Guides

Using GitHub Action

Running Bearer from the CLI is great, but if you want it integrated directly with your Git workflow there's nothing easier than a GitHub action. If you're unfamiliar with GitHub actions, here's a primer available from GitHub. You can also see how the action works directly on our Bear Publishing example app.

Getting started

You can view the action here, or follow along below.

Actions live in the .github/workflows/ directory within your repository. Start by creating a bearer.yml file in the workflows directory.

We recommend the following config in .github/workflows/bearer.yml to run Bearer's security report:

name: Bearer

on:
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2

This will run the security report, display the results to the action summary screen within GitHub, and flag the action as pass or fail based on whether Bearer's default rules pass or fail.

Further configuration

Just as with the CLI app, you can configure the action to meet the needs of your project. Set custom inputs and outputs using the with key. Here's an example using the config-file, skip-path, and only-rule flags:

steps:
  - uses: actions/checkout@v3
  - name: Bearer
    uses: bearer/bearer-action@v2
    with:
      config-file: '/some/path/bearer.yml'
      only-rule: 'ruby_lang_cookies,ruby_lang_http_post_insecure_with_data'
      skip-path: 'users/*.go,users/admin.sql'

The following are a list of available inputs and outputs:

Inputs

`version`

Specify the Bearer version to use. This must match a Bearer release name. (Optional)

`scanner`

Specify the comma separated scanners e.g. --scanner secrets,sast (Optional)

`config-file`

configuration file path (Optional)

`bearer-ignore-file`

bearer.ignore file path (Optional)

`only-rule`

Specify the comma-separated ids of the rules you would like to run. Skips all other rules. (Optional)

`skip-rule`

Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. (Optional)

`skip-path`

Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql (Optional)

`exclude-fingerprint`

Specify the comma-separated fingerprints of the findings you would like to exclude from the report. (Optional)

`severity`

Specify which severities are included in the report as a comma separated string (Optional)

`format`

Specify which format to use for the report (json, yaml, sarif, gitlab-sast) (Optional)

`output`

Specify where to store the report (Optional)

`api-key`

For use with Bearer Cloud (Optional)

`diff`

Enable differential scanning. Only supported for pull request events (Optional)

`exit-code`

Forces the exit-code when errors are reported (Optional)

Outputs

`rule_breaches`

Details of any rule breaches that occur (Optional)

`exit_code`

exit code from binary (Optional)

Configure GitHub code scanning

Bearer CLI supports GitHub code scanning. By using the SARIF output format, you can display security report findings directly in the Security tab of your repository.

Bearer CLI results in GitHub security tab

To enable this feature, update your action configuration to include new permissions, new format and outputs, and an additional step. Here's an example configuration:

name: Bearer

on:
  push:
    branches:
      - main

permissions:
  contents: read
+ # Add the security-events permission
  security-events: write

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
+         # Include these two options
          format: sarif
          output: results.sarif
+       # Add a new step to upload the SARIF file
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

By setting the format and output path, and adding a new upload step, the action will upload SARIF-formatted findings to GitHub's code scanner.

Pull Request Diff

When the Bearer action is being used to check a pull request, you can tell the action to only report findings introduced within the pull request by setting the diff input parameter to true.

name: Bearer PR Check

on:
+ # Diff can only be used with pull_request events
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
+         # Add diff option
          diff: true

See our guide on configuring a scan for more information on differential scans.

Code Review Comments

Bearer CLI supports Reviewdog rdjson format so you can use any of the reviewdog reporters to quickly add bearer feedback directly to your pull requests.

Bearer CLI results in Github PR

name: Bearer PR Check

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
+ # Add the pull-requests permission
  pull-requests: write

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
+     # install reviewdog
      - uses: reviewdog/action-setup@v1
        with:
          reviewdog_version: latest
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
+         # use rdjson output, and only report changes from your PR
          format: rdjson
          output: rd.json
          diff: true
+     # always run reviewdog otherwise the step will be skiped by github when a scan fails
      - name: Run reviewdog
        if: always()
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review

Integrate with Defect Dojo

We can monitor findings with Defect Dojo by using the gitlab-sast format and the v2 API. Make sure to update the instance url and set the necessary secrets.

name: Bearer Defect Dojo

on:
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
          format: gitlab-sast
          output: gl-sast-report.json
      - name: Defect Dojo
        if: always()
        env:
          DD_TOKEN: ${{ secrets.DD_TOKEN}}
          DD_APP: ${{ secrets.DD_APP}}
          DD_ENGAGEMENT: ${{ secrets.DD_ENGAGEMENT}}
        run: |
          curl -X POST -F "file=@gl-sast-report.json" -F "product_name=$DD_APP" -F "engagement_name=$DD_ENGAGEMENT" -F "scan_type=GitLab SAST Report" -H "Authorization: Token $DD_TOKEN" http://example.com/api/v2/import-scan/

Make the most of Bearer

For more ways to use Bearer, check out the different report types, available rules, supported data types.

Have a question or need help? Join our Discord community or open an issue on GitHub.

Ready to take the next step? Learn more about Bearer Cloud.