Reference

Commands

Bearer CLI offers a number of commands to use and customize the CLI to your needs.

bearer scan: Scan a directory or file
bearer init: Generates a default config to `bearer.yml`
bearer ignore add: Add an ignored fingerprint
bearer ignore show: Show an ignored fingerprint
bearer ignore remove: Remove an ignored fingerprint
bearer ignore migrate: Migrate ignored fingerprints from bearer.yml to ignore file
bearer version: Print the version

bearer scan

Scan a directory or file

bearer scan [flags] <path>

Flags

Name	Description	Default Value	Environment Variables
`--api-key`	Use your Bearer API Key to send the report to Bearer.		BEARER_API_KEY
`--config-file`	Load configuration from the specified path.	bearer.yml	BEARER_CONFIG_FILE
`--context`	Expand context of schema classification e.g., --context=health, to include data types particular to health		BEARER_CONTEXT
`--data-subject-mapping`	Override default data subject mapping by providing a path to a custom mapping JSON file		BEARER_DATA_SUBJECT_MAPPING
`--debug`	Enable debug logs. Equivalent to --log-level=debug	false	BEARER_DEBUG
`--diff`	Only report differences in findings relative to a base branch.	false	BEARER_DIFF
`--disable-default-rules`	Disables all default and built-in rules.	false	BEARER_DISABLE_DEFAULT_RULES
`--disable-domain-resolution`	Do not attempt to resolve detected domains during classification	true	BEARER_DISABLE_DOMAIN_RESOLUTION
`--disable-version-check`	Disable Bearer version checking	false	BEARER_DISABLE_VERSION_CHECK
`--domain-resolution-timeout`	Set timeout when attempting to resolve detected domains during classification, e.g. --domain-resolution-timeout=3s	3s	BEARER_DOMAIN_RESOLUTION_TIMEOUT
`--exit-code`	Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan.	-1	BEARER_EXIT_CODE
`--external-rule-dir`	Specify directories paths that contain .yaml files with external rules configuration	[]	BEARER_EXTERNAL_RULE_DIR
`--fail-on-severity`	Specify which severities cause the report to fail. Works in conjunction with --exit-code.	critical,high,medium,low	BEARER_FAIL_ON_SEVERITY
`--force`	Disable the cache and runs the detections again	false	BEARER_FORCE
`-f`, `--format`	Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html)		BEARER_FORMAT
`-h`, `--help`	help for scan	false
`--hide-progress-bar`	Hide progress bar from output	false	BEARER_HIDE_PROGRESS_BAR
`--ignore-file`	Load ignore file from the specified path.	bearer.ignore	BEARER_IGNORE_FILE
`--internal-domains`	Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains=".*.my-company.com,private.sh"	[]	BEARER_INTERNAL_DOMAINS
`--log-level`	Set log level (error, info, debug, trace)	info	BEARER_LOG_LEVEL
`--no-color`	Disable color in output	false	BEARER_NO_COLOR
`--only-rule`	Specify the comma-separated ids of the rules you would like to run. Skips all other rules.	[]	BEARER_ONLY_RULE
`--output`	Specify the output path for the report.		BEARER_OUTPUT
`--parallel`	Specify the amount of parallelism to use during the scan	0	BEARER_PARALLEL
`--quiet`	Suppress non-essential messages	false	BEARER_QUIET
`--report`	Specify the type of report (security, privacy, dataflow).	security	BEARER_REPORT
`--scanner`	Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast	[sast]	BEARER_SCANNER,SCANNER
`--severity`	Specify which severities are included in the report.	critical,high,medium,low,warning	BEARER_SEVERITY
`--skip-path`	Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql	[]	BEARER_SKIP_PATH
`--skip-rule`	Specify the comma-separated ids of the rules you would like to skip. Runs all other rules.	[]	BEARER_SKIP_RULE
`--skip-test`	Disable automatic skipping of test files	true	BEARER_SKIP_TEST

Usage

  # Scan a local project, including language-specific files
  $ bearer scan /path/to/your_project

Aliases

In addition to the primary bearer scan command, you can also use s in place of it.

bearer init

Generates a default config to `bearer.yml`

bearer init [flags]

Flags

Name	Description	Default Value	Environment Variables
`-h`, `--help`	help for init	false

Aliases

In addition to the primary bearer init command, you can also use in place of it.

bearer ignore add

Add an ignored fingerprint

bearer ignore add <fingerprint> [flags]

Flags

Name	Description	Default Value	Environment Variables
`--api-key`	Use your Bearer API Key to send the report to Bearer.		BEARER_API_KEY
`-a`, `--author`	Add author information to this ignored finding. (default output of "git config user.name")		BEARER_AUTHOR
`--comment`	Add a comment to this ignored finding.		BEARER_COMMENT
`--config-file`	Load configuration from the specified path.	bearer.yml	BEARER_CONFIG_FILE
`--debug`	Enable debug logs. Equivalent to --log-level=debug	false	BEARER_DEBUG
`--disable-version-check`	Disable Bearer version checking	false	BEARER_DISABLE_VERSION_CHECK
`--false-positive`	Mark an this ignored finding as false positive.	false	BEARER_FALSE_POSITIVE
`--force`	Overwrite an existing ignored finding.	false	BEARER_FORCE
`-h`, `--help`	help for add	false
`--ignore-file`	Load ignore file from the specified path.	bearer.ignore	BEARER_IGNORE_FILE
`--log-level`	Set log level (error, info, debug, trace)	info	BEARER_LOG_LEVEL
`--no-color`	Disable color in output	false	BEARER_NO_COLOR

