Using GitHub Action

Running Bearer from the CLI is great, but if you want it integrated directly with your Git workflow there's nothing easier than a GitHub action. If you're unfamiliar with GitHub actions, here's a primer available from GitHub. You can also see how the action works directly on our Bear Publishing example app.

Getting started

You can view the action here, or follow along below.

Actions live in the .github/workflows/ directory within your repository. Start by creating a bearer.yml file in the workflows directory.

We recommend the following config in .github/workflows/bearer.yml to run Bearer's security report:

name: Bearer

on:
push:
branches:
- main

permissions:
contents: read

jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Bearer
uses: bearer/bearer-action@v2

This will run the security report, show the report in the job log, and flag the action as pass or fail based on whether Bearer's default rules pass or fail.

Further configuration

Just as with the CLI app, you can configure the action to meet the needs of your project. Set custom inputs and outputs using the with key. Here's an example using the config-file, skip-path, and only-rule flags:

name: Bearer

on:
push:
branches:
- main

permissions:
contents: read

jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Bearer
uses: bearer/bearer-action@v2
with:
config-file: "/some/path/bearer.yml"
only-rule: "ruby_lang_cookies,ruby_lang_http_post_insecure_with_data"
skip-path: "users/*.go,users/admin.sql"

Inputs

Option Description Default
api-key For use with Bearer Cloud
bearer-ignore-file bearer.ignore file path
config-file configuration file path
diff Enable differential scanning. Only supported for pull request events false
exclude-fingerprint Specify the comma-separated fingerprints of the findings you would like to exclude from the report.
exit-code Forces the exit-code when errors are reported
format Specify which format to use for the report (json, yaml, sarif, gitlab-sast)
hide-progress-bar Hide progress bar from output true
only-rule Specify the comma-separated ids of the rules you would like to run. Skips all other rules.
output Specify where to store the report
path The path to scan .
quiet Suppress non-essential messages
scanner Specify the comma separated scanners e.g. --scanner secrets,sast
severity Specify which severities are included in the report as a comma separated string
skip-path Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql
skip-rule Specify the comma-separated ids of the rules you would like to skip. Runs all other rules.
version Specify the Bearer version to use. This must match a Bearer release name.

Outputs

If you want to process the output of the cli we recommend using the output input above to write a file that can be used elsewhere, but we also provide some basic outputs you can use if needed:

Option Description Default
exit_code exit code from binary
rule_breaches Details of any rule breaches that occur

Configure GitHub code scanning

Bearer CLI supports GitHub code scanning. By using the SARIF output format, you can display security report findings directly in the Security tab of your repository.

Bearer CLI results in GitHub security tab

To enable this feature, update your action configuration to include new permissions, new format and outputs, and an additional step. Here's an example configuration:

name: Bearer

on:
push:
branches:
- main

permissions:
contents: read

jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Bearer
uses: bearer/bearer-action@v2
with:
format: sarif
output: results.sarif
- name: Upload SARIF file
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif

By setting the format and output path, and adding a new upload step, the action will upload SARIF-formatted findings to GitHub's code scanner.

Pull Request Diff

When the Bearer action is being used to check a pull request, you can tell the action to only report findings introduced within the pull request by setting the diff input parameter to true.

name: Bearer PR Check

on:
pull_request:
types: [opened, synchronize, reopened]

permissions:
contents: read

jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Bearer
uses: bearer/bearer-action@v2
with:
diff: true

See our guide on configuring a scan for more information on differential scans.

Code Review Comments

Bearer CLI supports Reviewdog rdjson format so you can use any of the reviewdog reporters to quickly add bearer feedback directly to your pull requests.

Bearer CLI results in Github PR

name: Bearer PR Check

on:
pull_request:
types: [opened, synchronize, reopened]

permissions:
contents: read
pull-requests: write

jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
- name: Bearer
uses: bearer/bearer-action@v2
with:
format: rdjson
output: rd.json
diff: true
- name: Run reviewdog
if: always()
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review

Integrate with Defect Dojo

We can monitor findings with Defect Dojo by using the gitlab-sast format and the v2 API. Make sure to update the instance url and set the necessary secrets.

name: Bearer Defect Dojo

on:
push:
branches:
- main

permissions:
contents: read

jobs:
rule_check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Report
id: report
uses: bearer/bearer-action@v2
with:
format: gitlab-sast
output: gl-sast-report.json
- name: Defect Dojo
if: always()
env:
DD_TOKEN: ${{ secrets.DD_TOKEN}}
DD_APP: ${{ secrets.DD_APP}}
DD_ENGAGEMENT: ${{ secrets.DD_ENGAGEMENT}}
run: |
curl -X POST -F "file=@gl-sast-report.json" -F "product_name=$DD_APP" -F "engagement_name=$DD_ENGAGEMENT" -F "scan_type=GitLab SAST Report" -H "Authorization: Token $DD_TOKEN" http://example.com/api/v2/import-scan/

Make the most of Bearer

For more ways to use Bearer, check out the different report types, available rules, supported data types.

Have a question or need help? Join our Discord community or open an issue on GitHub.

Ready to take the next step? Learn more about Bearer Cloud.