As part of the Bearer CLI v1.9.0 release, we're thrilled to offer improved code scanning integration with GitHub for our open-source security scanner. In this article, we'll briefly go over the format that makes this possible, how it works, and how you can start using it today.
Set up Bearer CLI with GitHub Code Scanning
You can now configure the Bearer action to automatically generate and upload a standard SARIF file to GitHub, so you can take full advantage of GitHub's built-in code scanning interface. This adds functionality, and a user interface, on top of our existing SAST CI/CD support.
Check out the Bearer CLI GitHub Action documentation for instructions on setting up the workflow.
Once enabled, any vulnerability alerts are displayed on the repository’s Security page. There, you can browse findings across all code-scanning integrations.
Findings from Bearer include details about where in the code the detection comes from, as well as remediation advice and links to additional resources.
You can dismiss findings, sort by severity, and more. This allows your team to better tackle security findings and more easily prioritize your efforts toward the most critical concerns.
GitHub code scanning support is available for all public repositories, as well as private repositories belonging to organizations on a GitHub Enterprise plan.
What is SARIF and how it accelerates integrations
This direct integration is made possible by a shared format known as the Static Analysis Results Interchange Format (SARIF). It's a standard interoperability format for static application security testing (SAST) tools: any tool can report vulnerabilities and defects in a format that other tools can then consume, all without the lock-in of a proprietary schema.
SARIF was developed by an OASIS Open technical committee with participation from experts across the cybersecurity industry. The result is a standard that allows organizations to combine and compare results from multiple, often competing, tools to get a better picture of their security needs.
At their worst, tools without SARIF support lock you into their ecosystem. At their best, they require your team to write parsers for a proprietary format. Either way, portability suffers, and it raises concerns about the longevity of your tooling decisions.
With a shared format, this is much less of a problem. SARIF is built on JSON, so it's easy to transport and parse. Existing platforms and tools like Visual Studio Code, GitHub's CodeQL, SonarQube, Jenkins, Azure DevOps, and countless others offer built-in support or easily configurable extensions for consuming and exporting SARIF where needed.
When choosing a SAST offering, you'll want to confirm that it offers output in a portable format like SARIF to avoid any future compatibility issues.
Outputting SARIF with Bearer CLI
The Bearer action handles SARIF output to GitHub for you, but if you'd like to use SARIF output from Bearer CLI on your own, you can set the output format yourself. To do so, use the format flag on a scan.
You can also export to a file by combining this with the output flag.
This allows you to take the findings and integrate them into any platform that supports SARIF.
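Because SARIF is plain JSON, consuming a Bearer CLI report in your own tooling is a small parsing job. The following is an added example (not Bearer's code and not from this post): it reads a SARIF 2.1.0 document, joins each result to its rule definition, maps the rule's `security-severity` property onto the critical/high/medium/low buckets GitHub uses when displaying code scanning alerts, drops results that carry a SARIF `suppressions` entry, and sorts the remainder so the most severe findings come first. The SARIF document embedded below is constructed by hand with hypothetical rule IDs and file paths so the example runs offline; in practice you would pass the contents of a file written with the format and output flags described above (assumed here to be `bearer scan . --format sarif --output bearer.sarif`).

```python
"""Parse a SARIF 2.1.0 report and summarize its findings by severity.

Added example, not Bearer's own code. It assumes a SARIF file such as one
produced by `bearer scan . --format sarif --output bearer.sarif`; the sample
document below is constructed by hand (hypothetical rule IDs and paths).
"""
import json
from collections import Counter

# Constructed sample: two rules, three results, one of them suppressed in-source.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",  # hypothetical tool name
            "rules": [
                {"id": "example_sql_injection",
                 "shortDescription": {"text": "Unsanitized input in SQL query"},
                 "helpUri": "https://example.invalid/rules/sql-injection",
                 "properties": {"security-severity": "8.0"}},
                {"id": "example_logging_secret",
                 "shortDescription": {"text": "Sensitive data in log output"},
                 "properties": {"security-severity": "3.5"}},
            ]}},
        "results": [
            {"ruleId": "example_sql_injection", "ruleIndex": 0, "level": "error",
             "message": {"text": "User input flows into a raw SQL statement"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example_logging_secret", "ruleIndex": 1, "level": "warning",
             "message": {"text": "Password written to application log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "example_logging_secret", "ruleIndex": 1, "level": "warning",
             "message": {"text": "Session token written to application log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/session.py"},
                 "region": {"startLine": 88}}}],
             "suppressions": [{"kind": "inSource"}]},
        ],
    }],
})

# Sort order used when ranking findings; "none" means no score was provided.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}


def bucket(score):
    """Map a SARIF 'security-severity' score (0.0-10.0) to the buckets GitHub
    documents for code scanning: critical >= 9.0, high >= 7.0, medium >= 4.0,
    low > 0.0. A missing score yields 'none'."""
    if score is None:
        return "none"
    value = float(score)
    if value >= 9.0:
        return "critical"
    if value >= 7.0:
        return "high"
    if value >= 4.0:
        return "medium"
    if value > 0.0:
        return "low"
    return "none"


def load_findings(sarif_text, include_suppressed=False):
    """Return a list of flattened findings, most severe first."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {rule["id"]: rule for rule in rules}
        for result in run.get("results", []):
            # A result with any suppression entry has been dismissed by the tool or
            # in source; skip it unless the caller asks to see everything.
            if result.get("suppressions") and not include_suppressed:
                continue
            # Resolve the rule by id, falling back to ruleIndex as SARIF allows.
            rule = rules_by_id.get(result.get("ruleId"))
            if rule is None and "ruleIndex" in result:
                rule = rules[result["ruleIndex"]]
            rule = rule or {}
            location = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId"),
                "title": rule.get("shortDescription", {}).get("text", ""),
                "severity": bucket(rule.get("properties", {}).get("security-severity")),
                "level": result.get("level", "warning"),  # SARIF default level
                "file": location.get("artifactLocation", {}).get("uri"),
                "line": location.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
                "help": rule.get("helpUri"),
            })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["file"] or "", f["line"] or 0))
    return findings


def severity_counts(findings):
    """Count findings per severity bucket, e.g. {'high': 1, 'low': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for finding in load_findings(SAMPLE_SARIF):
        print(f"{finding['severity']:<8} {finding['file']}:{finding['line']}  "
              f"{finding['rule']}  {finding['message']}")
    print(severity_counts(load_findings(SAMPLE_SARIF)))
```

The same flattening is what a ticketing or dashboard integration needs: rule, severity bucket, file and line, message, and a help link. Keeping suppressed results out by default mirrors how a dismissed alert should not reappear as open work, while `include_suppressed=True` lets an auditor review what was dismissed.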
For detailed instructions on updating to the latest version of Bearer CLI, see the upgrade documentation for your platform.
More to come
GitHub code scanning with SARIF support is the direct result of suggestions and feedback from users like you. Be the first to know about new releases by starring the repo on GitHub. We'd love to hear how you use it to make your applications more secure at the earliest stages of product development. Let us know in the community Discord and on Twitter.