bearer.yml

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# This workflow file requires a free account on Bearer.com to manage findings, notifications and more.
# See https://docs.bearer.com/guides/bearer-cloud/
name: Bearer

on:
  push:
    branches: ["master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["master"]
  schedule:
    - cron: '30 23 * * 6'

permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

jobs:
  bearer:
    runs-on: ubuntu-latest
    steps:
      # Checkout project source
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      # Scan code using Bearer CLI
      - name: Run Report
        id: report
        uses: bearer/bearer-action@828eeb928ce2f4a7ca5ed57fb8b59508cb8c79bc
        with:
          api-key: ${{ secrets.BEARER_TOKEN }}
          format: sarif
          output: results.sarif
          exit-code: 0
      # Upload SARIF file generated in previous step
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2
        with:
          sarif_file: results.sarif