bearer.yml

# This workflow file requires a free account on Bearer.com to manage findings, notifications and more.
#
# See https://docs.bearer.com/guides/bearer-cloud/

name: Bearer

on:
  push:
    branches: [$default-branch, $protected-branches]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [$default-branch]
  schedule:
    - cron: $cron-weekly

permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

jobs:
  bearer:
    runs-on: ubuntu-latest
    steps:
      # Checkout project source
      - uses: actions/checkout@v3
      # Scan code using Bearer CLI
      - name: Run Report
        id: report
        uses: bearer/bearer-action@v2
        with:
          api-key: ${{ secrets.BEARER_TOKEN }}
          format: sarif
          output: results.sarif
      # Upload SARIF file generated in previous step
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif