This add-on integrates Bearer, a powerful static application security testing (SAST) tool, directly into your DDEV project.
It allows you to scan your source code for security and privacy vulnerabilities without leaving the DDEV workflow.
- Early Detection: Discover security vulnerabilities in your codebase during development
- Comprehensive Coverage: Detects risks based on OWASP Top 10 and CWE Top 25 standards
- Data Flow Analysis: Analyzes your source code's data flows to identify security and privacy risks
- Flexible Scanning: Customize scans by severity level, scanner type, and context
- Built-in Rules: Pre-configured rules for common security vulnerabilities
- Multi-Scanner Support: Scan for various vulnerability types including secrets, credentials, and OWASP violations
- Severity Filtering: Focus on critical and high-severity issues or customize to your needs
- Configurable Rules: Customize scanning behavior through
bearer.ymlconfiguration file - Fingerprint-based Ignore Management: Mark specific findings as false positives and track them with author and comment metadata
- Context-Aware Scanning: Run scans with specific contexts (e.g., health, payment) for targeted analysis
ddev add-on get massiws/ddev-bearer
ddev restart
# Generates a default config to `bearer.yml`
ddev bearer initAfter installation, you may want to customize the default configuration settings by editing the bearer.yml file:
see Bearer configuration docs for more information.
Important: Restart DDEV after making changes to the bearer.yml file.
Make sure to commit the .ddev directory and the bearer.yml file to version control.
| Command | Description |
|---|---|
ddev bearer |
Display available commands and usage information |
ddev bearer scan . |
Scan entire project using default configuration in bearer.yml |
ddev bearer scan . --severity critical,high |
Scan only for critical and high-severity issues |
ddev bearer scan . --scanner=secrets |
Scan specifically for hardcoded credentials and secrets |
ddev bearer scan <path/to/file> --context=health |
Scan specific file/folder with custom context (health, payment, finance, etc.) |
ddev bearer ignore add <fingerprint> --author "Your Name" --comment "Reason" |
Add fingerprint to ignore file and track with author/comment metadata |
Auto-fill Author in Ignore Commands: To avoid specifying the author repeatedly, configure your Git username in DDEV globals:
ln -s $HOME/.gitconfig $HOME/.ddev/homeadditions/.gitconfigThis will automatically use your Git username for all ddev bearer ignore commands.
For comprehensive information, refer to the Bearer CLI documentation:
Contributed and maintained by @massiws
For issues, feature requests, or contributions, please visit the GitHub repository.