Welcome to Fluid Asserts’s documentation!

Fluid Asserts is an engine to automate the closing of security findings over execution environments. Asserts performs Dynamic and Static Application Security Testing (DAST and SAST) and dynamic testing of many protocols (DXST).


Asserts reuses previously handcrafted attack vectors in order to automate the closing of vulnerabilities. This makes it particularly useful since this testing can be performed by end users as-is or as part of a continuous integration pipeline. Thus any changes to the Target of Evaluation (ToE) can be continuously tested against the closing of confirmed vulnerabilities.


Here are some of the things Asserts can do for you:

  • Determine the closed or open status of a known vulnerability.

  • Perform routine, generic security tests, specially in combination with…

  • Continuous Integration: Asserts fits into your CI pipeline to ensure your product is released with no open vulnerabilities.

  • Helps ethical hackers in their daily activities by automating tasks.

  • Detailed tracing: For every vulnerability check (both on SAST and DAST), Asserts prints the ToE fingerprint, thus enabling clients to pinpoint the exact moment when the vulnerability appeared.

  • Now easier to install than ever and thoroughly documented.

What kind of vulnerabilities can Asserts test?

As of Jun 18, 2020 Asserts provides 602 checks in the scenarios above. Use the search box in the sidebar, peruse the Index for a bird’s eye view of all the checks, or just dive into the Reference.

Usage data

Fluid Asserts collects some user data like public IP address, operating system, Python version and the name of the checks that you use. We do this in order to analyze what are the most common platforms and the most used functions. This helps us develop more useful tests in the future. You can disable the gathering of this information setting an environment variable named “FA_NOTRACK” and setting its value to “true”. You can enable the tracking later by deleting that environment variable or changing its value to “false”.

Fluid Asserts does not collect sensitive data like targets of evaluation (URLs, IPs) or results of the tests.