docs(ci): move to using stand alone ci examples (#1371)

Bearer · Nov 6, 2023 · 7483fc3 · 7483fc3
1 parent 48da815
commit 7483fc3
Show file tree

Hide file tree

Showing 24 changed files with 364 additions and 427 deletions.
diff --git a/docs/.eleventy.js b/docs/.eleventy.js
@@ -12,7 +12,9 @@ const markdownItAnchor = require("markdown-it-anchor")
 const pluginTOC = require("eleventy-plugin-toc")
 const now = String(Date.now())
 const path = require("path")
+const fs = require("fs")
 const mermaid = require("./_src/_plugins/mermaid")
+const nav = require("./_data/nav")
 
 const mdSetup = markdownIt({ html: true })
   .use(markdownItEmoji)
@@ -48,6 +50,35 @@ module.exports = function (eleventyConfig) {
   eleventyConfig.addShortcode("version", function () {
     return now
   })
+  eleventyConfig.addShortcode("sectionLinks", function (sectionName) {
+    const section = nav.find(item => item.name == sectionName)
+    let out = ""
+    if(section){
+      section.items.forEach(item => {
+        out += `- [${item.name}](${item.url})\n`
+      })
+    }
+
+    return out
+  })
+
+  // {% yamlExample "ci/gitlab/basic" %}
+  eleventyConfig.addShortcode('yamlExample', function (exampleName) {
+    const example = fs.readFileSync(`./_data/examples/${exampleName}.yaml`, 'utf8')
+    return '```yaml\n' + example + '\n```';
+  });
+
+  eleventyConfig.addShortcode('githubAction', function(data){
+    out = "| Option | Description | Default |\n"
+    out += "| - | - | - |\n"
+    Object.keys(data).sort().forEach(key => {
+      const item = data[key]
+      const default_val = item.default ? "`"+item.default+"`" : ""
+      out += `| **${key}** | ${item.description} | ${default_val} |\n`
+    });
+    return out
+  })
+
   eleventyConfig.setLibrary("md", mdSetup)
   eleventyConfig.addPlugin(EleventyHtmlBasePlugin, {
     baseHref: "/",

