docs/guides/configure-scan.md
| 1 | + | --- |
| 2 | + | title: Configure the scan command |
| 3 | + | --- |
| 4 | + | |
| 5 | + | # Configure the scan to meet your needs |
| 6 | + | |
| 7 | + | Bearer offers a variety of ways to configure the core `scan` command to best meet your needs. Here are some common situations. For a full list of options, see the [commands reference](/reference/commands/). For many of the command flags listed below, you can also define them in your `bearer.yml` [config file](/reference/config/). |
| 8 | + | |
| 9 | + | ## Select a report type |
| 10 | + | |
| 11 | + | There are a variety of [report types](/explanations/reports/) to choose from. Bearer defaults to the Security report, but you can select any other type with the `--report` flag. |
| 12 | + | |
| 13 | + | ```bash |
| 14 | + | bearer scan . --report privacy |
| 15 | + | ``` |
| 16 | + | |
| 17 | + | ## Select a scanner type |
| 18 | + | |
| 19 | + | Did you know that Bearer can also detect hard-coded secrets in your code? In addition to the default SAST scanner, there's a built-in secrets scanner. Use the `--scanner` flag to change [scanner types](/explanations/scanners/). |
| 20 | + | |
| 21 | + | ```bash |
| 22 | + | bearer scan . --scanner secrets |
| 23 | + | ``` |
| 24 | + | |
| 25 | + | ## Skip or ignore specific rules |
| 26 | + | |
| 27 | + | Sometimes you want to ignore one or more rules, either for the entire scan or for individual blocks of code. Rules are identified by their id, for example: `ruby_lang_exception`. |
| 28 | + | |
| 29 | + | ### Skip rules for the entire scan |
| 30 | + | |
| 31 | + | To ignore rules for the entire scan you can use the `--skip-rule` flag with the `scan` command. |
| 32 | + | |
| 33 | + | Using `--skip-rule`: |
| 34 | + | |
| 35 | + | ```bash |
| 36 | + | # skip a single rule |
| 37 | + | bearer scan . --skip-rule ruby_lang_exception |
| 38 | + | |
| 39 | + | # skip multiple rules |
| 40 | + | bearer scan . --skip-rule ruby_lang_exception,ruby_lang_cookies |
| 41 | + | ``` |
| 42 | + | |
| 43 | + | Using `bearer.yml` |
| 44 | + | |
| 45 | + | ```yaml |
| 46 | + | rule: |
| 47 | + | skip-rule: [ruby_lang_exception, ruby_lang_cookies] |
| 48 | + | ``` |
| 49 | + | |
| 50 | + | ### Skip rules for individual code blocks |
| 51 | + | |
| 52 | + | Bearer supports comment-based rule skipping using the `bearer:disable` comment. To ignore a block of code, place the comment immediately before the block. |
| 53 | + | |
| 54 | + | In ruby: |
| 55 | + | |
| 56 | + | ```ruby |
| 57 | + | # bearer:disable ruby_lang_logger, ruby_lang_http_insecure |
| 58 | + | Net::HTTP.start("http://my.api.com/users/search) do |
| 59 | + | logger.warn("Searching for #{current_user.email}") |
| 60 | + | ... |
| 61 | + | end |
| 62 | + | ``` |
| 63 | + | |
| 64 | + | In javascript: |
| 65 | + | |
| 66 | + | ```javascript |
| 67 | + | // bearer:disable javascript_lang_logger |
| 68 | + | function logUser(user) { |
| 69 | + | log.info(user.name) |
| 70 | + | } |
| 71 | + | ``` |
| 72 | + | |
| 73 | + | To ignore an individual line of code, place the comment immediately before the line. |
| 74 | + | |
| 75 | + | ```ruby |
| 76 | + | def my_func |
| 77 | + | # bearer:disable ruby_rails_logger |
| 78 | + | Rails.logger(current_user.email) |
| 79 | + | end |
| 80 | + | ``` |
| 81 | + | |
| 82 | + | ```javascript |
| 83 | + | function logUser(user) { |
| 84 | + | log.info(user.name) |
| 85 | + | // bearer:disable javascript_lang_logger |
| 86 | + | log.info(user.uuid) |
| 87 | + | } |
| 88 | + | ``` |
| 89 | + | |
| 90 | + | ## Run only specified rules |
| 91 | + | |
| 92 | + | Similar to how you can skip rules, you can also tell the scan to only run specific rules. To do so, specify the rule IDs with the `--only-rule` flag. |
| 93 | + | |
| 94 | + | ```bash |
| 95 | + | bearer scan . --only-rule ruby_lang_cookies |
| 96 | + | ``` |
| 97 | + | |
| 98 | + | ## Change the output format |
| 99 | + | |
| 100 | + | Each [report type](/explanations/reports/) has a default output format, but in general you're able to also select between `json` and `yaml` with the `--format` flag. |
| 101 | + | |
| 102 | + | ```bash |
| 103 | + | bearer scan . --format yaml |
| 104 | + | ``` |
| 105 | + | |
| 106 | + | ## Output to a file |
| 107 | + | |
| 108 | + | Sometimes you'll want to hand off the report, and while you could pipe the results to another command, we've included the `--output` flag to make it easier. Specify the path to the output file. |
| 109 | + | |
| 110 | + | ```bash |
| 111 | + | bearer scan . --report dataflow --output dataflow.json |
| 112 | + | ``` |
| 113 | + | |
| 114 | + | ## Limit severity levels |
| 115 | + | |
| 116 | + | Depending on how you're using Bearer, you may want to limit the severity levels that show up in the report. This can be useful for triaging only the most critical issues. Use the `--severity` flag to define which levels to include from the list of critical, high, medium, low, and warning. |
| 117 | + | |
| 118 | + | ```bash |
| 119 | + | bearer scan . --severity critical,high |
| 120 | + | ``` |
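Review bot: the Ruby snippet at line 58 has an unterminated string literal (`Net::HTTP.start("http://my.api.com/users/search) do`), so anyone who pastes the block gets a syntax error instead of a working demonstration of `bearer:disable`; close the quote, and since `Net::HTTP.start` takes a host and port rather than a URL, either `Net::HTTP.start("my.api.com") do |http|` or `Net::HTTP.get(URI("http://my.api.com/users/search"))` would be real code that keeps the plain-http URL the example is illustrating. Line 78 has the same kind of problem: `Rails.logger` is an accessor that returns a Logger and takes no arguments, so `Rails.logger(current_user.email)` raises ArgumentError; `Rails.logger.info(current_user.email)` is valid Rails and keeps the example's intent. Two smaller points: line 43 `Using `bearer.yml`` is missing the trailing colon that line 33 has, and line 100 reads more cleanly as "you can also select between `json` and `yaml` with the `--format` flag".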