Commands
Bearer CLI offers a number of commands to use and customize the CLI to your needs.
- bearer scan: Scan a directory or file
- bearer init: Generates a default config to `bearer.yml`
- bearer ignore add: Add an ignored fingerprint
- bearer ignore show: Show an ignored fingerprint
- bearer ignore remove: Remove an ignored fingerprint
- bearer ignore pull: Pull ignored fingerprints from Cloud
- bearer ignore migrate: Migrate ignored fingerprints from bearer.yml to ignore file
- bearer version: Print the version
bearer scan
Scan a directory or file
bearer scan [flags] <path>Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
--api-key
|
Use your Bearer API Key to send the report to Bearer. | BEARER_API_KEY | ||
--config-file
|
Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE | |
--context
|
Expand context of schema classification e.g., --context=health, to include data types particular to health | BEARER_CONTEXT | ||
--data-subject-mapping
|
Override default data subject mapping by providing a path to a custom mapping JSON file | BEARER_DATA_SUBJECT_MAPPING | ||
--debug
|
Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG | |
--diff
|
Only report differences in findings relative to a base branch. | false | BEARER_DIFF | |
--disable-default-rules
|
Disables all default and built-in rules. | false | BEARER_DISABLE_DEFAULT_RULES | |
--disable-domain-resolution
|
Do not attempt to resolve detected domains during classification | true | BEARER_DISABLE_DOMAIN_RESOLUTION | |
--disable-version-check
|
Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK | |
--domain-resolution-timeout
|
Set timeout when attempting to resolve detected domains during classification, e.g. --domain-resolution-timeout=3s | 3s | BEARER_DOMAIN_RESOLUTION_TIMEOUT | |
--exit-code
|
Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan. | -1 | BEARER_EXIT_CODE | |
--external-rule-dir
|
Specify directories paths that contain .yaml files with external rules configuration | [] | BEARER_EXTERNAL_RULE_DIR | |
--fail-on-severity
|
Specify which severities cause the report to fail. Works in conjunction with --exit-code. | critical,high,medium,low | BEARER_FAIL_ON_SEVERITY | |
--force
|
Disable the cache and runs the detections again | false | BEARER_FORCE | |
-f,
--format
|
Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) | BEARER_FORMAT | ||
-h,
--help
|
help for scan | false | ||
--hide-progress-bar
|
Hide progress bar from output | false | BEARER_HIDE_PROGRESS_BAR | |
--ignore-file
|
Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE | |
--internal-domains
|
Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains=".*.my-company.com,private.sh" | [] | BEARER_INTERNAL_DOMAINS | |
--log-level
|
Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL | |
--no-color
|
Disable color in output | false | BEARER_NO_COLOR | |
--only-rule
|
Specify the comma-separated ids of the rules you would like to run. Skips all other rules. | [] | BEARER_ONLY_RULE | |
--output
|
Specify the output path for the report. | BEARER_OUTPUT | ||
--parallel
|
Specify the amount of parallelism to use during the scan | 0 | BEARER_PARALLEL | |
--quiet
|
Suppress non-essential messages | false | BEARER_QUIET | |
--report
|
Specify the type of report (security, privacy, dataflow). | security | BEARER_REPORT | |
--scanner
|
Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast | [sast] | BEARER_SCANNER,SCANNER | |
--severity
|
Specify which severities are included in the report. | critical,high,medium,low,warning | BEARER_SEVERITY | |
--skip-path
|
Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql | [] | BEARER_SKIP_PATH | |
--skip-rule
|
Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. | [] | BEARER_SKIP_RULE | |
--skip-test
|
Disable automatic skipping of test files | true | BEARER_SKIP_TEST |
Usage
# Scan a local project, including language-specific files
$ bearer scan /path/to/your_projectAliases
In addition to the primary bearer scan command, you can also use s in place of it.
bearer init
Generates a default config to `bearer.yml`
bearer init [flags]Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
-h,
--help
|
help for init | false |
Aliases
In addition to the primary bearer init command, you can also use in place of it.
