Run Bearer as a GitHub Action.
steps:
- uses: actions/checkout@v3
- uses: bearer/bearer-action@v2
steps:
- uses: actions/checkout@v3
- name: Bearer
uses: bearer/bearer-action@v2
with:
path: 'some-path-to-scan'
config-file: '/some/path/bearer.yml'
only-rule: 'ruby_lang_cookies,ruby_lang_http_post_insecure_with_data'
skip-path: 'users/*.go,users/admin.sql'
name: Bearer
on:
push:
branches:
- main
permissions:
contents: read
jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Report
id: report
uses: bearer/bearer-action@v2
you can see this workflow in action on our demo repo
When the Bearer action is being used to check a pull request, you can tell the
action to only report findings introduced within the pull request by setting
the diff
input parameter to true
.
name: Bearer PR Check
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Report
id: report
uses: bearer/bearer-action@v2
with:
diff: true
See our guide on configuring a scan for more information on differential scans.
Using Reviewdog for PR review comments with Bearer
name: Bearer PR Check
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
pull-requests: write
jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
- name: Run Report
id: report
uses: bearer/bearer-action@v2
with:
format: rdjson
output: rd.json
diff: true
- name: Run reviewdog
if: always()
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review
Using Defect Dojo to monitor findings
name: Bearer Defect Dojo
on:
push:
branches:
- main
permissions:
contents: read
jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Report
id: report
uses: bearer/bearer-action@v2
with:
format: gitlab-sast
output: gl-sast-report.json
- name: Defect Dojo
if: always()
env:
DD_TOKEN: ${{ secrets.DD_TOKEN}}
DD_APP: ${{ secrets.DD_APP}}
DD_ENGAGEMENT: ${{ secrets.DD_ENGAGEMENT}}
run: |
curl -X POST -F "file=@gl-sast-report.json" -F "product_name=$DD_APP" -F "engagement_name=$DD_ENGAGEMENT" -F "scan_type=GitLab SAST Report" -H "Authorization: Token $DD_TOKEN" http://example.com/api/v2/import-scan/
Optional Specify the Bearer version to use. This must match a Bearer release name.
Optional Specify the comma-separated scanner to use e.g. sast,secrets
Optional configuration file path
Optional Specify the comma-separated IDs of the rules to run; skips all other rules.
Optional Specify the comma-separated IDs of the rules to skip; runs all other rules.
Optional Specify the comma-separated paths to skip. Supports wildcard syntax, e.g. users/*.go,users/admin.sql
Optional Specify the comma-separated fingerprints of the findings you would like to exclude from the report.
Optional Specify which severities are included in the report as a comma separated string, e.g. critical,medium
Optional Specify which format to use, e.g. json
Optional Specify where to store the report, e.g. results.sarif
Optional Force the exit code when findings are detected. Set this to 0 (success), for example, for the action to always pass
Details of any rule breaches that occur. This is URL encoded to work round GitHub issues with multiline outputs.
Exit code of the binary, 0 indicates a pass