Commands

Bearer CLI offers a number of commands to use and customize the CLI to your needs.

bearer scan

Scan a directory or file

bearer scan [flags] <path>

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | |
| --config-file | Load configuration from the specified path. | bearer.yml |
| --context | Expand context of schema classification e.g., --context=health, to include data types particular to health | |
| --data-subject-mapping | Override default data subject mapping by providing a path to a custom mapping JSON file | |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false |
| --debug-profile | Generate profiling data for debugging | false |
| --disable-default-rules | Disables all default and built-in rules. | false |
| --disable-domain-resolution | Do not attempt to resolve detected domains during classification | true |
| --disable-version-check | Disable Bearer version checking | false |
| --domain-resolution-timeout | Set timeout when attempting to resolve detected domains during classification, e.g. --domain-resolution-timeout=3s | 3s |
| --exclude-fingerprint | Specify the comma-separated fingerprints of the findings you would like to exclude from the report. | [] |
| --exit-code | Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan. | -1 |
| --external-rule-dir | Specify directory paths that contain .yaml files with external rules configuration | [] |
| --force | Disable the cache and run the detections again | false |
| -f, --format | Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) | |
| -h, --help | help for scan | false |
| --host | Specify the Host for sending the report. | my.bearer.sh |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore |
| --internal-domains | Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains=".*.my-company.com,private.sh" | [] |
| --log-level | Set log level (error, info, debug, trace) | info |
| --no-color | Disable color in output | false |
| --only-rule | Specify the comma-separated ids of the rules you would like to run. Skips all other rules. | [] |
| --output | Specify the output path for the report. | |
| --parallel | Specify the amount of parallelism to use during the scan | 0 |
| --quiet | Suppress non-essential messages | false |
| --report | Specify the type of report (security, privacy, dataflow). | security |
| --scanner | Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast | [sast] |
| --severity | Specify which severities are included in the report. | critical,high,medium,low,warning |
| --skip-path | Specify the comma-separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql | [] |
| --skip-rule | Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. | [] |

Usage

  # Scan a local project, including language-specific files
  $ bearer scan /path/to/your_project

Aliases

You can also use `s` in place of the primary `scan` command.
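A two-pass CI gate built only from the scan flags listed above. This is an added example, not taken from the Bearer documentation: the function name `bearer_ci_gate` and the report directory are assumptions, and the second pass assumes that a scan with findings exits non-zero unless `--exit-code` forces otherwise, as the `--exit-code` description implies.

```shell
#!/usr/bin/env bash
# Added example (not from the Bearer docs). bearer_ci_gate and the
# report directory name are hypothetical; every flag used here is
# taken from the "bearer scan" flag table.

bearer_ci_gate() {
  project="$1"
  report_dir="${2:-bearer-reports}"
  mkdir -p "$report_dir" || return 2

  # Pass 1: archive a full SARIF report for triage. --exit-code=0 keeps
  # this step from failing the job, so the report is always written.
  bearer scan \
    --scanner=secrets,sast \
    --format=sarif \
    --output="$report_dir/full.sarif" \
    --exit-code=0 \
    --quiet \
    "$project" || return 2

  # Pass 2: the gate. Only critical and high findings are reported, and
  # the scan's own exit code (not forced) becomes the function's status.
  bearer scan \
    --scanner=secrets,sast \
    --severity=critical,high \
    --format=json \
    --output="$report_dir/gate.json" \
    --quiet \
    "$project"
}

# Usage in a pipeline step:
#   bearer_ci_gate /path/to/your_project bearer-reports || exit 1
```

Lower-severity findings stay visible in the archived SARIF file without blocking the build, while the gate fails only on the severities passed to `--severity`.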

bearer init

Generates a default config to `bearer.yml`

bearer init [flags]

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| -h, --help | help for init | false |

bearer ignore add

Add an ignored fingerprint

bearer ignore add <fingerprint> [flags]

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | |
| -a, --author | Add author information to this ignored finding. | output of "git config user.name" |
| --comment | Add a comment to this ignored finding. | |
| --config-file | Load configuration from the specified path. | bearer.yml |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false |
| --debug-profile | Generate profiling data for debugging | false |
| --disable-version-check | Disable Bearer version checking | false |
| --false-positive | Mark this ignored finding as a false positive. | false |
| --force | Overwrite an existing ignored finding. | false |
| -h, --help | help for add | false |
| --host | Specify the Host for sending the report. | my.bearer.sh |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore |
| --log-level | Set log level (error, info, debug, trace) | info |
| --no-color | Disable color in output | false |

Usage

# Add an ignored fingerprint to your ignore file
$ bearer ignore add <fingerprint> --author Mish --comment "Possible false positive"

bearer ignore show

Show an ignored fingerprint

bearer ignore show <fingerprint> [flags]

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| --all | Show all ignored fingerprints. | false |
| --api-key | Use your Bearer API Key to send the report to Bearer. | |
| --config-file | Load configuration from the specified path. | bearer.yml |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false |
| --debug-profile | Generate profiling data for debugging | false |
| --disable-version-check | Disable Bearer version checking | false |
| -h, --help | help for show | false |
| --host | Specify the Host for sending the report. | my.bearer.sh |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore |
| --log-level | Set log level (error, info, debug, trace) | info |
| --no-color | Disable color in output | false |

Usage

# Show the details of an ignored fingerprint from your ignore file
$ bearer ignore show <fingerprint>

bearer ignore remove

Remove an ignored fingerprint

bearer ignore remove <fingerprint> [flags]

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | |
| --config-file | Load configuration from the specified path. | bearer.yml |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false |
| --debug-profile | Generate profiling data for debugging | false |
| --disable-version-check | Disable Bearer version checking | false |
| -h, --help | help for remove | false |
| --host | Specify the Host for sending the report. | my.bearer.sh |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore |
| --log-level | Set log level (error, info, debug, trace) | info |
| --no-color | Disable color in output | false |

Usage

# Remove an ignored fingerprint from your ignore file
$ bearer ignore remove <fingerprint>

bearer ignore pull

Pull ignored fingerprints from Cloud

bearer ignore pull <path> [flags]

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | |
| --config-file | Load configuration from the specified path. | bearer.yml |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false |
| --debug-profile | Generate profiling data for debugging | false |
| --disable-version-check | Disable Bearer version checking | false |
| -h, --help | help for pull | false |
| --host | Specify the Host for sending the report. | my.bearer.sh |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore |
| --log-level | Set log level (error, info, debug, trace) | info |
| --no-color | Disable color in output | false |

Usage

# Pull ignored fingerprints from the Cloud (requires API key)
$ bearer ignore pull /path/to/your_project --api-key=XXXXX

bearer ignore migrate

Migrate ignored fingerprints from bearer.yml to ignore file

bearer ignore migrate [flags]

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | |
| --config-file | Load configuration from the specified path. | bearer.yml |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false |
| --debug-profile | Generate profiling data for debugging | false |
| --disable-version-check | Disable Bearer version checking | false |
| --force | Overwrite an existing ignored finding. | false |
| -h, --help | help for migrate | false |
| --host | Specify the Host for sending the report. | my.bearer.sh |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore |
| --log-level | Set log level (error, info, debug, trace) | info |
| --no-color | Disable color in output | false |

Usage

# Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file
$ bearer ignore migrate

bearer version

Print the version

bearer version [flags]

Flags

| Name | Description | Default Value |
| --- | --- | --- |
| --api-key | Use your Bearer API Key to send the report to Bearer. | |
| --config-file | Load configuration from the specified path. | bearer.yml |
| --debug | Enable debug logs. Equivalent to --log-level=debug | false |
| --debug-profile | Generate profiling data for debugging | false |
| --disable-version-check | Disable Bearer version checking | false |
| -h, --help | help for version | false |
| --host | Specify the Host for sending the report. | my.bearer.sh |
| --ignore-file | Load ignore file from the specified path. | bearer.ignore |
| --log-level | Set log level (error, info, debug, trace) | info |
| --no-color | Disable color in output | false |
