From 1781ef1786a562a3b74691ea21bb22d77a7cad29 Mon Sep 17 00:00:00 2001 From: Philip Hayton Date: Thu, 7 Mar 2024 15:18:44 +0000 Subject: [PATCH] docs: remove references to cloud (#1528) * docs: remove references to cloud * fix: string output ordering causing test flake --- README.md | 4 - docs/_data/nav.js | 4 - docs/_src/_includes/layouts/doc.njk | 8 -- docs/docs.md | 3 - docs/guides/bearer-cloud.md | 121 ------------------ docs/guides/configure-scan.md | 11 -- docs/guides/integration-strategy.md | 4 - .../TestSkipRulesFlag-report-dataflow | 2 - internal/commands/process/settings/rules.go | 2 + .../security/.snapshots/TestBuildReportString | 2 - internal/report/output/security/security.go | 4 - 11 files changed, 2 insertions(+), 163 deletions(-) delete mode 100644 docs/guides/bearer-cloud.md diff --git a/README.md b/README.md index 81325571f..d488c1f1c 100644 --- a/README.md +++ b/README.md @@ -24,8 +24,6 @@ [![Test][test-img]][test] [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md) [![Discord](https://img.shields.io/discord/1042147477765242973?label=discord)][discord] - - ☁️ Ready to take the next step? [Learn more about Bearer Cloud](https://docs.bearer.com/guides/bearer-cloud/). ☁️ ## Developer friendly static code analysis for security and privacy @@ -53,8 +51,6 @@ Bearer CLI scans your source code for: * Data Protection Impact Assessment (DPIA). * Records of Processing Activities (RoPA) input for GDPR compliance reporting. -Bearer CLI also powers our SaaS solution, [Bearer Cloud](https://docs.bearer.com/guides/bearer-cloud/), allowing security teams to scale and monitor their application security program using the same engine. - ## :rocket: Getting started Discover your most critical security risks and vulnerabilities in only a few minutes. In this guide, you will install Bearer CLI, run a security scan on a local project, and view the results. Let's get started! 
diff --git a/docs/_data/nav.js b/docs/_data/nav.js index 853fad39d..5a7fc70ba 100644 --- a/docs/_data/nav.js +++ b/docs/_data/nav.js @@ -44,10 +44,6 @@ module.exports = [ name: "Shell completions", url: "/guides/shell-completion/", }, - { - name: "Using Bearer Cloud", - url: "/guides/bearer-cloud/", - }, ], }, { diff --git a/docs/_src/_includes/layouts/doc.njk b/docs/_src/_includes/layouts/doc.njk index 7cb376daf..66c5e1670 100644 --- a/docs/_src/_includes/layouts/doc.njk +++ b/docs/_src/_includes/layouts/doc.njk @@ -34,10 +34,6 @@ layout: layouts/base.njk {% include 'breadcrumbs.njk' %} {% endif %} {{ content | safe }} -
-

Ready to take the next step? Learn more about Bearer Cloud. -

-
\ No newline at end of file diff --git a/docs/docs.md b/docs/docs.md index 291c28bb3..55f3a4dac 100644 --- a/docs/docs.md +++ b/docs/docs.md @@ -4,8 +4,6 @@ layout: "layouts/doc" permalink: "/" --- -{% callout "info" %}Discover Bearer Cloud, our solution to manage product and application code security at scale.{% endcallout %} - # Bearer CLI Welcome to the Bearer CLI documentation. Bearer CLI is a static application security testing (SAST) tool that scans your source code and analyzes your data flows to discover, filter and prioritize security and privacy risks. @@ -52,7 +50,6 @@ Guides help you make the most of Bearer CLI so you can get up and running quickl - [Create custom rule](/guides/custom-rule/) - [Run a privacy report](/guides/privacy/) - [Run a data flow report](/guides/dataflow/) -- [Using Bearer Cloud](/guides/bearer-cloud/) - [Enable Completion Script](/guides/shell-completion) ## Explanations diff --git a/docs/guides/bearer-cloud.md b/docs/guides/bearer-cloud.md deleted file mode 100644 index ed97182e6..000000000 --- a/docs/guides/bearer-cloud.md +++ /dev/null 
@@ -1,121 +0,0 @@ ---- -title: Using Bearer Cloud ---- - -# Bearer Cloud - -If you're looking to manage product and application code security at scale, Bearer Cloud offers a platform for engineering and security teams that syncs with Bearer CLI's engine. - - - -[Learn more about Bearer Cloud](https://www.bearer.com/bearer-cloud). - -## Get started with Bearer Cloud - -We provide many options for you to configure Bearer Cloud with your projects, more information below. -![View Jira Ticket](/assets/img/cloud/setup.png) - -### GitHub App - -The easiest way to start with Bearer Cloud, is to use Bearer's GitHub App which allows you to configure your project in 1-click. - -Here is what happens behind the scenes: - -- A GitHub Action is automatically configured on your project, it will trigger scans on PR and on merge to your main branch. You can tweak the configuration however you want afterward. -- A Bearer Cloud API Key is generated and configured on your GitHub project so that scan results are securely sent to your Bearer Cloud Dashboard. - -The best part? Bearer does all this without ever having access to your source code beyond the _.github/workflows_ directory, where the GitHub Action is configured. - -In addition to a 1-click setup, **the GitHub App provides the best developer experience** thanks to the ability for them to ignore findings directly in the PR workflow, and for your Security team to review those in Bearer Cloud Dashboard. - -### GitHub Action - -Using the same setup process found in [the GitHub action guide](/guides/github-action/), configure the action to run `with` the `api-key` option. For example: - -{% yamlExample "ci/github/cloud" %} - -We highly recommend using GitHub's [encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets). In the example above, the secret is named `BEARER_TOKEN`. 
- -### GitLab CI/CD - -Set up the [GitLab CI/CD configuration](/guides/gitlab), then adjust your settings to include the `--api-key` flag with the `scan` command: - -{% yamlExample "ci/gitlab/cloud" %} - -We recommend using [GitLab's CI/CD variables](https://docs.gitlab.com/ee/ci/variables/) to protect your token. In the example above, the variable is named `BEARER_TOKEN`. - -#### Enhanced Integration - -Once the above is configured and your first scan is complete, visit the integrations section to configure our direct GitLab integration. This gives developers the ability to ignore findings directly in the MR workflow, and for your Security team to review those in the Bearer Cloud Dashboard. Setup is done per project with the following steps: - -- Create an access token with the ‘api’ scope and ‘maintainer’ role. We recommend using a [project access token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html). -- Enter the details for your desired project. -- Behind the scenes, we validate the token and automatically create and configure a webhook to capture MR events. -- Open an MR and see bearer findings directly in the comments! - -### Local projects - -Use the `--api-key` flag with the `scan` command: - -```bash -bearer scan project-folder --api-key=XXXXXXXX -``` - -## Import your projects - -Bearer Cloud automatically captures any scans run with a valid `api-key`. Subsequent scans of the same project will update the existing project entry in the Bearer Cloud dashboard. - -![Cloud dashboard](/assets/img/cloud-dashboard.jpg) - -### Ignored findings in Bearer Cloud - -When a valid `api-key` is present, the very first scan of a project reads ignored fingerprints from the ignore file and subsequently creates ignored findings for these in the Cloud, including status and comments (if present). 
A finding has "False Positive" status in the Cloud if its corresponding ignore file entry is a false positive (`false_positive: true`); otherwise, it has the status "Allowed". - -After the initial scan, the Cloud is taken as the source of truth for ignored fingerprints. If there are new entries added to the ignore file, in most cases, these are sent to the Cloud on subsequent scans, and the corresponding Cloud findings are updated to "False Positive" or "Allowed" status accordingly. - -However, it is important to note that the Cloud state is always prioritized over the contents of the ignore file. If a finding is already ignored in the Cloud, and then added to the ignore file, its Cloud status and comments are unchanged by subsequent scans. Similarly, if an ignored finding is re-opened in the Cloud, and then added to the ignore file, its Cloud status remains "Open". That is, re-opened findings can only be re-ignored again from the Cloud. - -Furthermore, if an ignored finding is later re-opened in the Cloud, any corresponding ignore entry is not automatically removed. Over time, then, the ignore file may become out-of-sync with the Cloud state. To remedy this, and align the ignore file with what is in the Cloud, use the following action: - -```bash -bearer ignore pull project-folder --api-key=XXXXXXXX -``` - -This action overwrites the current ignore file (including any new additions not yet sent to the Cloud) with all ignored findings from the Cloud, including status, comments, and author information. - -## Jira integration - -The Jira integration is available on the _Settings > Integrations_ page. - -To use the integration, you must connect a Jira account and allow access to the required permissions through the OAuth login. - -Following your company's best practices, you can provide access to an existing account or set up a new user in Jira specifically for this integration. 
Whichever option you choose, make sure the account has the access permissions required to create and update tickets in the projects you want to. - -You have two ways to use the Jira Integration: - -1. Creating a Jira Ticket directly from a finding. - ![Create Jira Ticket](/assets/img/jira-integration/create.png) - -2. Link a finding to an existing Jira ticket. - ![Link Jira Ticket](/assets/img/jira-integration/link.png) - -Once a finding is associated with a Jira ticket, you can quickly see it in the interface, view the ticket status and go to the ticket. - -![View Jira Ticket](/assets/img/jira-integration/view.png) - -{% callout "warn" %} -Findings on Bearer Cloud are only marked resolved when the associated code is fixed. If the associated Jira ticket is closed, but no code fix has been applied, the finding will stay open. The source of truth is always the code. -{% endcallout %} - -## Slack integration - -The Slack integration is available on the _Settings > Integrations_ page. - -To use the integration, you must connect a Slack account and allow access to the required permissions through the OAuth login, then select a default channel where you want to receive notifications on new findings. - -Below an example of a Slack notification triggered by a new finding: -![Slack notification](/assets/img/slack-integration/notification.png) - -## Need help? - -Get in touch with our team directly on [Discord](https://discord.com/invite/eaHZBJUXRF) or [book a demo](https://www.bearer.com/demo) with one of our engineer. diff --git a/docs/guides/configure-scan.md b/docs/guides/configure-scan.md index b117aabed..c29dce9ed 100644 --- a/docs/guides/configure-scan.md +++ b/docs/guides/configure-scan.md @@ -69,9 +69,6 @@ bearer ignore add 4b0883d52334dfd9a4acce2fcf810121_0 \ --false-positive ``` -
-{% callout "info" %} If you're looking for more options when it comes to managing findings, take a look at Bearer Cloud. For ignored findings in particular, see Ignored findings in Bearer Cloud. {% endcallout %} - ## Skip or ignore specific rules Sometimes you want to ignore one or more rules, either for the entire scan or for individual blocks of code. Rules are identified by their id, for example: `ruby_lang_exception`. @@ -199,14 +196,6 @@ Run the commands together, replacing the scan location and the output path to ma bearer scan . --format html --output path/to/security-scan.html ``` -## Send report to Bearer Cloud - -If you're looking to manage product and application code security at scale, [Bearer Cloud](https://www.bearer.com/bearer-cloud) offers a platform for teams that syncs with Bearer CLI's output. - -Learn how to [send your report](/guides/bearer-cloud) to Bearer Cloud. - -![Cloud dashboard](/assets/img/cloud-dashboard.jpg) - ## Next steps For more ways to make the most of our Bearer CLI, check out the [commands reference](/reference/commands/). Need additional help? [Open an issue]({{meta.links.issues}}) or join our [Discord community]({{meta.links.discord}}). diff --git a/docs/guides/integration-strategy.md b/docs/guides/integration-strategy.md index 74d7c4ab7..1fcde2253 100644 --- a/docs/guides/integration-strategy.md +++ b/docs/guides/integration-strategy.md 
@@ -55,10 +55,6 @@ Here is our recommended strategy: - Postpone handling them for now, but note that they will appear on future scans. - Ignore them using the `bearer ignore` command, categorizing them as _allowed_ and providing a comment explaining why. -{% callout "info" %} -If you have many findings and need assistance from your team to triage and remediate them, consider using Bearer Cloud, a UI interface that complements Bearer CLI for faster resolution. -{% endcallout %} - ## Step 3: Minimize new issues from being introduced To prevent the introduction of new issues in your codebase, it is crucial to identify and address them before developers merge their code into the main branch, as part of your CI. diff --git a/e2e/flags/.snapshots/TestSkipRulesFlag-report-dataflow b/e2e/flags/.snapshots/TestSkipRulesFlag-report-dataflow index 5dad86091..257ca0efe 100644 --- a/e2e/flags/.snapshots/TestSkipRulesFlag-report-dataflow +++ b/e2e/flags/.snapshots/TestSkipRulesFlag-report-dataflow @@ -27,8 +27,6 @@ WARNING: 0 Need help or want to discuss the output? Join the Community https://discord.gg/eaHZBJUXRF -Retain state and manage your findings directly on Bearer Cloud. Learn more at https://docs.bearer.com/guides/bearer-cloud/ - -- Analyzing codebase diff --git a/internal/commands/process/settings/rules.go b/internal/commands/process/settings/rules.go index 4fa80fe20..fdbd27974 100644 --- a/internal/commands/process/settings/rules.go +++ b/internal/commands/process/settings/rules.go @@ -5,6 +5,7 @@ import ( "io/fs" "os" "path/filepath" + "sort" "strings" "github.com/rs/zerolog/log" @@ -336,6 +337,7 @@ func validateRuleOptionIDs( } if len(invalidSkipRuleIDs) > 0 { + sort.Strings(invalidSkipRuleIDs) output.StdErrLog(fmt.Sprintf("Warning: rule IDs %s given to be skipped but were not found", strings.Join(invalidSkipRuleIDs, ","))) } if len(invalidRuleIDs) > 0 { 
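Review bot: The parallel branch that begins on the hunk's last line, `if len(invalidRuleIDs) > 0 {`, is left unsorted, so if it joins `invalidRuleIDs` into a warning the same way the skipped-rule branch does, the ordering flake this commit fixes would still be present there; adding `sort.Strings(invalidRuleIDs)` as that branch's first statement keeps both warnings deterministic. The body of that branch and the rest of validateRuleOptionIDs lie outside the hunk, so this is inferred from the visible shape only. A short why-comment above the new call would also help, since sorting a warning list looks incidental out of context: `// sort so the warning text is deterministic; tests snapshot this output` (the commit message is the source for the snapshot/flake claim). Note that the IDs are user-supplied and only echoed to stderr here, so no escaping concern, but if the same list is ever written to a structured report it should be emitted as separate fields rather than a comma-joined string.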
diff --git a/internal/report/output/security/.snapshots/TestBuildReportString b/internal/report/output/security/.snapshots/TestBuildReportString index 15a1ada04..6b96a1d94 100644 --- a/internal/report/output/security/.snapshots/TestBuildReportString +++ b/internal/report/output/security/.snapshots/TestBuildReportString @@ -37,5 +37,3 @@ WARNING: 0 Need help or want to discuss the output? Join the Community https://discord.gg/eaHZBJUXRF -Retain state and manage your findings directly on Bearer Cloud. Learn more at https://docs.bearer.com/guides/bearer-cloud/ - diff --git a/internal/report/output/security/security.go b/internal/report/output/security/security.go index 698ef8bc3..ddb0359eb 100644 --- a/internal/report/output/security/security.go +++ b/internal/report/output/security/security.go @@ -455,10 +455,6 @@ func BuildReportString(reportData *outputtypes.ReportData, config settings.Confi reportStr.WriteString("\nNeed help or want to discuss the output? Join the Community https://discord.gg/eaHZBJUXRF\n") - if config.Client == nil { - reportStr.WriteString("\nRetain state and manage your findings directly on Bearer Cloud. Learn more at https://docs.bearer.com/guides/bearer-cloud/\n") - } - color.NoColor = initialColorSetting return reportStr