Using the GitHub Action

Running Bearer from the CLI is great, but if you want it integrated directly with your Git workflow there's nothing easier than a GitHub Action. If you're unfamiliar with GitHub Actions, GitHub has a primer available. You can also see how the action works directly on our Bear Publishing example app.

Getting started

You can view the action here, or follow along below.

Workflows live in the .github/workflows/ directory of your repository. Start by creating a bearer.yml file in that directory.

We recommend the following config in .github/workflows/bearer.yml to run Bearer's security report:

name: Bearer

on:
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2

This runs the security report on every push to main, writes the results to the job summary in GitHub, and marks the run as passed or failed according to whether Bearer's default rules pass. The permissions block limits the job's GITHUB_TOKEN to read-only repository access, which is all a scan needs; widen it only for steps that require more (the SARIF upload and pull request comment examples below each add a single extra permission). As with any third-party action, consider pinning bearer/bearer-action to a full commit SHA instead of a moving tag if your supply-chain policy calls for it.

Further configuration

Just as with the CLI app, you can configure the action to meet the needs of your project. Set inputs using the with key. Here's an example using the config-file, skip-path, and only-rule inputs:

steps:
  - uses: actions/checkout@v3
  - name: Bearer
    uses: bearer/bearer-action@v2
    with:
      config-file: '/some/path/bearer.yml'
      only-rule: 'ruby_lang_cookies,ruby_lang_http_post_insecure_with_data'
      skip-path: 'users/*.go,users/admin.sql'

The following is a list of the available inputs and outputs:

Inputs

version

Specify the Bearer version to use. This must match a Bearer release name. (Optional)

scanner

Comma-separated list of scanners to run, e.g. secrets,sast (the equivalent of the CLI's --scanner flag). (Optional)

config-file

Path to a Bearer configuration file. (Optional)

bearer-ignore-file

Path to a bearer.ignore file. (Optional)

only-rule

Specify the comma-separated ids of the rules you would like to run. Skips all other rules. (Optional)

skip-rule

Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. (Optional)

skip-path

Comma-separated list of files and directories to skip. Supports * glob syntax, e.g. users/*.go,users/admin.sql (the equivalent of the CLI's --skip-path flag). (Optional)

exclude-fingerprint

Specify the comma-separated fingerprints of the findings you would like to exclude from the report. (Optional)

severity

Specify which severities are included in the report as a comma separated string (Optional)

format

Specify which format to use for the report (json, yaml, sarif, gitlab-sast, rdjson). (Optional)

output

Specify where to store the report (Optional)

api-key

For use with Bearer Cloud (Optional)

diff

Enable differential scanning. Only supported for pull request events (Optional)

exit-code

Force a specific exit code when findings are reported, for example 0 to report findings without failing the job. (Optional)

Outputs

rule_breaches

Details of any rule breaches that occur (Optional)

exit_code

Exit code returned by the Bearer binary. (Optional)

Configure GitHub code scanning

Bearer CLI supports GitHub code scanning. By using the SARIF output format, you can display security report findings directly in the Security tab of your repository.

Bearer CLI results in GitHub security tab

To enable this, update your workflow to grant the security-events: write permission, set the format and output inputs, and add an upload step. Here's an example configuration:

name: Bearer

on:
  push:
    branches:
      - main

permissions:
  contents: read
  # Add the security-events permission
  security-events: write

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
          # Include these two options
          format: sarif
          output: results.sarif
      # Add a new step to upload the SARIF file
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

Setting the format and output inputs and adding the upload step sends SARIF-formatted findings to GitHub code scanning. The upload step carries if: always() because the Bearer step fails the job when rules break, and the upload must still run in that case; without it, the findings you most want to see in the Security tab are exactly the ones that never get uploaded.
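As an added example (not Bearer's code and not part of the original page), here is a small Python script that reads the results.sarif written by the step above, prints a per-level and per-rule summary, and exits nonzero if anything at or above a chosen SARIF level is present. It relies only on fields the SARIF 2.1.0 standard defines (runs[].results[] with ruleId, level, message.text and locations[].physicalLocation); how Bearer populates those fields should be checked against a real report. The sample report embedded in the script and the file name sarif_gate.py are constructed for the demo.

```python
"""Summarise a SARIF 2.1.0 report and apply a severity gate.

Added example (not part of Bearer or of the original page). Reads the
results.sarif produced by the scan step and counts findings per SARIF
level, using only fields defined by the SARIF 2.1.0 standard. The
SAMPLE_SARIF below is constructed for this demo and is not real Bearer
output; any real tool's field usage should be checked against its reports.
"""
import json
import sys
from collections import Counter

# SARIF result levels, least to most severe. A result with no "level"
# defaults to "warning" per the SARIF 2.1.0 specification.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}
DEFAULT_LEVEL = "warning"

# Constructed sample: two rule ids from the page, three results, mixed levels.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "ruby_lang_cookies", "level": "warning",
             "message": {"text": "Sensitive data in cookie"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/controllers/users.rb"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "ruby_lang_http_post_insecure_with_data", "level": "error",
             "message": {"text": "Sensitive data sent over insecure HTTP"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "lib/export.rb"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "ruby_lang_cookies",  # no level: defaults to warning
             "message": {"text": "Sensitive data in cookie"},
             "locations": []},
        ],
    }],
}


def normalize_level(level):
    """Map a result's level onto a known SARIF level, defaulting to warning."""
    return level if level in LEVEL_RANK else DEFAULT_LEVEL


def summarize(sarif):
    """Return counts per level and per rule plus a flat list of findings."""
    by_level, by_rule, findings = Counter(), Counter(), []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            level = normalize_level(result.get("level", DEFAULT_LEVEL))
            rule_id = result.get("ruleId", "<unknown>")
            by_level[level] += 1
            by_rule[rule_id] += 1
            phys = {}
            if result.get("locations"):  # a result may carry no location
                phys = result["locations"][0].get("physicalLocation", {})
            findings.append({
                "rule": rule_id,
                "level": level,
                "file": phys.get("artifactLocation", {}).get("uri", "<no location>"),
                "line": phys.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return {"by_level": dict(by_level), "by_rule": dict(by_rule), "findings": findings}


def should_fail(summary, threshold="warning"):
    """True when at least one finding sits at or above the threshold level."""
    floor = LEVEL_RANK[threshold]
    return any(LEVEL_RANK[lvl] >= floor and n > 0
               for lvl, n in summary["by_level"].items())


def main(argv):
    # Usage: python3 sarif_gate.py [results.sarif] [threshold]
    # With no path the constructed sample is used, so the script runs offline.
    sarif = SAMPLE_SARIF
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    threshold = argv[2] if len(argv) > 2 else "warning"
    if threshold not in LEVEL_RANK:
        print(f"unknown threshold {threshold!r}; use one of {', '.join(LEVEL_RANK)}")
        return 2
    summary = summarize(sarif)
    for f in summary["findings"]:
        where = f"{f['file']}:{f['line']}" if f["line"] is not None else f["file"]
        print(f"[{f['level']}] {f['rule']} {where}: {f['message']}")
    print("per level:", summary["by_level"], "| per rule:", summary["by_rule"])
    return 1 if should_fail(summary, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would sit between the scan and upload steps as a run step such as python3 sarif_gate.py results.sarif error, and it needs if: always() for the same reason the upload step does: the Bearer step has already failed the job by the time there is anything to summarise.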

Pull Request Diff

When the action runs on a pull request, you can tell it to report only findings introduced by that pull request by setting the diff input to true.

name: Bearer PR Check

on:
  # Diff can only be used with pull_request events
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
          # Add diff option
          diff: true

See our guide on configuring a scan for more information on differential scans.

Code Review Comments

Bearer CLI supports the Reviewdog rdjson format, so you can use any of the reviewdog reporters to add Bearer feedback directly to your pull requests. Note that for pull requests opened from forks the GITHUB_TOKEN is read-only, so the github-pr-review reporter will not be able to post comments on those.

Bearer CLI results in GitHub PR

name: Bearer PR Check

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  # Add the pull-requests permission
  pull-requests: write

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Install reviewdog
      - uses: reviewdog/action-setup@v1
        with:
          reviewdog_version: latest
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
          # Use rdjson output, and only report changes from your PR
          format: rdjson
          output: rd.json
          diff: true
      # Always run reviewdog; otherwise GitHub skips the step when a scan fails
      - name: Run reviewdog
        if: always()
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          reviewdog -f=rdjson -reporter=github-pr-review < rd.json

Integrate with Defect Dojo

You can monitor findings in Defect Dojo by using the gitlab-sast format and Defect Dojo's v2 import API. Replace the instance URL with your own (use https, since the request carries your API token in a header) and set the required secrets. The --fail flag on curl makes the step fail when the import is rejected rather than silently reporting success.

name: Bearer Defect Dojo

on:
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
          format: gitlab-sast
          output: gl-sast-report.json
      - name: Defect Dojo
        if: always()
        env:
          DD_TOKEN: ${{ secrets.DD_TOKEN }}
          DD_APP: ${{ secrets.DD_APP }}
          DD_ENGAGEMENT: ${{ secrets.DD_ENGAGEMENT }}
        run: |
          curl --fail -sS -X POST \
            -F "file=@gl-sast-report.json" \
            -F "product_name=$DD_APP" \
            -F "engagement_name=$DD_ENGAGEMENT" \
            -F "scan_type=GitLab SAST Report" \
            -H "Authorization: Token $DD_TOKEN" \
            https://example.com/api/v2/import-scan/

Make the most of Bearer

For more ways to use Bearer, check out the different report types, available rules, and supported data types.

Have a question or need help? Join our Discord community or open an issue on GitHub.

Ready to take the next step? Learn more about Bearer Cloud.