diff --git a/docs/_data/examples/ci/circleci/basic.yaml b/docs/_data/examples/ci/circleci/basic.yaml
@@ -0,0 +1,18 @@
+version: 2.1
+
+jobs:
+  bearer:
+    machine:
+      image: ubuntu-2204:2023.07.2
+    environment:
+      # Set to default branch of your repo
+      DEFAULT_BRANCH: main
+    steps:
+      - checkout
+      - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp
+      - run: CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan .
+
+workflows:
+  test:
+    jobs:
+      - bearer
diff --git a/docs/_data/examples/ci/circleci/reviewdog.yaml b/docs/_data/examples/ci/circleci/reviewdog.yaml
@@ -0,0 +1,29 @@
+version: 2.1
+
+jobs:
+  bearer:
+    machine:
+      image: ubuntu-2204:2023.07.2
+    environment:
+      # Set to default branch of your repo
+      DEFAULT_BRANCH: main
+    steps:
+      - checkout
+      - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp
+      - run: curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /tmp
+      - run: |
+          CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan . --format=rdjson --output=rd.json || export BEARER_EXIT=$?
+          cat rd.json | REVIEWDOG_GITHUB_API_TOKEN=$GITHUB_TOKEN /tmp/reviewdog -f=rdjson -reporter=github-pr-review
+          exit $BEARER_EXIT
+
+workflows:
+  test:
+    jobs:
+      - bearer:
+          filters:
+            branches:
+              # No need to run a check on default branch
+              ignore: main
+          context:
+            - bearer
+            # make sure to set GITHUB_TOKEN in your context
diff --git a/docs/_data/examples/ci/github/basic-with-options.yaml b/docs/_data/examples/ci/github/basic-with-options.yaml
@@ -0,0 +1,21 @@
+name: Bearer
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  rule_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Bearer
+        uses: bearer/bearer-action@v2
+        with:
+          config-file: '/some/path/bearer.yml'
+          only-rule: 'ruby_lang_cookies,ruby_lang_http_post_insecure_with_data'
+          skip-path: 'users/*.go,users/admin.sql'
diff --git a/docs/_data/examples/ci/github/basic.yaml b/docs/_data/examples/ci/github/basic.yaml
@@ -0,0 +1,17 @@
+name: Bearer
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  rule_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Bearer
+        uses: bearer/bearer-action@v2
diff --git a/docs/_data/examples/ci/github/cloud.yaml b/docs/_data/examples/ci/github/cloud.yaml
@@ -0,0 +1,17 @@
+name: Bearer
+on:
+  push:
+    branches:
+      - main
+permissions:
+  contents: read
+jobs:
+  rule_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run Report
+        id: report
+        uses: bearer/bearer-action@v2
+        with:
+          api-key: ${{ secrets.BEARER_TOKEN }}
diff --git a/docs/_data/examples/ci/github/defect-dojo.yaml b/docs/_data/examples/ci/github/defect-dojo.yaml
@@ -0,0 +1,29 @@
+name: Bearer Defect Dojo
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  rule_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run Report
+        id: report
+        uses: bearer/bearer-action@v2
+        with:
+          format: gitlab-sast
+          output: gl-sast-report.json
+      - name: Defect Dojo
+        if: always()
+        env:
+          DD_TOKEN: ${{ secrets.DD_TOKEN}}
+          DD_APP: ${{ secrets.DD_APP}}
+          DD_ENGAGEMENT: ${{ secrets.DD_ENGAGEMENT}}
+        run: |
+          curl -X POST -F "[email protected]" -F "product_name=$DD_APP" -F "engagement_name=$DD_ENGAGEMENT" -F "scan_type=GitLab SAST Report" -H "Authorization: Token $DD_TOKEN" http://example.com/api/v2/import-scan/
diff --git a/docs/_data/examples/ci/github/diff-reviewdog.yaml b/docs/_data/examples/ci/github/diff-reviewdog.yaml
@@ -0,0 +1,30 @@
+name: Bearer PR Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  rule_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: reviewdog/action-setup@v1
+        with:
+          reviewdog_version: latest
+      - name: Bearer
+        uses: bearer/bearer-action@v2
+        with:
+          format: rdjson
+          output: rd.json
+          diff: true
+      - name: Run reviewdog
+        if: always()
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review
diff --git a/docs/_data/examples/ci/github/diff.yaml b/docs/_data/examples/ci/github/diff.yaml
@@ -0,0 +1,18 @@
+name: Bearer PR Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+
+jobs:
+  rule_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Bearer
+        uses: bearer/bearer-action@v2
+        with:
+          diff: true
diff --git a/docs/_data/examples/ci/github/sarif.yaml b/docs/_data/examples/ci/github/sarif.yaml
@@ -0,0 +1,25 @@
+name: Bearer
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  rule_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Bearer
+        uses: bearer/bearer-action@v2
+        with:
+          format: sarif
+          output: results.sarif
+      - name: Upload SARIF file
+        if: always()
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif
diff --git a/docs/_data/examples/ci/gitlab/basic.yaml b/docs/_data/examples/ci/gitlab/basic.yaml
@@ -0,0 +1,5 @@
+bearer:
+  image:
+    name: bearer/bearer
+    entrypoint: [ "" ]
+  script: bearer scan .
diff --git a/docs/_data/examples/ci/gitlab/cloud.yaml b/docs/_data/examples/ci/gitlab/cloud.yaml
@@ -0,0 +1,5 @@
+bearer:
+  image:
+    name: bearer/bearer
+    entrypoint: [ "" ]
+  script: bearer scan . --api-key=$BEARER_TOKEN
diff --git a/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml b/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml
@@ -0,0 +1,10 @@
+bearer_mr:
+  variables:
+    DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
+    DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA
+  script:
+    - curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+    - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /usr/local/bin
+    - bearer scan . --format=rdjson --output=rd.json || export BEARER_EXIT=$?
+    - cat rd.json | reviewdog -f=rdjson -reporter=gitlab-mr-discussion
+    - exit $BEARER_EXIT
diff --git a/docs/_data/examples/ci/gitlab/diff.yaml b/docs/_data/examples/ci/gitlab/diff.yaml
@@ -0,0 +1,8 @@
+bearer_mr:
+  image:
+    name: bearer/bearer
+    entrypoint: [ "" ]
+  variables:
+    DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
+    DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA
+  script: bearer scan .
diff --git a/docs/_data/examples/ci/gitlab/sast.yaml b/docs/_data/examples/ci/gitlab/sast.yaml
@@ -0,0 +1,9 @@
+bearer:
+  image:
+    name: bearer/bearer
+    entrypoint: [ "" ]
+  script:
+    - bearer scan . --format gitlab-sast --output gl-sast-report.json
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
diff --git a/docs/_data/meta.js b/docs/_data/meta.js
@@ -9,5 +9,6 @@ module.exports = {
   links: {
     discord: "https://discord.gg/eaHZBJUXRF",
     issues: "https://github.com/Bearer/bearer/issues",
+    action: "https://github.com/marketplace/actions/bearer-action"
   },
 };
diff --git a/docs/explanations/index.md b/docs/explanations/index.md
@@ -6,8 +6,4 @@ title: Explanations
 
