Commands

Bearer CLI offers a number of commands to use and customize the CLI to your needs.

bearer scan

Scan a directory or file

bearer scan [flags] <path>

Flags

| Name | Description | Default Value | Environment Variables |
| --- | --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | | BEARER_API_KEY |
| --config-file | Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE |
| --context | Expand context of schema classification e.g., --context=health, to include data types particular to health | | BEARER_CONTEXT |
| --data-subject-mapping | Override default data subject mapping by providing a path to a custom mapping JSON file | | BEARER_DATA_SUBJECT_MAPPING |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG |
| --diff | Only report differences in findings relative to a base branch. | false | BEARER_DIFF |
| --disable-default-rules | Disables all default and built-in rules. | false | BEARER_DISABLE_DEFAULT_RULES |
| --disable-domain-resolution | Do not attempt to resolve detected domains during classification | true | BEARER_DISABLE_DOMAIN_RESOLUTION |
| --disable-version-check | Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK |
| --domain-resolution-timeout | Set timeout when attempting to resolve detected domains during classification, e.g. --domain-resolution-timeout=3s | 3s | BEARER_DOMAIN_RESOLUTION_TIMEOUT |
| --exit-code | Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan. | -1 | BEARER_EXIT_CODE |
| --external-rule-dir | Specify directory paths that contain .yaml files with external rules configuration | [] | BEARER_EXTERNAL_RULE_DIR |
| --fail-on-severity | Specify which severities cause the report to fail. Works in conjunction with --exit-code. | critical,high,medium,low | BEARER_FAIL_ON_SEVERITY |
| --force | Disable the cache and run the detections again | false | BEARER_FORCE |
| -f, --format | Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) | | BEARER_FORMAT |
| -h, --help | help for scan | false | |
| --hide-progress-bar | Hide progress bar from output | false | BEARER_HIDE_PROGRESS_BAR |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE |
| --internal-domains | Define regular expressions for better classification of private or unreachable domains e.g. `--internal-domains=".*.my-company.com,private.sh"` | [] | BEARER_INTERNAL_DOMAINS |
| --log-level | Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL |
| --no-color | Disable color in output | false | BEARER_NO_COLOR |
| --only-rule | Specify the comma-separated ids of the rules you would like to run. Skips all other rules. | [] | BEARER_ONLY_RULE |
| --output | Specify the output path for the report. | | BEARER_OUTPUT |
| --parallel | Specify the amount of parallelism to use during the scan | 0 | BEARER_PARALLEL |
| --quiet | Suppress non-essential messages | false | BEARER_QUIET |
| --report | Specify the type of report (security, privacy, dataflow). | security | BEARER_REPORT |
| --scanner | Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast | [sast] | BEARER_SCANNER,SCANNER |
| --severity | Specify which severities are included in the report. | critical,high,medium,low,warning | BEARER_SEVERITY |
| --skip-path | Specify the comma-separated files and directories to skip. Supports `*` syntax, e.g. `--skip-path users/*.go,users/admin.sql` | [] | BEARER_SKIP_PATH |
| --skip-rule | Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. | [] | BEARER_SKIP_RULE |
| --skip-test | Disable automatic skipping of test files | true | BEARER_SKIP_TEST |

Usage

  # Scan a local project, including language-specific files
  $ bearer scan /path/to/your_project
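
A CI wrapper built only from the scan flags documented above, as an added example that is not part of the Bearer documentation: one mode fails a pull-request job on critical/high findings through --fail-on-severity, the other records every severity and forces success with --exit-code=0. The function names, the `gate`/`audit` mode names and the report file name are assumptions of this example, and target paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: build `bearer scan` arguments for two CI modes.
# Mode names, function names and the report path are assumptions.

# bearer_scan_args MODE TARGET [REPORT_FILE]
#   gate  - pull-request check: only critical/high findings fail the job
#   audit - scheduled run: record every severity, never fail the job
bearer_scan_args() {
    mode=$1
    target=$2
    report=${3:-bearer-report.sarif}

    # Shared flags: both scanners, SARIF written to a file, CI-friendly output.
    args="scan --scanner=secrets,sast --format=sarif --output=$report --hide-progress-bar --quiet"

    case $mode in
        gate)
            # Narrow the failing severities; lower severities are still reported.
            args="$args --fail-on-severity=critical,high"
            ;;
        audit)
            # Report everything, but always exit 0 so the job only collects data.
            args="$args --severity=critical,high,medium,low,warning --exit-code=0"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
    printf '%s %s\n' "$args" "$target"
}

# run_bearer_scan MODE TARGET [REPORT_FILE]
# Invokes the CLI and hands its exit status back to the CI runner unchanged.
run_bearer_scan() {
    args=$(bearer_scan_args "$@") || return $?
    # Word splitting is intentional: args is a flat flag list built above.
    # shellcheck disable=SC2086
    bearer $args
}
```
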

Aliases

In addition to the primary bearer scan command, you can also use s in place of it.

bearer init

Generates a default config to `bearer.yml`

bearer init [flags]

Flags

| Name | Description | Default Value | Environment Variables |
| --- | --- | --- | --- |
| -h, --help | help for init | false | |

Aliases

In addition to the primary bearer init command, you can also use in place of it.

bearer ignore add

Add an ignored fingerprint

bearer ignore add <fingerprint> [flags]

Flags

| Name | Description | Default Value | Environment Variables |
| --- | --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | | BEARER_API_KEY |
| -a, --author | Add author information to this ignored finding. (default output of "git config user.name") | | BEARER_AUTHOR |
| --comment | Add a comment to this ignored finding. | | BEARER_COMMENT |
| --config-file | Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG |
| --disable-version-check | Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK |
| --false-positive | Mark this ignored finding as a false positive. | false | BEARER_FALSE_POSITIVE |
| --force | Overwrite an existing ignored finding. | false | BEARER_FORCE |
| -h, --help | help for add | false | |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE |
| --log-level | Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL |
| --no-color | Disable color in output | false | BEARER_NO_COLOR |

Usage

# Add an ignored fingerprint to your ignore file
$ bearer ignore add <fingerprint> --author Mish --comment "Possible false positive"

Aliases

In addition to the primary bearer ignore add command, you can also use in place of it.

bearer ignore show

Show an ignored fingerprint

bearer ignore show <fingerprint> [flags]

Flags

| Name | Description | Default Value | Environment Variables |
| --- | --- | --- | --- |
| --all | Show all ignored fingerprints. | false | BEARER_ALL |
| --api-key | Use your Bearer API Key to send the report to Bearer. | | BEARER_API_KEY |
| --config-file | Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG |
| --disable-version-check | Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK |
| -h, --help | help for show | false | |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE |
| --log-level | Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL |
| --no-color | Disable color in output | false | BEARER_NO_COLOR |

Usage

# Show the details of an ignored fingerprint from your ignore file
$ bearer ignore show <fingerprint>

Aliases

In addition to the primary bearer ignore show command, you can also use in place of it.

bearer ignore remove

Remove an ignored fingerprint

bearer ignore remove <fingerprint> [flags]

Flags

| Name | Description | Default Value | Environment Variables |
| --- | --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | | BEARER_API_KEY |
| --config-file | Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG |
| --disable-version-check | Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK |
| -h, --help | help for remove | false | |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE |
| --log-level | Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL |
| --no-color | Disable color in output | false | BEARER_NO_COLOR |

Usage

# Remove an ignored fingerprint from your ignore file
$ bearer ignore remove <fingerprint>

Aliases

In addition to the primary bearer ignore remove command, you can also use in place of it.

bearer ignore migrate

Migrate ignored fingerprints from bearer.yml to ignore file

bearer ignore migrate [flags]

Flags

| Name | Description | Default Value | Environment Variables |
| --- | --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | | BEARER_API_KEY |
| --config-file | Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG |
| --disable-version-check | Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK |
| --force | Overwrite an existing ignored finding. | false | BEARER_FORCE |
| -h, --help | help for migrate | false | |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE |
| --log-level | Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL |
| --no-color | Disable color in output | false | BEARER_NO_COLOR |

Usage

# Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file
$ bearer ignore migrate

Aliases

In addition to the primary bearer ignore migrate command, you can also use in place of it.

bearer version

Print the version

bearer version [flags]

Flags

| Name | Description | Default Value | Environment Variables |
| --- | --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | | BEARER_API_KEY |
| --config-file | Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG |
| --disable-version-check | Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK |
| -h, --help | help for version | false | |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE |
| --log-level | Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL |
| --no-color | Disable color in output | false | BEARER_NO_COLOR |

Aliases

In addition to the primary bearer version command, you can also use in place of it.