Commands
Bearer CLI offers a number of commands to use and customize the CLI to your needs.
- scan: Scan a directory or file
- init: Generates a default config to `bearer.yml`
- ignore add: Add an ignored fingerprint
- ignore show: Show an ignored fingerprint
- ignore remove: Remove an ignored fingerprint
- ignore pull: Pull ignored fingerprints from Cloud
- ignore migrate: Migrate ignored fingerprints from bearer.yml to ignore file
- version: Print the version
bearer scan
Scan a directory or file
bearer scan [flags] <path>
Flags
Name | Description | Default Value |
---|---|---|
`--api-key` | Use your Bearer API Key to send the report to Bearer. | |
`--config-file` | Load configuration from the specified path. | bearer.yml |
`--context` | Expand context of schema classification e.g., `--context=health`, to include data types particular to health | |
`--data-subject-mapping` | Override default data subject mapping by providing a path to a custom mapping JSON file | |
`--debug` | Enable debug logs. Equivalent to `--log-level=debug` | false |
`--debug-profile` | Generate profiling data for debugging | false |
`--disable-default-rules` | Disables all default and built-in rules. | false |
`--disable-domain-resolution` | Do not attempt to resolve detected domains during classification | true |
`--disable-version-check` | Disable Bearer version checking | false |
`--domain-resolution-timeout` | Set timeout when attempting to resolve detected domains during classification, e.g. `--domain-resolution-timeout=3s` | 3s |
`--exclude-fingerprint` | Specify the comma-separated fingerprints of the findings you would like to exclude from the report. | [] |
`--exit-code` | Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan. | -1 |
`--external-rule-dir` | Specify directory paths that contain .yaml files with external rules configuration | [] |
`--force` | Disable the cache and run the detections again | false |
`-f`, `--format` | Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) | |
`-h`, `--help` | help for scan | false |
`--host` | Specify the Host for sending the report. | my.bearer.sh |
`--ignore-file` | Load ignore file from the specified path. | bearer.ignore |
`--internal-domains` | Define regular expressions for better classification of private or unreachable domains e.g. `--internal-domains=".*.my-company.com,private.sh"` | [] |
`--log-level` | Set log level (error, info, debug, trace) | info |
`--no-color` | Disable color in output | false |
`--only-rule` | Specify the comma-separated ids of the rules you would like to run. Skips all other rules. | [] |
`--output` | Specify the output path for the report. | |
`--parallel` | Specify the amount of parallelism to use during the scan | 0 |
`--quiet` | Suppress non-essential messages | false |
`--report` | Specify the type of report (security, privacy, dataflow). | security |
`--scanner` | Specify which scanner to use e.g. `--scanner=secrets`, `--scanner=secrets,sast` | [sast] |
`--severity` | Specify which severities are included in the report. | critical,high,medium,low,warning |
`--skip-path` | Specify the comma-separated files and directories to skip. Supports `*` syntax, e.g. `--skip-path users/*.go,users/admin.sql` | [] |
`--skip-rule` | Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. | [] |
Usage
# Scan a local project, including language-specific files
$ bearer scan /path/to/your_project
Aliases
In addition to the primary `scan` command, you can also use `s` in place of it.
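As an added example (not part of the Bearer documentation), the shell functions below combine the `scan` flags listed above into a CI gate: a reporting run always saves a SARIF file by forcing `--exit-code=0`, and a second run limited to `--severity=critical,high` decides pass or fail. The function names, the `reports` directory and the `bearer.sarif` file name are assumptions.

```shell
#!/bin/sh
# Added example: CI gate built only from flags listed in the table above.
# Assumed names (not from the page): the function names, the report
# directory and the bearer.sarif file name.

# Reporting run: write SARIF for later upload. --exit-code=0 forces success
# despite findings, so this step never blocks the report from being saved.
bearer_report() {
    project=$1
    report_dir=$2
    mkdir -p "$report_dir" || return 2
    bearer scan --quiet --format=sarif \
        --output="$report_dir/bearer.sarif" \
        --exit-code=0 "$project"
}

# Gating run: only critical and high findings are included in the report.
# --exit-code is left at its default, so the scan's own status is returned.
bearer_gate() {
    bearer scan --quiet --severity=critical,high "$1"
}

# Returns 0 on pass, 1 when the gate fails, 2 when the report step fails.
bearer_ci() {
    project=$1
    report_dir=${2:-./reports}
    bearer_report "$project" "$report_dir" || return 2
    if bearer_gate "$project"; then
        echo "gate: pass"
    else
        echo "gate: fail (critical/high findings or scan error)" >&2
        return 1
    fi
}

# Usage: bearer_ci /path/to/your_project ./reports
```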
bearer init
Generates a default config to `bearer.yml`
bearer init [flags]
Flags
Name | Description | Default Value |
---|---|---|
`-h`, `--help` | help for init | false |
bearer ignore add
Add an ignored fingerprint
bearer ignore add <fingerprint> [flags]
Flags
Name | Description | Default Value |
---|---|---|
`--api-key` | Use your Bearer API Key to send the report to Bearer. | |
`-a`, `--author` | Add author information to this ignored finding. (default output of "git config user.name") | |
`--comment` | Add a comment to this ignored finding. | |
`--config-file` | Load configuration from the specified path. | bearer.yml |
`--debug` | Enable debug logs. Equivalent to `--log-level=debug` | false |
`--debug-profile` | Generate profiling data for debugging | false |
`--disable-version-check` | Disable Bearer version checking | false |
`--false-positive` | Mark this ignored finding as a false positive. | false |
`--force` | Overwrite an existing ignored finding. | false |
`-h`, `--help` | help for add | false |
`--host` | Specify the Host for sending the report. | my.bearer.sh |
`--ignore-file` | Load ignore file from the specified path. | bearer.ignore |
`--log-level` | Set log level (error, info, debug, trace) | info |
`--no-color` | Disable color in output | false |
Usage
# Add an ignored fingerprint to your ignore file
$ bearer ignore add <fingerprint> --author Mish --comment "Possible false positive"
bearer ignore show
Show an ignored fingerprint
bearer ignore show <fingerprint> [flags]
Flags
Name | Description | Default Value |
---|---|---|
`--all` | Show all ignored fingerprints. | false |
`--api-key` | Use your Bearer API Key to send the report to Bearer. | |
`--config-file` | Load configuration from the specified path. | bearer.yml |
`--debug` | Enable debug logs. Equivalent to `--log-level=debug` | false |
`--debug-profile` | Generate profiling data for debugging | false |
`--disable-version-check` | Disable Bearer version checking | false |
`-h`, `--help` | help for show | false |
`--host` | Specify the Host for sending the report. | my.bearer.sh |
`--ignore-file` | Load ignore file from the specified path. | bearer.ignore |
`--log-level` | Set log level (error, info, debug, trace) | info |
`--no-color` | Disable color in output | false |
Usage
# Show the details of an ignored fingerprint from your ignore file
$ bearer ignore show <fingerprint>
bearer ignore remove
Remove an ignored fingerprint
bearer ignore remove <fingerprint> [flags]
Flags
Name | Description | Default Value |
---|---|---|
`--api-key` | Use your Bearer API Key to send the report to Bearer. | |
`--config-file` | Load configuration from the specified path. | bearer.yml |
`--debug` | Enable debug logs. Equivalent to `--log-level=debug` | false |
`--debug-profile` | Generate profiling data for debugging | false |
`--disable-version-check` | Disable Bearer version checking | false |
`-h`, `--help` | help for remove | false |
`--host` | Specify the Host for sending the report. | my.bearer.sh |
`--ignore-file` | Load ignore file from the specified path. | bearer.ignore |
`--log-level` | Set log level (error, info, debug, trace) | info |
`--no-color` | Disable color in output | false |
Usage
# Remove an ignored fingerprint from your ignore file
$ bearer ignore remove <fingerprint>
bearer ignore pull
Pull ignored fingerprints from Cloud
bearer ignore pull <path> [flags]
Flags
Name | Description | Default Value |
---|---|---|
`--api-key` | Use your Bearer API Key to send the report to Bearer. | |
`--config-file` | Load configuration from the specified path. | bearer.yml |
`--debug` | Enable debug logs. Equivalent to `--log-level=debug` | false |
`--debug-profile` | Generate profiling data for debugging | false |
`--disable-version-check` | Disable Bearer version checking | false |
`-h`, `--help` | help for pull | false |
`--host` | Specify the Host for sending the report. | my.bearer.sh |
`--ignore-file` | Load ignore file from the specified path. | bearer.ignore |
`--log-level` | Set log level (error, info, debug, trace) | info |
`--no-color` | Disable color in output | false |
Usage
# Pull ignored fingerprints from the Cloud (requires API key)
$ bearer ignore pull /path/to/your_project --api-key=XXXXX
bearer ignore migrate
Migrate ignored fingerprints from bearer.yml to ignore file
bearer ignore migrate [flags]
Flags
Name | Description | Default Value |
---|---|---|
`--api-key` | Use your Bearer API Key to send the report to Bearer. | |
`--config-file` | Load configuration from the specified path. | bearer.yml |
`--debug` | Enable debug logs. Equivalent to `--log-level=debug` | false |
`--debug-profile` | Generate profiling data for debugging | false |
`--disable-version-check` | Disable Bearer version checking | false |
`--force` | Overwrite an existing ignored finding. | false |
`-h`, `--help` | help for migrate | false |
`--host` | Specify the Host for sending the report. | my.bearer.sh |
`--ignore-file` | Load ignore file from the specified path. | bearer.ignore |
`--log-level` | Set log level (error, info, debug, trace) | info |
`--no-color` | Disable color in output | false |
Usage
# Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file
$ bearer ignore migrate
bearer version
Print the version
bearer version [flags]
Flags
Name | Description | Default Value |
---|---|---|
`--api-key` | Use your Bearer API Key to send the report to Bearer. | |
`--config-file` | Load configuration from the specified path. | bearer.yml |
`--debug` | Enable debug logs. Equivalent to `--log-level=debug` | false |
`--debug-profile` | Generate profiling data for debugging | false |
`--disable-version-check` | Disable Bearer version checking | false |
`-h`, `--help` | help for version | false |
`--host` | Specify the Host for sending the report. | my.bearer.sh |
`--ignore-file` | Load ignore file from the specified path. | bearer.ignore |
`--log-level` | Set log level (error, info, debug, trace) | info |
`--no-color` | Disable color in output | false |