diff --git a/docs/_data/bearer.yaml b/docs/_data/bearer.yaml index 95d04bf3c..ad8f01ef7 100644 --- a/docs/_data/bearer.yaml +++ b/docs/_data/bearer.yaml @@ -1,13 +1,13 @@ name: bearer options: - - name: help - shorthand: h - default_value: "false" - usage: help for bearer + - name: help + shorthand: h + default_value: "false" + usage: help for bearer see_also: - - bearer completion - Generate the autocompletion script for the your shell. - - bearer ignore - Manage ignored fingerprints - - bearer init - Generates a default config to `bearer.yml` - - bearer scan - Scan a directory or file - - bearer version - Print the version -aliases: + - bearer completion - Generate the autocompletion script for the your shell. + - bearer ignore - Manage ignored fingerprints + - bearer init - Generates a default config to `bearer.yml` + - bearer scan - Scan a directory or file + - bearer version - Print the version +aliases: diff --git a/docs/_data/bearer_completion.yaml b/docs/_data/bearer_completion.yaml index 574780a31..c14e06d7b 100644 --- a/docs/_data/bearer_completion.yaml +++ b/docs/_data/bearer_completion.yaml @@ -2,10 +2,10 @@ name: bearer completion synopsis: Generate the autocompletion script for the your shell. usage: bearer completion [command] options: - - name: help - shorthand: h - default_value: "false" - usage: help for completion + - name: help + shorthand: h + default_value: "false" + usage: help for completion see_also: - - "bearer - " -aliases: + - 'bearer - ' +aliases: diff --git a/docs/_data/bearer_ignore_add.yaml b/docs/_data/bearer_ignore_add.yaml index 5c84e8f86..170583e33 100644 --- a/docs/_data/bearer_ignore_add.yaml +++ b/docs/_data/bearer_ignore_add.yaml 
@@ -2,54 +2,54 @@ name: bearer ignore add synopsis: Add an ignored fingerprint usage: bearer ignore add [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - - name: author - shorthand: a - usage: | - Add author information to this ignored finding. (default output of "git config user.name") - - name: comment - usage: Add a comment to this ignored finding. - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - - name: debug-profile - default_value: "false" - usage: Generate profiling data for debugging - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - - name: false-positive - default_value: "false" - usage: Mark an this ignored finding as false positive. - - name: force - default_value: "false" - usage: Overwrite an existing ignored finding. - - name: help - shorthand: h - default_value: "false" - usage: help for add - - name: host - default_value: my.bearer.sh - usage: Specify the Host for sending the report. - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - - name: ignore-git - default_value: "false" - usage: Ignore Git listing - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - - name: no-color - default_value: "false" - usage: Disable color in output + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + - name: author + shorthand: a + usage: | + Add author information to this ignored finding. (default output of "git config user.name") + - name: comment + usage: Add a comment to this ignored finding. + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + - name: debug + default_value: "false" + usage: Enable debug logs. 
Equivalent to --log-level=debug + - name: debug-profile + default_value: "false" + usage: Generate profiling data for debugging + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + - name: false-positive + default_value: "false" + usage: Mark an this ignored finding as false positive. + - name: force + default_value: "false" + usage: Overwrite an existing ignored finding. + - name: help + shorthand: h + default_value: "false" + usage: help for add + - name: host + default_value: my.bearer.sh + usage: Specify the Host for sending the report. + - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. + - name: ignore-git + default_value: "false" + usage: Ignore Git listing + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + - name: no-color + default_value: "false" + usage: Disable color in output example: |- - # Add an ignored fingerprint to your ignore file - $ bearer ignore add --author Mish --comment "Possible false positive" + # Add an ignored fingerprint to your ignore file + $ bearer ignore add --author Mish --comment "Possible false positive" see_also: - - bearer ignore - Manage ignored fingerprints -aliases: + - bearer ignore - Manage ignored fingerprints +aliases: diff --git a/docs/_data/bearer_ignore_migrate.yaml b/docs/_data/bearer_ignore_migrate.yaml index ffe88659a..9795e8f9a 100644 --- a/docs/_data/bearer_ignore_migrate.yaml +++ b/docs/_data/bearer_ignore_migrate.yaml 
@@ -2,45 +2,45 @@ name: bearer ignore migrate synopsis: Migrate ignored fingerprints from bearer.yml to ignore file usage: bearer ignore migrate [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - - name: debug-profile - default_value: "false" - usage: Generate profiling data for debugging - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - - name: force - default_value: "false" - usage: Overwrite an existing ignored finding. - - name: help - shorthand: h - default_value: "false" - usage: help for migrate - - name: host - default_value: my.bearer.sh - usage: Specify the Host for sending the report. - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - - name: ignore-git - default_value: "false" - usage: Ignore Git listing - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - - name: no-color - default_value: "false" - usage: Disable color in output + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + - name: debug-profile + default_value: "false" + usage: Generate profiling data for debugging + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + - name: force + default_value: "false" + usage: Overwrite an existing ignored finding. + - name: help + shorthand: h + default_value: "false" + usage: help for migrate + - name: host + default_value: my.bearer.sh + usage: Specify the Host for sending the report. 
+ - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. + - name: ignore-git + default_value: "false" + usage: Ignore Git listing + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + - name: no-color + default_value: "false" + usage: Disable color in output example: |- - # Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file - $ bearer ignore migrate + # Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file + $ bearer ignore migrate see_also: - - bearer ignore - Manage ignored fingerprints -aliases: + - bearer ignore - Manage ignored fingerprints +aliases: diff --git a/docs/_data/bearer_ignore_pull.yaml b/docs/_data/bearer_ignore_pull.yaml index 00c440dff..d0e8c9105 100644 --- a/docs/_data/bearer_ignore_pull.yaml +++ b/docs/_data/bearer_ignore_pull.yaml 
@@ -2,42 +2,42 @@ name: bearer ignore pull synopsis: Pull ignored fingerprints from Cloud usage: bearer ignore pull [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - - name: debug-profile - default_value: "false" - usage: Generate profiling data for debugging - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - - name: help - shorthand: h - default_value: "false" - usage: help for pull - - name: host - default_value: my.bearer.sh - usage: Specify the Host for sending the report. - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - - name: ignore-git - default_value: "false" - usage: Ignore Git listing - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - - name: no-color - default_value: "false" - usage: Disable color in output + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + - name: debug-profile + default_value: "false" + usage: Generate profiling data for debugging + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + - name: help + shorthand: h + default_value: "false" + usage: help for pull + - name: host + default_value: my.bearer.sh + usage: Specify the Host for sending the report. + - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. 
+ - name: ignore-git + default_value: "false" + usage: Ignore Git listing + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + - name: no-color + default_value: "false" + usage: Disable color in output example: |- - # Pull ignored fingerprints from the Cloud (requires API key) - $ bearer ignore pull /path/to/your_project --api-key=XXXXX + # Pull ignored fingerprints from the Cloud (requires API key) + $ bearer ignore pull /path/to/your_project --api-key=XXXXX see_also: - - bearer ignore - Manage ignored fingerprints -aliases: + - bearer ignore - Manage ignored fingerprints +aliases: diff --git a/docs/_data/bearer_ignore_remove.yaml b/docs/_data/bearer_ignore_remove.yaml index d38d51c33..71060cc6a 100644 --- a/docs/_data/bearer_ignore_remove.yaml +++ b/docs/_data/bearer_ignore_remove.yaml 
@@ -2,42 +2,42 @@ name: bearer ignore remove synopsis: Remove an ignored fingerprint usage: bearer ignore remove [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - - name: debug-profile - default_value: "false" - usage: Generate profiling data for debugging - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - - name: help - shorthand: h - default_value: "false" - usage: help for remove - - name: host - default_value: my.bearer.sh - usage: Specify the Host for sending the report. - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - - name: ignore-git - default_value: "false" - usage: Ignore Git listing - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - - name: no-color - default_value: "false" - usage: Disable color in output + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + - name: debug-profile + default_value: "false" + usage: Generate profiling data for debugging + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + - name: help + shorthand: h + default_value: "false" + usage: help for remove + - name: host + default_value: my.bearer.sh + usage: Specify the Host for sending the report. + - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. 
+ - name: ignore-git + default_value: "false" + usage: Ignore Git listing + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + - name: no-color + default_value: "false" + usage: Disable color in output example: |- - # Remove an ignored fingerprint from your ignore file - $ bearer ignore remove + # Remove an ignored fingerprint from your ignore file + $ bearer ignore remove see_also: - - bearer ignore - Manage ignored fingerprints -aliases: + - bearer ignore - Manage ignored fingerprints +aliases: diff --git a/docs/_data/bearer_ignore_show.yaml b/docs/_data/bearer_ignore_show.yaml index 71d1dc13f..f8d926af7 100644 --- a/docs/_data/bearer_ignore_show.yaml +++ b/docs/_data/bearer_ignore_show.yaml 
@@ -2,45 +2,45 @@ name: bearer ignore show synopsis: Show an ignored fingerprint usage: bearer ignore show [flags] options: - - name: all - default_value: "false" - usage: Show all ignored fingerprints. - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - - name: debug-profile - default_value: "false" - usage: Generate profiling data for debugging - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - - name: help - shorthand: h - default_value: "false" - usage: help for show - - name: host - default_value: my.bearer.sh - usage: Specify the Host for sending the report. - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - - name: ignore-git - default_value: "false" - usage: Ignore Git listing - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - - name: no-color - default_value: "false" - usage: Disable color in output + - name: all + default_value: "false" + usage: Show all ignored fingerprints. + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + - name: debug-profile + default_value: "false" + usage: Generate profiling data for debugging + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + - name: help + shorthand: h + default_value: "false" + usage: help for show + - name: host + default_value: my.bearer.sh + usage: Specify the Host for sending the report. 
+ - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. + - name: ignore-git + default_value: "false" + usage: Ignore Git listing + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + - name: no-color + default_value: "false" + usage: Disable color in output example: |- - # Show the details of an ignored fingerprint from your ignore file - $ bearer ignore show + # Show the details of an ignored fingerprint from your ignore file + $ bearer ignore show see_also: - - bearer ignore - Manage ignored fingerprints -aliases: + - bearer ignore - Manage ignored fingerprints +aliases: diff --git a/docs/_data/bearer_init.yaml b/docs/_data/bearer_init.yaml index dfd244cdf..17f53a9d7 100644 --- a/docs/_data/bearer_init.yaml +++ b/docs/_data/bearer_init.yaml @@ -2,10 +2,10 @@ name: bearer init synopsis: Generates a default config to `bearer.yml` usage: bearer init [flags] options: - - name: help - shorthand: h - default_value: "false" - usage: help for init + - name: help + shorthand: h + default_value: "false" + usage: help for init see_also: - - "bearer - " -aliases: + - 'bearer - ' +aliases: diff --git a/docs/_data/bearer_scan.yaml b/docs/_data/bearer_scan.yaml index 3f6ad94e4..ee0924090 100644 --- a/docs/_data/bearer_scan.yaml +++ b/docs/_data/bearer_scan.yaml 
@@ -2,119 +2,142 @@ name: bearer scan synopsis: Scan a directory or file usage: bearer scan [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - - name: context - usage: | - Expand context of schema classification e.g., --context=health, to include data types particular to health - - name: data-subject-mapping - usage: | - Override default data subject mapping by providing a path to a custom mapping JSON file - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - - name: debug-profile - default_value: "false" - usage: Generate profiling data for debugging - - name: disable-default-rules - default_value: "false" - usage: Disables all default and built-in rules. - - name: disable-domain-resolution - default_value: "true" - usage: | - Do not attempt to resolve detected domains during classification - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - - name: domain-resolution-timeout - default_value: 3s - usage: | - Set timeout when attempting to resolve detected domains during classification, e.g. --domain-resolution-timeout=3s - - name: exclude-fingerprint - default_value: "[]" - usage: | - Specify the comma-separated fingerprints of the findings you would like to exclude from the report. - - name: exit-code - default_value: "-1" - usage: | - Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan. - - name: external-rule-dir - default_value: "[]" - usage: | - Specify directories paths that contain .yaml files with external rules configuration - - name: fail-on-severity - default_value: critical,high,medium,low - usage: | - Specify which severities cause the report to fail. Works in conjunction with --exit-code. 
- - name: force - default_value: "false" - usage: Disable the cache and runs the detections again - - name: format - shorthand: f - usage: | - Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) - - name: help - shorthand: h - default_value: "false" - usage: help for scan - - name: hide-progress-bar - default_value: "false" - usage: Hide progress bar from output - - name: host - default_value: my.bearer.sh - usage: Specify the Host for sending the report. - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - - name: ignore-git - default_value: "false" - usage: Ignore Git listing - - name: internal-domains - default_value: "[]" - usage: | - Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains=".*.my-company.com,private.sh" - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - - name: no-color - default_value: "false" - usage: Disable color in output - - name: only-rule - default_value: "[]" - usage: | - Specify the comma-separated ids of the rules you would like to run. Skips all other rules. - - name: output - usage: Specify the output path for the report. - - name: parallel - default_value: "0" - usage: Specify the amount of parallelism to use during the scan - - name: quiet - default_value: "false" - usage: Suppress non-essential messages - - name: report - default_value: security - usage: Specify the type of report (security, privacy, dataflow). - - name: scanner - default_value: "[sast]" - usage: | - Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast - - name: severity - default_value: critical,high,medium,low,warning - usage: Specify which severities are included in the report. - - name: skip-path - default_value: "[]" - usage: | - Specify the comma separated files and directories to skip. Supports * syntax, e.g. 
--skip-path users/*.go,users/admin.sql - - name: skip-rule - default_value: "[]" - usage: | - Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + - name: context + usage: | + Expand context of schema classification e.g., --context=health, to include data types particular to health + - name: current-branch + usage: The name of the current branch. + - name: current-commit + usage: The hash of the current commit. + - name: data-subject-mapping + usage: | + Override default data subject mapping by providing a path to a custom mapping JSON file + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + - name: debug-profile + default_value: "false" + usage: Generate profiling data for debugging + - name: default-branch + usage: The name of the default branch. + - name: diff + default_value: "false" + usage: | + Only report differences in findings relative to a base branch. + - name: diff-base-branch + usage: The name of the base branch to use for diff scanning. + - name: diff-base-commit + usage: The hash of the base commit to use for diff scanning. + - name: disable-default-rules + default_value: "false" + usage: Disables all default and built-in rules. + - name: disable-domain-resolution + default_value: "true" + usage: | + Do not attempt to resolve detected domains during classification + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + - name: domain-resolution-timeout + default_value: 3s + usage: | + Set timeout when attempting to resolve detected domains during classification, e.g. 
--domain-resolution-timeout=3s + - name: exclude-fingerprint + default_value: '[]' + usage: | + Specify the comma-separated fingerprints of the findings you would like to exclude from the report. + - name: exit-code + default_value: "-1" + usage: | + Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan. + - name: external-rule-dir + default_value: '[]' + usage: | + Specify directories paths that contain .yaml files with external rules configuration + - name: fail-on-severity + default_value: critical,high,medium,low + usage: | + Specify which severities cause the report to fail. Works in conjunction with --exit-code. + - name: force + default_value: "false" + usage: Disable the cache and runs the detections again + - name: format + shorthand: f + usage: | + Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) + - name: github-api-url + usage: A non-standard URL to use for the Github API + - name: github-repository + usage: | + The owner and name of the repository on Github. eg. Bearer/bearer + - name: github-token + usage: An access token for the Github API. + - name: help + shorthand: h + default_value: "false" + usage: help for scan + - name: hide-progress-bar + default_value: "false" + usage: Hide progress bar from output + - name: host + default_value: my.bearer.sh + usage: Specify the Host for sending the report. + - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. + - name: ignore-git + default_value: "false" + usage: Ignore Git listing + - name: internal-domains + default_value: '[]' + usage: | + Define regular expressions for better classification of private or unreachable domains e.g. 
--internal-domains=".*.my-company.com,private.sh" + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + - name: no-color + default_value: "false" + usage: Disable color in output + - name: only-rule + default_value: '[]' + usage: | + Specify the comma-separated ids of the rules you would like to run. Skips all other rules. + - name: output + usage: Specify the output path for the report. + - name: parallel + default_value: "0" + usage: Specify the amount of parallelism to use during the scan + - name: quiet + default_value: "false" + usage: Suppress non-essential messages + - name: report + default_value: security + usage: Specify the type of report (security, privacy, dataflow). + - name: repository-url + usage: The remote URL of the repository. + - name: scanner + default_value: '[sast]' + usage: | + Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast + - name: severity + default_value: critical,high,medium,low,warning + usage: Specify which severities are included in the report. + - name: skip-path + default_value: '[]' + usage: | + Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql + - name: skip-rule + default_value: '[]' + usage: | + Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. example: |4- # Scan a local project, including language-specific files $ bearer scan /path/to/your_project see_also: - - "bearer - " + - 'bearer - ' aliases: s diff --git a/docs/_data/bearer_version.yaml b/docs/_data/bearer_version.yaml index 957a4d9bc..70a739357 100644 --- a/docs/_data/bearer_version.yaml +++ b/docs/_data/bearer_version.yaml 
@@ -2,39 +2,39 @@ name: bearer version synopsis: Print the version usage: bearer version [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - - name: debug-profile - default_value: "false" - usage: Generate profiling data for debugging - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - - name: help - shorthand: h - default_value: "false" - usage: help for version - - name: host - default_value: my.bearer.sh - usage: Specify the Host for sending the report. - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - - name: ignore-git - default_value: "false" - usage: Ignore Git listing - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - - name: no-color - default_value: "false" - usage: Disable color in output + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + - name: debug-profile + default_value: "false" + usage: Generate profiling data for debugging + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + - name: help + shorthand: h + default_value: "false" + usage: help for version + - name: host + default_value: my.bearer.sh + usage: Specify the Host for sending the report. + - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. 
+ - name: ignore-git + default_value: "false" + usage: Ignore Git listing + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + - name: no-color + default_value: "false" + usage: Disable color in output see_also: - - "bearer - " -aliases: + - 'bearer - ' +aliases: diff --git a/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml b/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml index a1eee6565..a233fd37e 100644 --- a/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml +++ b/docs/_data/examples/ci/gitlab/diff-reviewdog.yaml @@ -1,10 +1,7 @@ bearer_mr: - variables: - DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME - DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA script: - curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /usr/local/bin - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b /usr/local/bin - - bearer scan . --format=rdjson --output=rd.json || export BEARER_EXIT=$? + - bearer scan . --diff --format=rdjson --output=rd.json || export BEARER_EXIT=$? - cat rd.json | reviewdog -f=rdjson -reporter=gitlab-mr-discussion - exit $BEARER_EXIT diff --git a/docs/_data/examples/ci/gitlab/diff.yaml b/docs/_data/examples/ci/gitlab/diff.yaml index 6b801f6c2..02bcea650 100644 --- a/docs/_data/examples/ci/gitlab/diff.yaml +++ b/docs/_data/examples/ci/gitlab/diff.yaml @@ -2,7 +2,4 @@ bearer_mr: image: name: bearer/bearer entrypoint: [""] - variables: - DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME - DIFF_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA - script: bearer scan . + script: bearer scan --diff . diff --git a/docs/guides/configure-scan.md b/docs/guides/configure-scan.md index 414efdbb5..b117aabed 100644 --- a/docs/guides/configure-scan.md +++ b/docs/guides/configure-scan.md 
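Review bot: Dropping the `variables:` block leaves the `--diff` scan in `bearer_mr` without an explicit base, and the configure-scan guide changed in this same commit says the repository's default branch is then used for comparison. For a merge request that targets any other branch, a finding that already exists on the default branch but is new to the real target would be treated as pre-existing and left out of the report. That holds unless the CLI reads GitLab's merge-request variables on its own, which nothing in this diff shows. I would keep the mapping under the new name, `variables:` with `BEARER_DIFF_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME`. The same applies to the `bearer_mr` job in docs/_data/examples/ci/gitlab/diff.yaml.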
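Review bot: The `image:` entry kept as context in this job is `name: bearer/bearer` with no tag or digest, so each pipeline pulls whatever the registry currently serves, and the scanner that gates merge requests can change without any commit in the consuming repository. Pinning it, for example `name: bearer/bearer:<pinned-version>` (placeholder; a digest is stricter), makes the example reproducible and stops an unexpected upstream push from reaching CI unnoticed. The reviewdog variant of this job has the same exposure through the two install scripts it pipes into `sh` from the `main` and `master` branches; fetching them at a fixed tag or commit would address it. The job's `bearer_mr:` key sits above this hunk.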
@@ -33,12 +33,13 @@ When scanning a Git repository, you can choose to only report new findings that have been introduced, relative to a base branch. Any findings that already existed in the base branch will not be reported. -Use the `DIFF_BASE_BRANCH` environment variable to enable differential scanning, -and to specify the base branch to use for comparison. +Use the `--diff` flag to enable differential scanning. The repository's default +branch will be used as the base branch for comparison. You can override this by +setting the `BEARER_DIFF_BASE_BRANCH` environment variable. ```bash git checkout my-feature -DIFF_BASE_BRANCH=main bearer scan . +BEARER_DIFF_BASE_BRANCH=base-branch bearer scan --diff . ``` If the base branch is not available in the git repository, it's head will be diff --git a/docs/guides/gitlab.md b/docs/guides/gitlab.md index d95ded83e..722d7a2ac 100644 --- a/docs/guides/gitlab.md +++ b/docs/guides/gitlab.md @@ -31,8 +31,8 @@ These changes set the format to `gitlab-sast` and write an artifact that GitLab ### Gitlab Merge Request Diff When Bearer CLI is being used to check a merge request, you can tell the Bearer -CLI to only report findings introduced within the merge request by setting the -`DIFF_BASE_BRANCH` variable. +CLI to only report findings introduced within the merge request by adding the +`--diff` flag. {% yamlExample "ci/gitlab/diff" %}