Repository files navigation

---

Scan your source code against topsecurity andprivacy risks.

Bearer is a static application security testing (SAST) tool designed to scan your source code and analyze data flows to identify, filter, and prioritize security and privacy risks.

Bearer offers a free, open solution, Bearer CLI, and a commercial solution, Bearer Pro, available throughCycode.

Getting Started -FAQ -Documentation -Report a Bug -Discord Community

Bearer CLI: Go • Java • JavaScript • TypeScript • PHP • Python • Ruby
Bearer Pro by Cycode: C# • Kotlin • Elixir+ everything in Bearer OSS

Learn more about language suppport

Bearer CLI scans your source code for:

• Security risks and vulnerabilities usingbuilt-in rules covering theOWASP Top 10 andCWE Top 25, such as:

  • A01: Access control (e.g. Path Traversal, Open Redirect, Exposure of Sensitive Information).
  • A02: Cryptographic Failures (e.g. Weak Algorithm, Insecure Communication).
  • A03: Injection (e.g. SQL Injection, Input Validation, XSS, XPath).
  • A04: Design (e.g. Missing Encryption of Sensitive Data, Persistent Cookies Containing Sensitive Information).
  • A05: Security Misconfiguration (e.g. Cleartext Storage of Sensitive Information in a Cookie or JWT).
  • A07: Identification and Authentication Failures (e.g. Use of Hard-coded Password, Improper Certificate Validation).
  • A08: Data Integrity Failures (e.g. Deserialization of Untrusted Data).
  • A09: Security Logging and Monitoring Failures (e.g. Insertion of Sensitive Information into Log File).
  • A10: Server-Side Request Forgery (SSRF).

  Note: all the rules and their code patterns are accessible through thedocumentation.

• Privacy risks with the ability to detectsensitive data flow such as the use of PII, PHI in your app, andcomponents processing sensitive data (e.g. databases like pgSQL, third-party APIs such as OpenAI, Sentry, etc.). This helps generate aprivacy report relevant for:

  • Privacy Impact Assessment (PIA).
  • Data Protection Impact Assessment (DPIA).
  • Records of Processing Activities (RoPA) input for GDPR compliance reporting.

Discover your most critical security risks and vulnerabilities in only a few minutes. In this guide, you will install Bearer CLI, run a security scan on a local project, and view the results. Let's get started!

The quickest way to install Bearer CLI is with the install script. It will auto-select the best build for your architecture.Defaults installation to./bin and to the latest release version:

curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh| sh

brew install bearer/tap/bearer

brew update&& brew upgrade bearer/tap/bearer

sudo apt-get install apt-transport-httpsecho"deb [trusted=yes] https://apt.fury.io/bearer/ /"| sudo tee -a /etc/apt/sources.list.d/fury.listsudo apt-get updatesudo apt-get install bearer

sudo apt-get updatesudo apt-get install bearer

$ sudo vim /etc/yum.repos.d/fury.repo[fury]name=Gemfury Private Repobaseurl=https://yum.fury.io/bearer/enabled=1gpgcheck=0

  sudo yum -y update  sudo yum -y install bearer

sudo yum -y update bearer

docker run --rm -v /path/to/repo:/tmp/scan bearer/bearer:latest-amd64 scan /tmp/scan

version:"3"services:bearer:platform:linux/amd64image:bearer/bearer:latest-amd64volumes:      -/path/to/repo:/tmp/scan

docker compose run bearer scan /tmp/scan --debug

The easiest way to try out Bearer CLI is with the OWASPJuice Shop example project. It simulates a realistic JavaScript application with common security flaws. Clone or download it to a convenient location to get started.

git clone https://github.com/juice-shop/juice-shop.git

Now, run the scan command withbearer scan on the project directory:

bearer scan juice-shop

A progress bar will display the status of the scan.

Once the scan is complete, Bearer CLI will output, by default, a security report with details of any rule findings, as well as where in the codebase the infractions happened and why.

By default thescan command use the SAST scanner, otherscanner types are available.

The security report is an easily digestible view of the security issues detected by Bearer CLI. A report is made up of:

• The list ofrules run against your code.
• Each detected finding, containing the file location and lines that triggered the rule finding.
• A stat section with a summary of rules checks, findings and warnings.

