Guides

Using the GitHub Action

Running Bearer from the CLI is great, but if you want it integrated directly with your Git workflow there's nothing easier than a GitHub action. If you're unfamiliar with GitHub actions, here's a primer available from GitHub. You can also see how the action works directly on our Bear Publishing example app.

Getting started

You can view the action here, or follow along below.

Actions live in the .github/workflows/ directory within your repository. Start by creating a bearer.yml file in the workflows directory.

We recommend the following config in .github/workflows/bearer.yml to run Bearer's security report:

name: Bearer

on:
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  rule_check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v1.0
      - id: summary
        name: Display Summary
        uses: actions/github-script@v6
        with:
          script: |
            // github does not support multiline outputs so report is encoded
            const report = decodeURIComponent(`$`);
            const passed = `$` == "0";
            if(!passed){ core.setFailed(report); }

This will run the security report, display the results to the action summary screen within GitHub, and flag the action as pass or fail based on whether Bearer's default rules pass or fail.

Further configuration

Just as with the CLI app, you can configure the action to meet the needs of your project. Set custom inputs and outputs using the with key. Here's an example using the config-file, skip-path, and only-rule flags:

steps:
  - uses: actions/checkout@v3
  - name: Bearer
    uses: bearer/bearer-action@v1.0
    with:
      config-file: '/some/path/bearer.yml'
      only-rule: 'ruby_lang_cookies,ruby_lang_http_post_insecure_with_data'
      skip-path: 'users/*.go,users/admin.sql'

The following are a list of available inputs and outputs:

Inputs

`scanner`

Optional Specify the comma-separated scanner to use e.g. sast,secrets

`config-file`

Optional Bearer configuration file path

`only-rule`

Optional Specify the comma-separated IDs of the rules to run; skips all other rules.

`skip-rule`

Optional Specify the comma-separated IDs of the rules to skip; runs all other rules.

`skip-path`

Optional Specify the comma-separated paths to skip. Supports wildcard syntax, e.g. users/*.go,users/admin.sql

Outputs

`rule_breaches`

Details of any rule breaches that occur. This is URL encoded to work round GitHub issues with multiline outputs.

`exit_code`

Exit code of the bearer binary, 0 indicates a pass

Make the most of Bearer

For more ways to use Bearer, check out the different report types, available rules, supported data types.

Have a question or need help? Join our Discord community or open an issue on GitHub.