bearer ignore add
Add an ignored fingerprint
bearer ignore add <fingerprint> [flags]Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
--api-key
|
Use your Bearer API Key to send the report to Bearer. | BEARER_API_KEY | ||
-a,
--author
|
Add author information to this ignored finding. (default output of "git config user.name") | BEARER_AUTHOR | ||
--comment
|
Add a comment to this ignored finding. | BEARER_COMMENT | ||
--config-file
|
Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE | |
--debug
|
Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG | |
--disable-version-check
|
Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK | |
--false-positive
|
Mark an this ignored finding as false positive. | false | BEARER_FALSE_POSITIVE | |
--force
|
Overwrite an existing ignored finding. | false | BEARER_FORCE | |
-h,
--help
|
help for add | false | ||
--ignore-file
|
Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE | |
--log-level
|
Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL | |
--no-color
|
Disable color in output | false | BEARER_NO_COLOR |
Usage
# Add an ignored fingerprint to your ignore file
$ bearer ignore add <fingerprint> --author Mish --comment "Possible false positive"Aliases
In addition to the primary bearer ignore add command, you can also use in place of it.
bearer ignore show
Show an ignored fingerprint
bearer ignore show <fingerprint> [flags]Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
--all
|
Show all ignored fingerprints. | false | BEARER_ALL | |
--api-key
|
Use your Bearer API Key to send the report to Bearer. | BEARER_API_KEY | ||
--config-file
|
Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE | |
--debug
|
Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG | |
--disable-version-check
|
Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK | |
-h,
--help
|
help for show | false | ||
--ignore-file
|
Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE | |
--log-level
|
Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL | |
--no-color
|
Disable color in output | false | BEARER_NO_COLOR |
Usage
# Show the details of an ignored fingerprint from your ignore file
$ bearer ignore show <fingerprint>Aliases
In addition to the primary bearer ignore show command, you can also use in place of it.
bearer ignore remove
Remove an ignored fingerprint
bearer ignore remove <fingerprint> [flags]Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
--api-key
|
Use your Bearer API Key to send the report to Bearer. | BEARER_API_KEY | ||
--config-file
|
Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE | |
--debug
|
Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG | |
--disable-version-check
|
Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK | |
-h,
--help
|
help for remove | false | ||
--ignore-file
|
Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE | |
--log-level
|
Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL | |
--no-color
|
Disable color in output | false | BEARER_NO_COLOR |
Usage
# Remove an ignored fingerprint from your ignore file
$ bearer ignore remove <fingerprint>Aliases
In addition to the primary bearer ignore remove command, you can also use in place of it.
bearer ignore pull
Pull ignored fingerprints from Cloud
bearer ignore pull <path> [flags]Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
--api-key
|
Use your Bearer API Key to send the report to Bearer. | BEARER_API_KEY | ||
--config-file
|
Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE | |
--debug
|
Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG | |
--disable-version-check
|
Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK | |
-h,
--help
|
help for pull | false | ||
--ignore-file
|
Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE | |
--log-level
|
Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL | |
--no-color
|
Disable color in output | false | BEARER_NO_COLOR |
Usage
# Pull ignored fingerprints from the Cloud (requires API key)
$ bearer ignore pull /path/to/your_project --api-key=XXXXXAliases
In addition to the primary bearer ignore pull command, you can also use in place of it.
bearer ignore migrate
Migrate ignored fingerprints from bearer.yml to ignore file
bearer ignore migrate [flags]Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
--api-key
|
Use your Bearer API Key to send the report to Bearer. | BEARER_API_KEY | ||
--config-file
|
Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE | |
--debug
|
Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG | |
--disable-version-check
|
Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK | |
--force
|
Overwrite an existing ignored finding. | false | BEARER_FORCE | |
-h,
--help
|
help for migrate | false | ||
--ignore-file
|
Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE | |
--log-level
|
Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL | |
--no-color
|
Disable color in output | false | BEARER_NO_COLOR |
Usage
# Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file
$ bearer ignore migrateAliases
In addition to the primary bearer ignore migrate command, you can also use in place of it.
bearer version
Print the version
bearer version [flags]Flags
| Name | Description | Default Value | Environment Variables | |
|---|---|---|---|---|
--api-key
|
Use your Bearer API Key to send the report to Bearer. | BEARER_API_KEY | ||
--config-file
|
Load configuration from the specified path. | bearer.yml | BEARER_CONFIG_FILE | |
--debug
|
Enable debug logs. Equivalent to --log-level=debug | false | BEARER_DEBUG | |
--disable-version-check
|
Disable Bearer version checking | false | BEARER_DISABLE_VERSION_CHECK | |
-h,
--help
|
help for version | false | ||
--ignore-file
|
Load ignore file from the specified path. | bearer.ignore | BEARER_IGNORE_FILE | |
--log-level
|
Set log level (error, info, debug, trace) | info | BEARER_LOG_LEVEL | |
--no-color
|
Disable color in output | false | BEARER_NO_COLOR |
Aliases
In addition to the primary bearer version command, you can also use in place of it.