action.yml

name: "Bearer Action"
description: "Bearer is a free and open SAST tool that analyzes your source code to help find and fix security and privacy risks."
branding:
  icon: "check-square"
  color: "purple"
inputs:
  version:
    description: "Specify the Bearer version to use. This must match a Bearer release name."
    required: false
    default: ""
  scanner:
    description: "Specify the comma separated scanners e.g. --scanner secrets,sast"
    required: false
    default: ""
  config-file:
    description: "configuration file path"
    required: false
    default: ""
  bearer-ignore-file:
    description: "bearer.ignore file path"
    required: false
    default: ""
  only-rule:
    description: "Specify the comma-separated ids of the rules you would like to run. Skips all other rules."
    required: false
    default: ""
  skip-rule:
    description: "Specify the comma-separated ids of the rules you would like to skip. Runs all other rules."
    required: false
    default: ""
  skip-path:
    description: "Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql"
    required: false
    default: ""
  exclude-fingerprint:
    description: "Specify the comma-separated fingerprints of the findings you would like to exclude from the report."
    required: false
    default: ""
  severity:
    description: "Specify which severities are included in the report as a comma separated string"
    required: false
    default: ""
  format:
    description: "Specify which format to use for the report (json, yaml, sarif, gitlab-sast)"
    required: false
    default: ""
  output:
    description: "Specify where to store the report"
    required: false
    default: ""
  api-key:
    description: "For use with Bearer Cloud"
    required: false
    default: ""
  diff:
    description: "Enable differential scanning. Only supported for pull request events"
    required: false
    default: "false"
  quiet:
    description: "Suppress non-essential messages"
    required: false
    default: ""
  hide-progress-bar:
    description: "Hide progress bar from output"
    required: false
    default: "true"
  exit-code:
    description: "Forces the exit-code when errors are reported"
    required: false
    default: ""
  path:
    description: "The path to scan"
    required: false
    default: "."
outputs:
  rule_breaches:
    description: "Details of any rule breaches that occur"
    value: ${{ steps.run.outputs.rule_breaches }}
  exit_code:
    description: "exit code from binary"
    value: ${{ steps.run.outputs.exit_code }}
runs:
  using: "composite"
  steps:
    - shell: bash
      run: |
        VERSION="${{ inputs.version }}"
        if [[ ! -z "$VERSION" ]]; then
          VERSION="v${VERSION#v}"
        fi

        curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b "$RUNNER_TEMP" "$VERSION"
    - id: run
      shell: bash
      env:
        BEARER_SCANNER: ${{ inputs.scanner }}
        BEARER_CONFIG_FILE: ${{ inputs.config-file }}
        BEARER_IGNORE_FILE: ${{ inputs.bearer-ignore-file }}
        BEARER_ONLY_RULE: ${{ inputs.only-rule }}
        BEARER_SKIP_RULE: ${{ inputs.skip-rule }}
        BEARER_SKIP_PATH: ${{ inputs.skip-path }}
        BEARER_EXCLUDE_FINGERPRINT: ${{ inputs.exclude-fingerprint }}
        BEARER_FORMAT: ${{ inputs.format }}
        BEARER_OUTPUT: ${{ inputs.output }}
        BEARER_EXIT_CODE: ${{ inputs.exit-code }}
        BEARER_SEVERITY: ${{ inputs.severity }}
        BEARER_API_KEY: ${{ inputs.api-key }}
        BEARER_QUIET: ${{ inputs.quiet }}
        BEARER_HIDE_PROGRESS_BAR: ${{ inputs.hide-progress-bar }}
        SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        PR_NUMBER: ${{ github.event.pull_request.number }}
        CURRENT_BRANCH: ${{ github.head_ref }}
        DIFF_BASE_BRANCH: ${{ fromJSON(inputs.diff) && github.base_ref || '' }}
        DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        GITHUB_TOKEN: ${{ github.token }}
      run: |
        set +e
        RULE_BREACHES=`$RUNNER_TEMP/bearer scan "${{ inputs.path }}"`
        SCAN_EXIT_CODE=$?
        set -e

        echo "::debug::$RULE_BREACHES"

        EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)

        echo "rule_breaches<<$EOF" >> $GITHUB_OUTPUT
        echo "$RULE_BREACHES" >> $GITHUB_OUTPUT
        echo "$EOF" >> $GITHUB_OUTPUT

        echo "exit_code=$SCAN_EXIT_CODE" >> $GITHUB_OUTPUT

        exit $SCAN_EXIT_CODE