diff --git a/docs/.eleventy.js b/docs/.eleventy.js
index 42c62bba7..1553593ff 100644
--- a/docs/.eleventy.js
+++ b/docs/.eleventy.js
@@ -12,7 +12,9 @@ const markdownItAnchor = require("markdown-it-anchor")
 const pluginTOC = require("eleventy-plugin-toc")
 const now = String(Date.now())
 const path = require("path")
+const fs = require("fs")
 const mermaid = require("./_src/_plugins/mermaid")
+const nav = require("./_data/nav")
 const mdSetup = markdownIt({ html: true })
 .use(markdownItEmoji)
@@ -48,6 +50,35 @@ module.exports = function (eleventyConfig) {
 eleventyConfig.addShortcode("version", function () {
 return now
 })
+ eleventyConfig.addShortcode("sectionLinks", function (sectionName) {
+ const section = nav.find(item => item.name == sectionName)
+ let out = ""
+ if(section){
+ section.items.forEach(item => {
+ out += `- [${item.name}](${item.url})\n`
+ })
+ }
+
+ return out
+ })
+
+ // {% yamlExample "ci/gitlab/basic" %}
+ eleventyConfig.addShortcode('yamlExample', function (exampleName) {
+ const example = fs.readFileSync(`./_data/examples/${exampleName}.yaml`, 'utf8')
+ return '```yaml\n' + example + '\n```';
+ });
+
+ eleventyConfig.addShortcode('githubAction', function(data){
+ out = "| Option | Description | Default |\n"
+ out += "| - | - | - |\n"
+ Object.keys(data).sort().forEach(key => {
+ const item = data[key]
+ const default_val = item.default ? "`"+item.default+"`" : ""
+ out += `| **${key}** | ${item.description} | ${default_val} |\n`
+ });
+ return out
+ })
+
 eleventyConfig.setLibrary("md", mdSetup)
 eleventyConfig.addPlugin(EleventyHtmlBasePlugin, {
 baseHref: "/",
diff --git a/docs/_data/examples/ci/circleci/basic.yaml b/docs/_data/examples/ci/circleci/basic.yaml
new file mode 100644
index 000000000..efeeb001a
--- /dev/null
+++ b/docs/_data/examples/ci/circleci/basic.yaml
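Review bot: In the `githubAction` shortcode the first line `out = "| Option | Description | Default |\n"` assigns to a variable that is never declared, which creates an implicit global (or a ReferenceError if this file is ever run in strict mode) and lets concurrent renders share one buffer; it should be `let out = "| Option | Description | Default |\n"`, as the `sectionLinks` shortcode in the same hunk already does. `sectionLinks` uses `item.name == sectionName` and returns an empty string when no section matches, so a misspelled section name in a template silently renders nothing — `===` plus throwing an Error would surface the typo at build time. `yamlExample` resolves `./_data/examples/${exampleName}.yaml` against the process working directory rather than the config file's location; since `path` is already required, building the path from `__dirname` would keep the build independent of where eleventy is invoked. Both new shortcodes interpolate `item.description` and the example file verbatim into Markdown, which is acceptable for the repository's own data but means a `|` in a description or a triple-backtick line in an example would break the table or fence. The enclosing `module.exports = function (eleventyConfig)` begins before this hunk.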
@@ -0,0 +1,18 @@ +version: 2.1 + +jobs: + bearer: + machine: + image: ubuntu-2204:2023.07.2 + environment: + # Set to default branch of your repo + DEFAULT_BRANCH: main + steps: + - checkout + - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp + - run: CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan . + +workflows: + test: + jobs: + - bearer \ No newline at end of file diff --git a/docs/_data/examples/ci/circleci/reviewdog.yaml b/docs/_data/examples/ci/circleci/reviewdog.yaml new file mode 100644 index 000000000..174d9a840 --- /dev/null +++ b/docs/_data/examples/ci/circleci/reviewdog.yaml @@ -0,0 +1,29 @@ +version: 2.1 + +jobs: + bearer: + machine: + image: ubuntu-2204:2023.07.2 + environment: + # Set to default branch of your repo + DEFAULT_BRANCH: main + steps: + - checkout + - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp + - run: curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /tmp + - run: | + CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan . --format=rdjson --output=rd.json || export BEARER_EXIT=$? + cat rd.json | REVIEWDOG_GITHUB_API_TOKEN=$GITHUB_TOKEN /tmp/reviewdog -f=rdjson -reporter=github-pr-review + exit $BEARER_EXIT + +workflows: + test: + jobs: + - bearer: + filters: + branches: + # No need to run a check on default branch + ignore: main + context: + - bearer + # make sure to set GITHUB_TOKEN in your context \ No newline at end of file diff --git a/docs/_data/examples/ci/github/basic-with-options.yaml b/docs/_data/examples/ci/github/basic-with-options.yaml new file mode 100644 index 000000000..ec2b4ff7a --- /dev/null +++ b/docs/_data/examples/ci/github/basic-with-options.yaml 
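Review bot: The step `- run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp` executes whatever the mutable `main` branch serves at the moment the job runs, with no release pin or checksum, so the pipeline's trust anchor is a branch rather than a released artifact; the same pattern appears twice in the `ci/circleci/reviewdog.yaml` hunk on this line (the reviewdog installer is likewise fetched from `master`) and in the `ci/gitlab/diff-reviewdog.yaml` hunk later in the diff. Because these files are rendered verbatim into the guides, readers will copy the unpinned form. Pinning the installer and the installed binary to a specific release, or verifying a published checksum before the script is piped to `sh`, would make the examples reproducible and auditable.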
@@ -0,0 +1,21 @@ +name: Bearer + +on: + push: + branches: + - main + +permissions: + contents: read + +jobs: + rule_check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Bearer + uses: bearer/bearer-action@v2 + with: + config-file: '/some/path/bearer.yml' + only-rule: 'ruby_lang_cookies,ruby_lang_http_post_insecure_with_data' + skip-path: 'users/*.go,users/admin.sql' \ No newline at end of file diff --git a/docs/_data/examples/ci/github/basic.yaml b/docs/_data/examples/ci/github/basic.yaml new file mode 100644 index 000000000..6650a4cda --- /dev/null +++ b/docs/_data/examples/ci/github/basic.yaml @@ -0,0 +1,17 @@ +name: Bearer + +on: + push: + branches: + - main + +permissions: + contents: read + +jobs: + rule_check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Bearer + uses: bearer/bearer-action@v2 \ No newline at end of file diff --git a/docs/_data/examples/ci/github/cloud.yaml b/docs/_data/examples/ci/github/cloud.yaml new file mode 100644 index 000000000..7016b9110 --- /dev/null +++ b/docs/_data/examples/ci/github/cloud.yaml @@ -0,0 +1,17 @@ +name: Bearer +on: + push: + branches: + - main +permissions: + contents: read +jobs: + rule_check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Report + id: report + uses: bearer/bearer-action@v2 + with: + api-key: ${{ secrets.BEARER_TOKEN }} \ No newline at end of file diff --git a/docs/_data/examples/ci/github/defect-dojo.yaml b/docs/_data/examples/ci/github/defect-dojo.yaml new file mode 100644 index 000000000..db5902dd9 --- /dev/null +++ b/docs/_data/examples/ci/github/defect-dojo.yaml 
@@ -0,0 +1,29 @@ +name: Bearer Defect Dojo + +on: + push: + branches: + - main + +permissions: + contents: read + +jobs: + rule_check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Report + id: report + uses: bearer/bearer-action@v2 + with: + format: gitlab-sast + output: gl-sast-report.json + - name: Defect Dojo + if: always() + env: + DD_TOKEN: ${{ secrets.DD_TOKEN}} + DD_APP: ${{ secrets.DD_APP}} + DD_ENGAGEMENT: ${{ secrets.DD_ENGAGEMENT}} + run: | + curl -X POST -F "file=@gl-sast-report.json" -F "product_name=$DD_APP" -F "engagement_name=$DD_ENGAGEMENT" -F "scan_type=GitLab SAST Report" -H "Authorization: Token $DD_TOKEN" http://example.com/api/v2/import-scan/ \ No newline at end of file diff --git a/docs/_data/examples/ci/github/diff-reviewdog.yaml b/docs/_data/examples/ci/github/diff-reviewdog.yaml new file mode 100644 index 000000000..345567e51 --- /dev/null +++ b/docs/_data/examples/ci/github/diff-reviewdog.yaml @@ -0,0 +1,30 @@ +name: Bearer PR Check + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: read + pull-requests: write + +jobs: + rule_check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: reviewdog/action-setup@v1 + with: + reviewdog_version: latest + - name: Bearer + uses: bearer/bearer-action@v2 + with: + format: rdjson + output: rd.json + diff: true + - name: Run reviewdog + if: always() + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review \ No newline at end of file diff --git a/docs/_data/examples/ci/github/diff.yaml b/docs/_data/examples/ci/github/diff.yaml new file mode 100644 index 000000000..c1e91c4a8 --- /dev/null +++ b/docs/_data/examples/ci/github/diff.yaml 
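Review bot: The Defect Dojo step sends `-H "Authorization: Token $DD_TOKEN"` together with the SAST report to `http://example.com/api/v2/import-scan/`, so anyone who copies the example and only replaces the host will transmit the API token in cleartext; the placeholder should be `https://example.com/api/v2/import-scan/`. Since the step runs under `if: always()`, a rejected import currently still passes the job — adding `--fail` to the curl would make a failed upload visible instead of silent.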
@@ -0,0 +1,18 @@ +name: Bearer PR Check + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: read + +jobs: + rule_check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Bearer + uses: bearer/bearer-action@v2 + with: + diff: true \ No newline at end of file diff --git a/docs/_data/examples/ci/github/sarif.yaml b/docs/_data/examples/ci/github/sarif.yaml new file mode 100644 index 000000000..5497265d4 --- /dev/null +++ b/docs/_data/examples/ci/github/sarif.yaml @@ -0,0 +1,25 @@ +name: Bearer + +on: + push: + branches: + - main + +permissions: + contents: read + +jobs: + rule_check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Bearer + uses: bearer/bearer-action@v2 + with: + format: sarif + output: results.sarif + - name: Upload SARIF file + if: always() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/docs/_data/examples/ci/gitlab/basic.yaml b/docs/_data/examples/ci/gitlab/basic.yaml new file mode 100644 index 000000000..20c333d26 --- /dev/null +++ b/docs/_data/examples/ci/gitlab/basic.yaml @@ -0,0 +1,5 @@ +bearer: + image: + name: bearer/bearer + entrypoint: [ "" ] + script: bearer scan . diff --git a/docs/_data/examples/ci/gitlab/cloud.yaml b/docs/_data/examples/ci/gitlab/cloud.yaml new file mode 100644 index 000000000..650e6f091 --- /dev/null +++ b/docs/_data/examples/ci/gitlab/cloud.yaml @@ -0,0 +1,5 @@ +bearer: + image: + name: bearer/bearer + entrypoint: [ "" ] + script: bearer scan . --api-key=$BEARER_TOKEN \ No newline at end of file diff --git a/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml b/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml new file mode 100644 index 000000000..1cf87b309 --- /dev/null +++ b/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml 
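Review bot: In the `ci/gitlab/cloud.yaml` hunk the token is passed on the command line as `script: bearer scan . --api-key=$BEARER_TOKEN`, and GitLab echoes each script line into the job log, so the expanded value is exposed unless the variable is defined as masked; the surrounding guide text recommends CI/CD variables but the example itself carries no hint of that. A one-line comment above the script, such as `# define BEARER_TOKEN as a masked (and ideally protected) CI/CD variable`, would keep the example self-describing when it is rendered on its own.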
@@ -0,0 +1,10 @@ +bearer_mr: + variables: + DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME + DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA + script: + - curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /usr/local/bin + - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /usr/local/bin + - bearer scan . --format=rdjson --output=rd.json || export BEARER_EXIT=$? + - cat rd.json | reviewdog -f=rdjson -reporter=gitlab-mr-discussion + - exit $BEARER_EXIT \ No newline at end of file diff --git a/docs/_data/examples/ci/gitlab/diff.yaml b/docs/_data/examples/ci/gitlab/diff.yaml new file mode 100644 index 000000000..1c95d02b4 --- /dev/null +++ b/docs/_data/examples/ci/gitlab/diff.yaml @@ -0,0 +1,8 @@ +bearer_mr: + image: + name: bearer/bearer + entrypoint: [ "" ] + variables: + DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME + DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA + script: bearer scan . \ No newline at end of file diff --git a/docs/_data/examples/ci/gitlab/sast.yaml b/docs/_data/examples/ci/gitlab/sast.yaml new file mode 100644 index 000000000..2595d627c --- /dev/null +++ b/docs/_data/examples/ci/gitlab/sast.yaml @@ -0,0 +1,9 @@ +bearer: + image: + name: bearer/bearer + entrypoint: [ "" ] + script: + - bearer scan . --format gitlab-sast --output gl-sast-report.json + artifacts: + reports: + sast: gl-sast-report.json \ No newline at end of file diff --git a/docs/_data/meta.js b/docs/_data/meta.js index 91b2bdb31..b968f8aa7 100644 --- a/docs/_data/meta.js +++ b/docs/_data/meta.js @@ -9,5 +9,6 @@ module.exports = { links: { discord: "https://discord.gg/eaHZBJUXRF", issues: "https://github.com/Bearer/bearer/issues", + action: "https://github.com/marketplace/actions/bearer-action" }, }; diff --git a/docs/explanations/index.md b/docs/explanations/index.md index d6140f58d..6c121b6a4 100644 --- a/docs/explanations/index.md +++ b/docs/explanations/index.md 
@@ -6,8 +6,4 @@ title: Explanations Explanations dive into the rational behind Bearer CLI and explain some of its heavier concepts. -- [How Bearer CLI works](/explanations/workflow/) -- [Sensitive data flow](/explanations/discovery-and-classification/) -- [Report types](/explanations/reports/) -- [Scanner Types](/explanations/scanners/) -- [Dynamic Severity Levels](/explanations/severity/) \ No newline at end of file +{% sectionLinks "Explanations" %} \ No newline at end of file diff --git a/docs/guides/bearer-cloud.md b/docs/guides/bearer-cloud.md index b72b703da..dc98f6041 100644 --- a/docs/guides/bearer-cloud.md +++ b/docs/guides/bearer-cloud.md @@ -49,26 +49,7 @@ bearer scan project-folder --api-key=XXXXXXXX Using the same setup process found in [the GitHub action guide](/guides/github-action/), configure the action to run `with` the `api-key` option. For example: -```yaml -# .github/workflows/bearer.yml -name: Bearer -on: - push: - branches: - - main -permissions: - contents: read -jobs: - rule_check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Run Report - id: report - uses: bearer/bearer-action@v2 - with: - api-key: {% raw %}${{ secrets.BEARER_TOKEN }}{% endraw %} -``` +{% yamlExample "ci/github/cloud" %} We highly recommend using GitHub's [encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets). In the example above, the secret is named `BEARER_TOKEN`. 
@@ -76,19 +57,7 @@ We highly recommend using GitHub's [encrypted secrets](https://docs.github.com/e Set up the [GitLab CI/CD configuration](/guides/gitlab), then adjust your settings to include the `--api-key` flag with the `scan` command: -```yaml -# .gitlab-ci.yml -bearer: - image: - name: bearer/bearer - entrypoint: [ "" ] - variables: - SHA: $CI_COMMIT_SHA - CURRENT_BRANCH: $CI_COMMIT_REF_NAME - DEFAULT_BRANCH: $CI_DEFAULT_BRANCH - ORIGIN_URL: $CI_REPOSITORY_URL - script: bearer scan . --api-key=$BEARER_TOKEN -``` +{% yamlExample "ci/gitlab/cloud" %} We recommend using [GitLab's CI/CD variables](https://docs.gitlab.com/ee/ci/variables/) to protect your token. In the example above, the variable is named `BEARER_TOKEN`. diff --git a/docs/guides/ci-setup.md b/docs/guides/ci-setup.md index 2e1f2e598..7a50a0576 100644 --- a/docs/guides/ci-setup.md +++ b/docs/guides/ci-setup.md @@ -8,13 +8,9 @@ Using Bearer CLI in your CI/CD pipeline works similarly to most other integratio ## GitHub -Bearer offers an official [GitHub Action](https://github.com/marketplace/actions/bearer-security) to connect directly with your repository. To enable it with the default settings, create a `bearer.yml` file in your `.github/workflows` directory and include the following: +Bearer offers an official [GitHub Action]({{meta.links.action}}) to connect directly with your repository. To enable it with the default settings, create a `bearer.yml` file in your `.github/workflows` directory and include the following: -```yml -steps: - - uses: actions/checkout@v3 - - uses: bearer/bearer-action@v2 -``` +{% yamlExample "ci/github/basic" %} For more details and additional configuration, see our [guide to using the GitHub action](/guides/github-action/). To hook directly into GitHub's code scanning feature, check the [configure GitHub code scanning](/guides/github-action/#configure-github-code-scanning) section of the doc. 
@@ -22,18 +18,7 @@ For more details and additional configuration, see our [guide to using the GitHu To integrate Bearer CLI with GitLab CI/CD, we recommend using the docker entrypoint method. Edit your existing `.gitlab-ci.yml` file or add one to your repository root, then add the following lines: -```yml -bearer: - image: - name: bearer/bearer - entrypoint: [ "" ] - variables: - SHA: $CI_COMMIT_SHA - CURRENT_BRANCH: $CI_COMMIT_REF_NAME - DEFAULT_BRANCH: $CI_DEFAULT_BRANCH - ORIGIN_URL: $CI_REPOSITORY_URL - script: bearer scan . -``` +{% yamlExample "ci/gitlab/basic" %} This tells GitLab to use the `bearer/bearer` docker image. You can adjust the `script` key to [customize the scan](/guides/configure-scan/) with flags the same way as a local installation. An example of this file is available in [our example GitLab repo](https://gitlab.com/bearer/bear-publishing/-/tree/main). 
@@ -45,61 +30,11 @@ For more details and additional configuration, see our [guide to using GitLab](/ To integrate with CircleCI, you can add the following job to your `.circleci/config.yml` -```yml -version: 2.1 - -jobs: - bearer: - machine: - image: ubuntu-2204:2023.07.2 - environment: - # Set to default branch of your repo - DEFAULT_BRANCH: main - steps: - - checkout - - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp - - run: CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan . - -workflows: - test: - jobs: - - bearer -``` +{% yamlExample "ci/circleci/basic" %} A more advanced example using a Github repository and reviewdog for PR comments: -```yml -version: 2.1 - -jobs: - bearer: - machine: - image: ubuntu-2204:2023.07.2 - environment: - # Set to default branch of your repo - DEFAULT_BRANCH: main - steps: - - checkout - - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp - - run: curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /tmp - - run: | - CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan . --format=rdjson --output=rd.json || export BEARER_EXIT=$? - cat rd.json | REVIEWDOG_GITHUB_API_TOKEN=$GITHUB_TOKEN /tmp/reviewdog -f=rdjson -reporter=github-pr-review - exit $BEARER_EXIT - -workflows: - test: - jobs: - - bearer: - filters: - branches: - # No need to run a check on default branch - ignore: main - context: - - bearer - # make sure to set GITHUB_TOKEN in your context - -``` +{% yamlExample "ci/circleci/reviewdog" %} The `GITHUB_TOKEN` in this case just requires read and write access to pull requests for the repository. diff --git a/docs/guides/github-action.md b/docs/guides/github-action.md new file mode 100644 index 000000000..b84e7708f --- /dev/null +++ b/docs/guides/github-action.md 
@@ -0,0 +1,76 @@ +--- +title: Using GitHub Action +--- + +# Using GitHub Action + +Running Bearer from the CLI is great, but if you want it integrated directly with your Git workflow there's nothing easier than a GitHub action. If you're unfamiliar with GitHub actions, here's a [primer available from GitHub](https://github.com/features/actions). You can also see how the action works directly on our [Bear Publishing example app](https://github.com/Bearer/bear-publishing/actions/workflows/bearer.yml). + +## Getting started + +You can [view the action here]({{meta.links.action}}), or follow along below. + +Actions live in the `.github/workflows/` directory within your repository. Start by creating a `bearer.yml` file in the workflows directory. + +We recommend the following config in `.github/workflows/bearer.yml` to run Bearer's security report: + +{% yamlExample "ci/github/basic" %} + +This will run the [security report](/explanations/reports), show the report in the job log, and flag the action as pass or fail based on whether Bearer's default rules pass or fail. + +## Further configuration + +Just as with the CLI app, you can configure the action to meet the needs of your project. Set custom inputs and outputs using the `with` key. Here's an example using the `config-file`, `skip-path`, and `only-rule` flags: + +{% yamlExample "ci/github/basic-with-options" %} + +### Inputs + +{% githubAction bearerAction.inputs %} + +### Outputs +If you want to process the output of the cli we recommend using the `output` input above to write a file that can be used elsewhere, but we also provide some basic outputs you can use if needed: + +{% githubAction bearerAction.outputs %} + +## Configure GitHub code scanning +Bearer CLI supports [GitHub code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning). 
By using the SARIF output format, you can display [security report](/explanations/reports/#security-report) findings directly in the Security tab of your repository. + +![Bearer CLI results in GitHub security tab](/assets/img/gh-code-scanning.jpg) + +To enable this feature, update your action configuration to include new permissions, new format and outputs, and an additional step. Here's an example configuration: + +{% yamlExample "ci/github/sarif" %} + +By setting the format and output path, and adding a new upload step, the action will upload SARIF-formatted findings to GitHub's code scanner. + +## Pull Request Diff + +When the Bearer action is being used to check a pull request, you can tell the +action to only report findings introduced within the pull request by setting +the `diff` input parameter to `true`. + +{% yamlExample "ci/github/diff" %} + +See our guide on [configuring a scan](/guides/configure-scan#only-report-new-findings-on-a-branch) +for more information on differential scans. + +## Code Review Comments +Bearer CLI supports [Reviewdog](https://github.com/reviewdog/reviewdog) rdjson format so you can use any of the reviewdog reporters to quickly add bearer feedback directly to your pull requests. + +![Bearer CLI results in Github PR](/assets/img/gh-pr-review.png) + +{% yamlExample "ci/github/diff-reviewdog" %} + +## Integrate with Defect Dojo + +We can monitor findings with [Defect Dojo](https://github.com/DefectDojo/django-DefectDojo) by using the `gitlab-sast` format and the v2 API. Make sure to update the instance url and set the necessary secrets. + +{% yamlExample "ci/github/defect-dojo" %} + +## Make the most of Bearer + +For more ways to use Bearer, check out the different [report types](/explanations/reports/), [available rules](/reference/rules/), [supported data types](/reference/datatypes/). + +Have a question or need help? 
Join our [Discord community](https://discord.gg/eaHZBJUXRF) or [open an issue on GitHub](https://github.com/Bearer/bearer/issues). + diff --git a/docs/guides/github-action.njk b/docs/guides/github-action.njk deleted file mode 100644 index e2c2ceb23..000000000 --- a/docs/guides/github-action.njk +++ /dev/null 
@@ -1,244 +0,0 @@ ---- -title: Using GitHub Action ---- -{% renderTemplate "md" %} - -# Using GitHub Action - -Running Bearer from the CLI is great, but if you want it integrated directly with your Git workflow there's nothing easier than a GitHub action. If you're unfamiliar with GitHub actions, here's a [primer available from GitHub](https://github.com/features/actions). You can also see how the action works directly on our [Bear Publishing example app](https://github.com/Bearer/bear-publishing/actions/workflows/bearer.yml). - -## Getting started - -You can [view the action here](https://github.com/marketplace/actions/bearer-security), or follow along below. - -Actions live in the `.github/workflows/` directory within your repository. Start by creating a `bearer.yml` file in the workflows directory. - -We recommend the following config in `.github/workflows/bearer.yml` to run Bearer's security report: - -```yaml -name: Bearer - -on: - push: - branches: - - main - -permissions: - contents: read - -jobs: - rule_check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Run Report - id: report - uses: bearer/bearer-action@v2 -``` - -This will run the [security report](/explanations/reports), display the results to the action summary screen within GitHub, and flag the action as pass or fail based on whether Bearer's default rules pass or fail. - -## Further configuration - -Just as with the CLI app, you can configure the action to meet the needs of your project. Set custom inputs and outputs using the `with` key. Here's an example using the `config-file`, `skip-path`, and `only-rule` flags: - -```yaml -steps: - - uses: actions/checkout@v3 - - name: Bearer - uses: bearer/bearer-action@v2 - with: - config-file: '/some/path/bearer.yml' - only-rule: 'ruby_lang_cookies,ruby_lang_http_post_insecure_with_data' - skip-path: 'users/*.go,users/admin.sql' -``` - -The following are a list of available inputs and outputs: -{% endrenderTemplate %} - -

Inputs

- -{% for key, value in bearerAction.inputs %} -

- {{key}} -

-

{{value.description}} - {% if not value.required %} - (Optional) - {% endif %} -

-{% endfor %} - -

Outputs

-{% for key, value in bearerAction.outputs %} -

- {{key}} -

-

{{value.description}} - {% if not value.required %} - (Optional) - {% endif %} -

-{% endfor %} - -{% renderTemplate "md" %} -## Configure GitHub code scanning -Bearer CLI supports [GitHub code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning). By using the SARIF output format, you can display [security report](/explanations/reports/#security-report) findings directly in the Security tab of your repository. - -![Bearer CLI results in GitHub security tab](/assets/img/gh-code-scanning.jpg) - -To enable this feature, update your action configuration to include new permissions, new format and outputs, and an additional step. Here's an example configuration: - -```diff-yaml -name: Bearer - -on: - push: - branches: - - main - -permissions: - contents: read -+ # Add the security-events permission - security-events: write - -jobs: - rule_check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Run Report - id: report - uses: bearer/bearer-action@v2 - with: -+ # Include these two options - format: sarif - output: results.sarif -+ # Add a new step to upload the SARIF file - - name: Upload SARIF file - if: always() - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif -``` - -By setting the format and output path, and adding a new upload step, the action will upload SARIF-formatted findings to GitHub's code scanner. - -## Pull Request Diff - -When the Bearer action is being used to check a pull request, you can tell the -action to only report findings introduced within the pull request by setting -the `diff` input parameter to `true`. 
- -```diff-yaml -name: Bearer PR Check - -on: -+ # Diff can only be used with pull_request events - pull_request: - types: [opened, synchronize, reopened] - -permissions: - contents: read - -jobs: - rule_check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Run Report - id: report - uses: bearer/bearer-action@v2 - with: -+ # Add diff option - diff: true -``` - -See our guide on [configuring a scan](/guides/configure-scan#only-report-new-findings-on-a-branch) -for more information on differential scans. - -## Code Review Comments -Bearer CLI supports [Reviewdog](https://github.com/reviewdog/reviewdog) rdjson format so you can use any of the reviewdog reporters to quickly add bearer feedback directly to your pull requests. - -![Bearer CLI results in Github PR](/assets/img/gh-pr-review.png) - -```diff-yaml -name: Bearer PR Check - -on: - pull_request: - types: [opened, synchronize, reopened] - -permissions: - contents: read -+ # Add the pull-requests permission - pull-requests: write - -jobs: - rule_check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 -+ # install reviewdog - - uses: reviewdog/action-setup@v1 - with: - reviewdog_version: latest - - name: Run Report - id: report - uses: bearer/bearer-action@v2 - with: -+ # use rdjson output, and only report changes from your PR - format: rdjson - output: rd.json - diff: true -+ # always run reviewdog otherwise the step will be skiped by github when a scan fails - - name: Run reviewdog - if: always() - env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - cat rd.json | reviewdog -f=rdjson -reporter=github-pr-review -``` - -## Integrate with Defect Dojo - -We can monitor findings with [Defect Dojo](https://github.com/DefectDojo/django-DefectDojo) by using the `gitlab-sast` format and the v2 API. Make sure to update the instance url and set the necessary secrets. 
- -```yaml -name: Bearer Defect Dojo - -on: - push: - branches: - - main - -permissions: - contents: read - -jobs: - rule_check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Run Report - id: report - uses: bearer/bearer-action@v2 - with: - format: gitlab-sast - output: gl-sast-report.json - - name: Defect Dojo - if: always() - env: - DD_TOKEN: ${{ secrets.DD_TOKEN}} - DD_APP: ${{ secrets.DD_APP}} - DD_ENGAGEMENT: ${{ secrets.DD_ENGAGEMENT}} - run: | - curl -X POST -F "file=@gl-sast-report.json" -F "product_name=$DD_APP" -F "engagement_name=$DD_ENGAGEMENT" -F "scan_type=GitLab SAST Report" -H "Authorization: Token $DD_TOKEN" http://example.com/api/v2/import-scan/ -``` - -## Make the most of Bearer - -For more ways to use Bearer, check out the different [report types](/explanations/reports/), [available rules](/reference/rules/), [supported data types](/reference/datatypes/). - -Have a question or need help? Join our [Discord community](https://discord.gg/eaHZBJUXRF) or [open an issue on GitHub](https://github.com/Bearer/bearer/issues). -{% endrenderTemplate %} diff --git a/docs/guides/gitlab.md b/docs/guides/gitlab.md index 32fc8a24d..e7990b8a0 100644 --- a/docs/guides/gitlab.md +++ b/docs/guides/gitlab.md @@ -1,7 +1,6 @@ --- title: Using GitLab CI/CD --- -{% renderTemplate "md" %} # Using GitLab CI/CD 
@@ -12,18 +11,7 @@ Running Bearer from the CLI is great, but if you want it integrated directly wit To integrate Bearer CLI with GitLab CI/CD, we recommend using the docker entrypoint method. Edit your existing `.gitlab-ci.yml` file or add one to your repository root, then add the following lines: -```yml -bearer: - image: - name: bearer/bearer - entrypoint: [ "" ] - variables: - SHA: $CI_COMMIT_SHA - CURRENT_BRANCH: $CI_COMMIT_REF_NAME - DEFAULT_BRANCH: $CI_DEFAULT_BRANCH - ORIGIN_URL: $CI_REPOSITORY_URL - script: bearer scan . -``` +{% yamlExample "ci/gitlab/basic" %} This tells GitLab to use the `bearer/bearer` docker image. You can adjust the `script` key to [customize the scan](/guides/configure-scan/) with flags the same way as a local installation. An example of this file is available in [our example GitLab repo](https://gitlab.com/bearer/bear-publishing/-/tree/main). @@ -37,23 +25,7 @@ GitLab offers an integrated security scanner that can take results from Bearer C To take advantage of this, you'll need a GitLab plan that supports it. Then, you can configure your `.gitlab-ci.yml` file with Bearer CLI's special format type. -```yml -bearer: - image: - name: bearer/bearer - entrypoint: [ "" ] - variables: - SHA: $CI_COMMIT_SHA - CURRENT_BRANCH: $CI_COMMIT_REF_NAME - DEFAULT_BRANCH: $CI_DEFAULT_BRANCH - ORIGIN_URL: $CI_REPOSITORY_URL - script: - - bearer scan . --format gitlab-sast --output gl-sast-report.json - - artifacts: - reports: - sast: gl-sast-report.json -``` +{% yamlExample "ci/gitlab/sast" %} These changes set the format to `gitlab-sast` and write an artifact that GitLab can use. Once run, the results of the security scan will display in the Security and Compliance section of the repository. 
@@ -63,20 +35,7 @@ When Bearer CLI is being used to check a merge request, you can tell the Bearer CLI to only report findings introduced within the merge request by setting the `DIFF_BASE_BRANCH` variable. -```yml -bearer: - image: - name: bearer/bearer - entrypoint: [ "" ] - variables: - SHA: $CI_COMMIT_SHA - CURRENT_BRANCH: $CI_COMMIT_REF_NAME - DEFAULT_BRANCH: $CI_DEFAULT_BRANCH - ORIGIN_URL: $CI_REPOSITORY_URL - DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME - DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA - script: bearer scan . -``` +{% yamlExample "ci/gitlab/diff" %} See our guide on [configuring a scan](/guides/configure-scan#only-report-new-findings-on-a-branch) for more information on differential scans. @@ -89,21 +48,7 @@ Bearer CLI supports [Reviewdog](https://github.com/reviewdog/reviewdog) rdjson f To keep the thing in one job we download each binary then run the two commands individually. -```yml -pr_check: - variables: - SHA: $CI_COMMIT_SHA - CURRENT_BRANCH: $CI_COMMIT_REF_NAME - DEFAULT_BRANCH: $CI_DEFAULT_BRANCH - ORIGIN_URL: $CI_REPOSITORY_URL - DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME - DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA - script: - - curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /usr/local/bin - - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /usr/local/bin - - bearer scan . --format=rdjson --output=rd.json - - cat rd.json | reviewdog -f=rdjson -reporter=gitlab-mr-discussion -``` +{% yamlExample "ci/gitlab/diff-reviewdog" %} [Don't forget](https://github.com/reviewdog/reviewdog#reporter-gitlab-mergerequest-discussions--reportergitlab-mr-discussion) to set `REVIEWDOG_GITLAB_API_TOKEN` in your project environment variables with a personal API access token. 
@@ -112,4 +57,4 @@ pr_check: For more ways to use Bearer, check out the different [report types](/explanations/reports/), [available rules](/reference/rules/), [supported data types](/reference/datatypes/). Have a question or need help? Join our [Discord community](https://discord.gg/eaHZBJUXRF) or [open an issue on GitHub](https://github.com/Bearer/bearer/issues). -{% endrenderTemplate %} + diff --git a/docs/guides/index.md b/docs/guides/index.md index 3d55cfaec..bc01ca5d3 100644 --- a/docs/guides/index.md +++ b/docs/guides/index.md @@ -6,11 +6,4 @@ title: Guides Guides help you make the most of Bearer CLI so you can get up and running quickly. Have a request for a new guide? Open an [issue on GitHub]({{meta.links.issues}}). -- [Configure the scan command](/guides/configure-scan/) -- [Using GitHub action](/guides/github-action/) -- [Using GitLab CI/CD](/guides/gitlab/) -- [Set up CI/CD](/guides/ci-setup/) -- [Create a custom rule](/guides/custom-rule/) -- [Run a privacy report](/guides/privacy/) -- [Run a data flow report](/guides/dataflow/) -- [Using Bearer Cloud](/guides/bearer-cloud/) \ No newline at end of file +{% sectionLinks "Guides" %} \ No newline at end of file diff --git a/docs/reference/index.md b/docs/reference/index.md index 7811db92c..ef1819f95 100644 --- a/docs/reference/index.md +++ b/docs/reference/index.md @@ -6,10 +6,4 @@ title: Reference Reference documents are where you'll find detailed information about each command, as well as support charges for languages, rules, datatypes, and more. -- [Built-in Rules](/reference/rules/) -- [Supported Data Types](/reference/datatypes/) -- [Recipes](/reference/recipes/) -- [Commands](/reference/commands/) -- [Supported Languages](/reference/supported-languages/) -- [Configuration](/reference/config/) -- [Installation](/reference/installation/) \ No newline at end of file +{% sectionLinks "Reference" %} \ No newline at end of file