 Explanations dive into the rational behind Bearer CLI and explain some of its heavier concepts.
 
-- [How Bearer CLI works](/explanations/workflow/)
-- [Sensitive data flow](/explanations/discovery-and-classification/)
-- [Report types](/explanations/reports/)
-- [Scanner Types](/explanations/scanners/)
-- [Dynamic Severity Levels](/explanations/severity/)
+{% sectionLinks "Explanations" %}
diff --git a/docs/guides/bearer-cloud.md b/docs/guides/bearer-cloud.md
@@ -49,46 +49,15 @@ bearer scan project-folder --api-key=XXXXXXXX
 
 Using the same setup process found in [the GitHub action guide](/guides/github-action/), configure the action to run `with` the `api-key` option. For example:
 
-```yaml
-# .github/workflows/bearer.yml
-name: Bearer
-on:
-  push:
-    branches:
-      - main
-permissions:
-  contents: read
-jobs:
-  rule_check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Run Report
-        id: report
-        uses: bearer/bearer-action@v2
-        with:
-          api-key: {% raw %}${{ secrets.BEARER_TOKEN }}{% endraw %}
-```
+{% yamlExample "ci/github/cloud" %}
 
 We highly recommend using GitHub's [encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets). In the example above, the secret is named `BEARER_TOKEN`.
 
 ### GitLab CI/CD
 
 Set up the [GitLab CI/CD configuration](/guides/gitlab), then adjust your settings to include the `--api-key` flag with the `scan` command:
 
-```yaml
-# .gitlab-ci.yml
-bearer:
-  image:
-    name: bearer/bearer
-    entrypoint: [ "" ]
-  variables:
-    SHA: $CI_COMMIT_SHA
-    CURRENT_BRANCH: $CI_COMMIT_REF_NAME
-    DEFAULT_BRANCH: $CI_DEFAULT_BRANCH
-    ORIGIN_URL: $CI_REPOSITORY_URL
-  script: bearer scan . --api-key=$BEARER_TOKEN
-```
+{% yamlExample "ci/gitlab/cloud" %}
 
 We recommend using [GitLab's CI/CD variables](https://docs.gitlab.com/ee/ci/variables/) to protect your token. In the example above, the variable is named `BEARER_TOKEN`.