Guides

Configure the scan to meet your needs

Bearer CLI offers a variety of ways to configure the core scan command to best meet your needs. Here are some common situations. For a full list of options, see the commands reference. For many of the command flags listed below, you can also define them in your bearer.yml config file.

Select a report type

There are a variety of report types to choose from. Bearer CLI defaults to the Security report, but you can select any other type with the --report flag.

bearer scan . --report privacy

Select a scanner type

Did you know that Bearer CLI can also detect hard-coded secrets in your code? In addition to the default SAST scanner, there's a built-in secrets scanner. Use the --scanner flag to change scanner types.

bearer scan . --scanner secrets

Skip or ignore specific rules

Sometimes you want to ignore one or more rules, either for the entire scan or for individual blocks of code. Rules are identified by their id, for example: ruby_lang_exception.

Skip rules for the entire scan

To ignore rules for the entire scan you can use the --skip-rule flag with the scan command.

Using --skip-rule:

# skip a single rule
bearer scan . --skip-rule ruby_lang_exception

# skip multiple rules
bearer scan . --skip-rule ruby_lang_exception,ruby_lang_cookies

Using bearer.yml

rule:
  skip-rule: [ruby_lang_exception, ruby_lang_cookies]

Skip rules for individual code blocks

Bearer CLI supports comment-based rule skipping using the bearer:disable comment. To ignore a block of code, place the comment immediately before the block.

In ruby:

# bearer:disable ruby_lang_logger, ruby_lang_http_insecure
Net::HTTP.start("http://my.api.com/users/search) do
  logger.warn("Searching for #{current_user.email}")
  ...
end

In javascript:

// bearer:disable javascript_lang_logger
function logUser(user) {
  log.info(user.name)
}

To ignore an individual line of code, place the comment immediately before the line.

def my_func
 # bearer:disable ruby_rails_logger
  Rails.logger(current_user.email)
end

function logUser(user) {
  log.info(user.name)
  // bearer:disable javascript_lang_logger
  log.info(user.uuid)
}

Run only specified rules

Similar to how you can skip rules, you can also tell the scan to only run specific rules. To do so, specify the rule IDs with the --only-rule flag.

bearer scan . --only-rule ruby_lang_cookies

Change the output format

Each report type has a default output format, but in general you're able to also select between json and yaml with the --format flag.

bearer scan . --format yaml

Output to a file

Sometimes you'll want to hand off the report, and while you could pipe the results to another command, we've included the --output flag to make it easier. Specify the path to the output file.

bearer scan . --report dataflow --output dataflow.json

Limit severity levels

Depending on how you're using Bearer CLI, you may want to limit the severity levels that show up in the report. This can be useful for triaging only the most critical issues. Use the --severity flag to define which levels to include from the list of critical, high, medium, low, and warning.

bearer scan . --severity critical,high

Ready to take the next step? Join the Bearer Cloud waitlist.