Configuring Bearer CLI

Configuration of Bearer CLI can be done with flags on the scan command, or by using a bearer.yml file in the project directory.

To initialize the config file, run the following from your project directory:

bearer init

This creates a config file in your current directory. Below is an annotated version of that file.

# Report settings
# Specify report format (json, yaml, sarif, gitlab-sast)
format: ""
# Specify the output path for the report.
output: ""
# Specify the type of report (security, privacy, dataflow).
report: security
# Specify which severities are included in the report as a comma separated string
severity: "critical,high,medium,low,warning"
# Rule settings
# Disable all default rules by setting this value to true.
disable-default-rules: false
# Specify the comma-separated ids of the rules you would like to run;
# skips all other rules.
only-rule: []
# Specify the comma-separated ids of the rules you would like to skip;
# runs all other rules.
skip-rule: []
# Scan settings
# Specify the type of scanner (sast, secrets).
- sast
- secrets
# Expand context of schema classification
# For example, "health" will include data types particular to health
context: ""
# Override default data subject mapping by providing a path to a custom mapping JSON file
data-subject-mapping: ""
# Enable debug logs
debug: false
# Do not attempt to resolve detected domains during classification.
disable-domain-resolution: true
# Set timeout when attempting to resolve detected domains during classification.
domain-resolution-timeout: 3s
# Specify directories paths that contain yaml files with external rules configuration.
external-rule-dir: []
# Disable the cache and runs the detections again every time scan runs.
force: false
# Define regular expressions for better classification of private or unreachable domains
# e.g., ".*,"
internal-domains: []
# Suppress non-essential messages
quiet: false
# Specify the comma separated files and directories to skip. Supports * syntax.
skip-path: []

Utilizing a custom config

By default, Bearer CLI will look for a bearer.yml file in the project directory where the scan is run. Alternatively, you can use the --config-file flag with the scan command to reference a config file that is outside the project directory.