuration reference](#configuration-reference) for the full list of options.\n\nCommit and push. The scan will run automatically on the next push or pull request.\n\n## Prerequisites\n\n- A GitHub repository (public or private).\n- GitHub Actions enabled on the repository.\n- No account, token, or API key is needed. The action is 100% open source.\n\n## How it works\n\n### Default branch detection\n\nThe action automatically detects your repository's default branch by running `git remote show origin`. This means it works with any branch name — `main`, `master`, `trunk`, `develop`, or whatever your team uses. 
You don't need to configure the branch name anywhere.\n\n### Scan types\n\nThe action determines the scan type based on context:\n\n| Trigger | Scan type | What it analyzes |\n|---|---|---|\n| Push to default branch | Full scan | All files in the repository |\n| Push to any other branch | Differential scan | Only files changed vs. default branch |\n| Pull request | Differential scan | Only files changed vs. PR base branch |\n\nBoth differential scan modes compare against the full default branch (not just the previous commit), so even if a push contains multiple commits, all changes relative to the default branch are analyzed. This keeps your CI fast while ensuring nothing slips through.\n\nAny other event that does not have a baseline for comparison will trigger a full scan.\n\nYou can force a full scan on every run with `scanner_mode: full` — see [Action inputs](#action-inputs).\n\n### Why `fetch-depth: 0`?\n\nThe `actions/checkout` step uses `fetch-depth: 0` to download the full git history. This is necessary for the differential scan to compare your current changes against the PR base. Without it, the action would not have enough context to determine what changed.\n\nIf you set `scanner_mode: full`, the action skips all git comparisons entirely, so a default shallow checkout is sufficient — `fetch-depth: 0` is not needed.\n\n## Viewing results\n\nAfter the workflow runs, results are written to the path configured in `output.file_path` (e.g. `results.sarif`), or to `.fluidattacks-sast-results.sarif` when no configuration file is provided.\n\n### SARIF file\n\nThe raw SARIF file is always available in your workspace. 
You can download it as an artifact, process it with other tools, or upload it to a third-party platform.\n\n### GitHub Security tab (optional)\n\nYou can upload the SARIF file to GitHub's Security tab so findings appear as **Code scanning alerts** with inline PR annotations:\n\n```yaml\n- name: Upload results to GitHub Security tab\n  if: always()\n  uses: github/codeql-action/upload-sarif@v4\n  with:\n    sarif_file: ${{ steps.scan.outputs.sarif_file }}\n```\n\n\u003e **Restrictions:** SARIF upload to the Security tab requires **GitHub Advanced Security**, which is available on all public repositories and on private repositories under a GitHub Advanced Security license. On private repositories without that license, the upload step will fail. See [GitHub's documentation](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github) for details.\n\n## Configuration reference\n\nWhen `scan_config_path` is provided, the action uses that file exclusively. 
When omitted, the action runs with built-in defaults: scans the entire repository (`sast.include: [.]`) or only modified files (depending on the `scanner_mode` selected), and writes results to `.fluidattacks-sast-results.sarif`.\n\n### Minimal configuration\n\n```yaml\nlanguage: EN\nstrict: false\noutput:\n  file_path: results.sarif\n  format: SARIF\nsast:\n  include:\n    - .\n  exclude:\n    - test/\n```\n\n### Full configuration example\n\n```yaml\n# Language for vulnerability descriptions: EN or ES\nlanguage: EN\n\n# If true, the pipeline fails when vulnerabilities are found\n# Set to true for stricter enforcement\nstrict: false\n\noutput:\n  # Path where the results file will be written\n  file_path: results.sarif\n  # Format: SARIF, CSV, or ALL\n  format: SARIF\n\nsast:\n  # Paths to include in the scan (relative to repo root)\n  include:\n    - src/\n    - lib/\n\n  # Paths to exclude from the scan\n  exclude:\n    - src/vendor/\n    - \"**/*.test.js\"\n\n# Specific checks to enable (omit to run all checks)\nchecks:\n  - F008   # Remote command execution\n  - F027   # Insecure File Upload\n```\n\n### Configuration options\n\n| Option | Required | Default | Description |\n|---|---|---|---|\n| `language` | No | `EN` | Language for descriptions (`EN` or `ES`) |\n| `strict` | No | `false` | Fail the pipeline if vulnerabilities are found |\n| `output.file_path` | No | `.fluidattacks-sast-results.sarif` | Path for the output file |\n| `output.format` | No | `SARIF` | Output format: `SARIF`, `CSV`, or `ALL` |\n| `sast.include` | No | `[.]` | List of paths to scan |\n| `sast.exclude` | No | — | List of paths to exclude |\n| `checks` | No | All | List of specific [checks](https://db.fluidattacks.com/wek/) to run |\n\n## Action inputs\n\n| Input | Required | Default | Description |\n|---|---|---|---|\n| `scan_config_path` | No | — | Path to the YAML configuration file, relative to the repository root. When omitted, the action runs with built-in defaults. 