TheOWASP Juice Shop example application will trigger rule findings and output a full report. Here's a section of the output:

...HIGH: Sensitive data stored in HTML local storage detected. [CWE-312]https://docs.bearer.com/reference/rules/javascript_lang_sessionTo skip this rule, use the flag --skip-rule=javascript_lang_sessionFile: juice-shop/frontend/src/app/login/login.component.ts:102 102       localStorage.setItem('email', this.user.email)=====================================59 checks, 40 findingsCRITICAL: 0HIGH: 16 (CWE-22, CWE-312, CWE-798, CWE-89)MEDIUM: 24 (CWE-327, CWE-548, CWE-79)LOW: 0WARNING: 0

In addition of the security report, you can also run aprivacy report.

Ready for the next step? Additional options for using and configuring thescan command can be found inconfiguring the scan command.

For more guides and usage tips,view the docs.

SAST tools are known to bury security teams and developers under hundreds of issues with little context and no sense of priority, often requiring security analysts to triage issues manually.

The most vulnerable asset today is sensitive data, so we start there andprioritize findings by assessing sensitive data flows to highlight what is more critical, and what is not. This unique ability allows us to provide you with a privacy scanner too.

We believe that by linking security issues with a clear business impact and risk of a data breach, or data leak, we can build better and more robust software, at no extra cost.

In addition, by being Free and Open, extendable by design, and built with a great developer UX in mind, we bet you will see the difference for yourself.

In addition of detecting security flaws in your code, Bearer CLI allows you to automate the evidence gathering process needed to generate a privacy report for your compliance team.

When you run Bearer CLI on your codebase, it discovers and classifies data by identifying patterns in the source code. Specifically, it looks for data types and matches against them. Most importantly, it never views the actual values—it just can’t—but only the code itself. If you want to learn more, here is thelonger explanation.

Bearer CLI is able to identify over 120+ data types from sensitive data categories such as Personal Data (PD), Sensitive PD, Personally identifiable information (PII), and Personal Health Information (PHI). You can view the full list in thesupported data types documentation.

Finally, Bearer CLI also lets you detect components storing and processing sensitive data such as databases, internal APIs, and third-party APIs. See therecipe list for a complete list of components.

Bearer CLI currently supports:

Learn more about language support.

It depends on the size of your applications. It can take as little as 20 seconds, up to a few minutes for an extremely large code base.

As a rule of thumb, Bearer CLI should never take more time than running your test suite.

In the case of CI integration, we provide a diff scan solution to make it even faster.Learn more.

If you’re familiar with SAST tools, false positives are always a possibility.

By using the most modern static code analysis techniques and providing a native filtering and prioritizing solution on the most important issues, we believe we have dramatically improved the overall SAST experience.

We strive to provide the best possible experience for our users.Learn more about how we achieve this.

We recommend running Bearer CLI in your CI to check new PRs automatically for security issues, so your development team has a direct feedback loop to fix issues immediately.

You can also integrate Bearer CLI in your CD, though we recommend setting it to only fail on high criticality issues, as the impact for your organization might be important.

In addition, running Bearer CLI as a scheduled job is a great way to keep track of your security posture and make sure new security issues are found even in projects with low activity.

Make sure to read ourintegration strategy guide for more information.

Thanks for using Bearer CLI. Still have questions?

• Start with thedocumentation.
• Have a question or need some help? Find the Bearer team onDiscord.
• Got a feature request or found a bug?Open a new issue.
• Found a security issue? Check out ourSecurity Policy for reporting details.
• Find out more at Bearer.com

Interested in contributing? We're here for it! For details on how to contribute, setting up your development environment, and our processes, review thecontribution guide.

Everyone interacting with this project is expected to follow the guidelines of ourcode of conduct.

To report a vulnerability or suspected vulnerability,see our security policy. For any questions, concerns or other security matters, feel free toopen an issue or join theDiscord Community.

Bearer CLI code is licensed under the terms of theElastic License 2.0 (ELv2), which means you can use it freely inside your organization to protect your applications without any commercial requirements.

You are not allowed to provide Bearer CLI to third parties as a hosted or managed service without the explicit approval of Bearer Inc.