Usage

# Add an ignored fingerprint to your ignore file
$ bearer ignore add <fingerprint> --author Mish --comment "Possible false positive"

Aliases

In addition to the primary bearer ignore add command, you can also use in place of it.

bearer ignore show

Show an ignored fingerprint

bearer ignore show <fingerprint> [flags]

Flags

Name	Description	Default Value	Environment Variables
`--all`	Show all ignored fingerprints.	false	BEARER_ALL
`--api-key`	Use your Bearer API Key to send the report to Bearer.		BEARER_API_KEY
`--config-file`	Load configuration from the specified path.	bearer.yml	BEARER_CONFIG_FILE
`--debug`	Enable debug logs. Equivalent to --log-level=debug	false	BEARER_DEBUG
`--disable-version-check`	Disable Bearer version checking	false	BEARER_DISABLE_VERSION_CHECK
`-h`, `--help`	help for show	false
`--ignore-file`	Load ignore file from the specified path.	bearer.ignore	BEARER_IGNORE_FILE
`--log-level`	Set log level (error, info, debug, trace)	info	BEARER_LOG_LEVEL
`--no-color`	Disable color in output	false	BEARER_NO_COLOR

Usage

# Show the details of an ignored fingerprint from your ignore file
$ bearer ignore show <fingerprint>

Aliases

In addition to the primary bearer ignore show command, you can also use in place of it.

bearer ignore remove

Remove an ignored fingerprint

bearer ignore remove <fingerprint> [flags]

Flags

Name	Description	Default Value	Environment Variables
`--api-key`	Use your Bearer API Key to send the report to Bearer.		BEARER_API_KEY
`--config-file`	Load configuration from the specified path.	bearer.yml	BEARER_CONFIG_FILE
`--debug`	Enable debug logs. Equivalent to --log-level=debug	false	BEARER_DEBUG
`--disable-version-check`	Disable Bearer version checking	false	BEARER_DISABLE_VERSION_CHECK
`-h`, `--help`	help for remove	false
`--ignore-file`	Load ignore file from the specified path.	bearer.ignore	BEARER_IGNORE_FILE
`--log-level`	Set log level (error, info, debug, trace)	info	BEARER_LOG_LEVEL
`--no-color`	Disable color in output	false	BEARER_NO_COLOR

Usage

# Remove an ignored fingerprint from your ignore file
$ bearer ignore remove <fingerprint>

Aliases

In addition to the primary bearer ignore remove command, you can also use in place of it.

bearer ignore migrate

Migrate ignored fingerprints from bearer.yml to ignore file

bearer ignore migrate [flags]

Flags

Name	Description	Default Value	Environment Variables
`--api-key`	Use your Bearer API Key to send the report to Bearer.		BEARER_API_KEY
`--config-file`	Load configuration from the specified path.	bearer.yml	BEARER_CONFIG_FILE
`--debug`	Enable debug logs. Equivalent to --log-level=debug	false	BEARER_DEBUG
`--disable-version-check`	Disable Bearer version checking	false	BEARER_DISABLE_VERSION_CHECK
`--force`	Overwrite an existing ignored finding.	false	BEARER_FORCE
`-h`, `--help`	help for migrate	false
`--ignore-file`	Load ignore file from the specified path.	bearer.ignore	BEARER_IGNORE_FILE
`--log-level`	Set log level (error, info, debug, trace)	info	BEARER_LOG_LEVEL
`--no-color`	Disable color in output	false	BEARER_NO_COLOR

Usage

# Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file
$ bearer ignore migrate

Aliases

In addition to the primary bearer ignore migrate command, you can also use in place of it.

bearer version

Print the version

bearer version [flags]

Flags

Name	Description	Default Value	Environment Variables
`--api-key`	Use your Bearer API Key to send the report to Bearer.		BEARER_API_KEY
`--config-file`	Load configuration from the specified path.	bearer.yml	BEARER_CONFIG_FILE
`--debug`	Enable debug logs. Equivalent to --log-level=debug	false	BEARER_DEBUG
`--disable-version-check`	Disable Bearer version checking	false	BEARER_DISABLE_VERSION_CHECK
`-h`, `--help`	help for version	false
`--ignore-file`	Load ignore file from the specified path.	bearer.ignore	BEARER_IGNORE_FILE
`--log-level`	Set log level (error, info, debug, trace)	info	BEARER_LOG_LEVEL
`--no-color`	Disable color in output	false	BEARER_NO_COLOR

Aliases

In addition to the primary bearer version command, you can also use in place of it.