The job fails if the file does not exist at the given path. |\n| `scanner_mode` | No | _(auto)_ | Override the scan mode. `full` forces a full repository scan. If omitted, the mode is determined automatically based on the event and branch. |\n\n### `scan_config_path`\n\nPoint the action at your configuration file:\n\n```yaml\n- uses: fluidattacks/sast-action@\u003cversion\u003e\n  id: scan\n  with:\n    scan_config_path: .github/sast-config.yaml\n```\n\nThe path is relative to the repository root. The job fails immediately if the file does not exist.\n\n### `scanner_mode: full`\n\nForces a full repository scan regardless of the event. Useful for scheduled audits or when you want every run to cover the entire codebase.\n\n```yaml\n- uses: fluidattacks/sast-action@1.1.0\n  id: scan\n  with:\n    scanner_mode: full\n```\n\n## Action outputs\n\n| Output | Description |\n|---|---|\n| `sarif_file` | Path to the SARIF results file (when format is `SARIF` or `ALL`) |\n| `vulnerabilities_found` | `true` if any vulnerabilities were detected, `false` otherwise |\n\nYou can use these outputs in subsequent workflow steps. For example, to add a conditional step:\n\n```yaml\n- name: Comment on PR\n  if: steps.scan.outputs.vulnerabilities_found == 'true'\n  run: echo \"Vulnerabilities were found. Check the Security tab for details.\"\n```\n\n## Common scenarios\n\n### Monorepo: scan only specific folders\n\nIf your repository contains multiple projects, you can limit the scan to specific directories:\n\n```yaml\nsast:\n  include:\n    - services/api/\n    - services/web/\n  exclude:\n    - services/legacy/\n```\n\nThe included paths are only used on full scans.\nOn differential scans, all modified files are scanned.\n\n### Strict mode: block merges with vulnerabilities\n\nSet `strict: true` in your configuration file and enable **Require status checks to pass before merging** in your repository's branch protection settings. 
This prevents vulnerable code from being merged:\n\n```yaml\nstrict: true\n```\n\n### Export results as CSV\n\nIf you want a CSV report instead of (or in addition to) SARIF:\n\n```yaml\noutput:\n  file_path: results.csv\n  format: CSV\n```\n\n## Troubleshooting\n\n### The scan runs but no results appear in the Security tab\n\nMake sure the \"Upload SARIF\" step is included in your workflow and uses `if: always()` so it runs even if the scan finds vulnerabilities with `strict: true`.\n\n### The differential scan analyzes all files instead of just changes\n\nVerify that `fetch-depth: 0` is set in the `actions/checkout` step. Without full git history, the action cannot determine which files changed.\n\n### The action doesn't detect my default branch\n\nThe action runs `git remote show origin` to detect the default branch. This requires `fetch-depth: 0` in the checkout step so the remote metadata is available. If detection fails, verify that the `origin` remote is correctly configured in your repository.\n\n### The pipeline fails unexpectedly\n\nIf `strict: true` is set in your configuration file, the pipeline will fail whenever vulnerabilities are found. This is intentional. Set `strict: false` if you want the scan to report vulnerabilities without failing the pipeline.\n\n### The job fails with \"not found in repository\"\n\nThe path provided to `scan_config_path` does not exist in the repository. 
Verify the path is correct and relative to the repository root.\n\n## More information\n\n- [Source code on GitHub](https://github.com/fluidattacks/sast-action)\n- [Vulnerability database](https://db.fluidattacks.com)\n- [Fluid Attacks documentation](https://docs.fluidattacks.com)\n- [SARIF format specification](https://sarifweb.azurewebsites.net/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffluidattacks%2Fsast-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffluidattacks%2Fsast-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffluidattacks%2Fsast-action/lists"}