Code security scanning tool (SAST) that discovers, filters and prioritizes security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD).

sainadh06/bearer

Code security scanner that natively filters and prioritizes security risks using sensitive data flow analysis.



Bearer provides built-in rules against a common set of security risks and vulnerabilities, known as the OWASP Top 10. Here are some practical examples of what those rules look for:

  • Non-filtered user input.
  • Leakage of sensitive data through cookies, internal loggers, third-party logging services, and into analytics environments.
  • Usage of weak encryption libraries or misusage of encryption algorithms.
  • Unencrypted incoming and outgoing communication (HTTP, FTP, SMTP) of sensitive information.
  • Hard-coded secrets and tokens.

And many more.

Bearer is Open Source (see license) and fully customizable, from creating your own rules to component detection (database, API) and data classification.

Bearer also powers our commercial offering, Bearer Cloud, allowing security teams to scale and monitor their application security program using the same engine.

🚀 Getting started

Discover your most critical security risks and vulnerabilities in only a few minutes. In this guide, you will install Bearer, run a scan on a local project, and view the results. Let's get started!

Install Bearer

The quickest way to install Bearer is with the install script. It will auto-select the best build for your architecture. Installation defaults to ./bin and to the latest release version:

curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh

Other install options

Homebrew

Using Bearer's official Homebrew tap:

brew install bearer/tap/bearer

Debian/Ubuntu

  $ sudo apt-get install apt-transport-https
  $ echo "deb [trusted=yes] https://apt.fury.io/bearer/ /" | sudo tee -a /etc/apt/sources.list.d/fury.list
  $ sudo apt-get update
  $ sudo apt-get install bearer

RHEL/CentOS

Add repository setting:

  $ sudo vim /etc/yum.repos.d/fury.repo

  [fury]
  name=Gemfury Private Repo
  baseurl=https://yum.fury.io/bearer/
  enabled=1
  gpgcheck=0

Then install with yum:

  $ sudo yum -y update
  $ sudo yum -y install bearer

Docker

Bearer is also available as a Docker image on Docker Hub and ghcr.io.

With Docker installed, you can run the following command with the appropriate paths in place of the examples.

docker run --rm -v /path/to/repo:/tmp/scan bearer/bearer:latest-amd64 scan /tmp/scan

Additionally, you can use docker compose. Add the following to your docker-compose.yml file and replace the volumes with the appropriate paths for your project:

  version: "3"
  services:
    bearer:
      platform: linux/amd64
      image: bearer/bearer:latest-amd64
      volumes:
        - /path/to/repo:/tmp/scan

Then, run the docker compose run command to run Bearer with any specified flags:

docker compose run bearer scan /tmp/scan --debug

Binary

Download the archive file for your operating system/architecture from here.

Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has permission to execute.


Scan your project

The easiest way to try out Bearer is with our example project, Bear Publishing. It simulates a realistic Ruby application with common security flaws. Clone or download it to a convenient location to get started.

git clone https://github.com/Bearer/bear-publishing.git

Now, run the scan command with bearer scan on the project directory:

bearer scan bear-publishing

A progress bar will display the status of the scan.

Once the scan is complete, Bearer will output a security report with details of any rule failures, as well as where in the codebase the infractions happened and why.

By default, the scan command uses the SAST scanner; other scanner types are available.

Analyze the report

The security report is an easily digestible view of the security issues detected by Bearer. A report is made up of:

  • The list of rules run against your code.
  • Each detected failure, containing the file location and lines that triggered the rule failure.
  • A stat section with a summary of rules checks, failures and warnings.

The Bear Publishing example application will trigger rule failures and output a full report. Here's a section of the output:

  ...
  CRITICAL: Only communicate using SFTP connections.
  https://docs.bearer.com/reference/rules/ruby_lang_insecure_ftp
  File: bear-publishing/app/services/marketing_export.rb:34

   34     Net::FTP.open(
   35       'marketing.example.com',
   36       'marketing',
   37       'password123'
   ...
   41     end

  =====================================

  56 checks, 10 failures, 6 warnings

  CRITICAL: 7
  HIGH: 0
  MEDIUM: 0
  LOW: 3
  WARNING: 6

The security report is just one report type available in Bearer.

Additional options for using and configuring the scan command can be found in the scan documentation.

For additional guides and usage tips, view the docs.

❓ FAQs

How do you detect sensitive data flows from the code?

When you run Bearer on your codebase, it discovers and classifies data by identifying patterns in the source code. Specifically, it looks for data types and matches against them. Most importantly, it never views the actual values (it just can’t)—but only the code itself.

Bearer assesses 120+ data types from sensitive data categories such as Personal Data (PD), Sensitive PD, Personally identifiable information (PII), and Personal Health Information (PHI). You can view the full list in the supported data types documentation.

In a nutshell, our static code analysis is performed on two levels:

  • Analyzing class names, methods, functions, variables, properties, and attributes. It then ties those together to detected data structures. It does variable reconciliation etc.
  • Analyzing data structure definition files such as OpenAPI, SQL, GraphQL, and Protobuf.

Bearer then passes this over to the classification engine we built to support this very particular discovery process.

If you want to learn more, here is the longer explanation.

When and where to use Bearer?

We recommend running Bearer in your CI to check new PRs automatically for security issues, so your development team has a direct feedback loop to fix issues immediately.

You can also integrate Bearer in your CD, though we recommend making it fail only on high-criticality issues, as the impact for your organization could be significant.

In addition, running Bearer as a scheduled job is a great way to keep track of your security posture and make sure new security issues are found even in projects with low activity.
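The CI/CD gating described above needs something that reads Bearer's output and decides whether the pipeline fails. This added example (not code from the Bearer project) parses the text report format shown in the "Analyze the report" section, counts findings per severity, and fails only on the severities you choose; the embedded report is a constructed sample based on that excerpt.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the report excerpt shown in this README.
SAMPLE_REPORT = """\
CRITICAL: Only communicate using SFTP connections.
https://docs.bearer.com/reference/rules/ruby_lang_insecure_ftp
File: bear-publishing/app/services/marketing_export.rb:34

 34     Net::FTP.open(
 35       'marketing.example.com',
=====================================
56 checks, 10 failures, 6 warnings
CRITICAL: 7
HIGH: 0
MEDIUM: 0
LOW: 3
WARNING: 6
"""

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "WARNING")
# Summary lines are "SEVERITY: <count>"; finding headers are "SEVERITY: <rule title>"
# followed by an optional docs URL and a "File: <path>:<line>" line.
_SUMMARY_RE = re.compile(r"^(CRITICAL|HIGH|MEDIUM|LOW|WARNING):\s*(\d+)\s*$", re.M)
_FINDING_RE = re.compile(
    r"^(CRITICAL|HIGH|MEDIUM|LOW|WARNING): (?!\d+\s*$)(.+)$\n"
    r"(?:https?://\S+\n)?File: (\S+?):(\d+)", re.M)
_TOTALS_RE = re.compile(r"^(\d+) checks, (\d+) failures, (\d+) warnings", re.M)

@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    path: str
    line: int

def parse_findings(report):
    """Return one Finding per rule failure header in the text report."""
    return [Finding(s, t, p, int(n)) for s, t, p, n in _FINDING_RE.findall(report)]

def parse_summary(report):
    """Return {severity: count} from the summary block at the end of the report."""
    counts = {s: 0 for s in SEVERITIES}
    for sev, n in _SUMMARY_RE.findall(report):
        counts[sev] = int(n)
    return counts

def parse_totals(report):
    """Return (checks, failures, warnings) from the totals line, or None."""
    m = _TOTALS_RE.search(report)
    return tuple(int(x) for x in m.groups()) if m else None

def should_fail(counts, fail_on=("CRITICAL", "HIGH")):
    """CD-style gate: fail only when a chosen severity has at least one finding."""
    return any(counts.get(s, 0) > 0 for s in fail_on)
```

Run the gate on a real scan by feeding it the output of bearer scan; widening fail_on to include LOW or WARNING gives the stricter PR-time behaviour the guide recommends for CI.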

Supported Languages

Bearer currently supports JavaScript and Ruby and their most commonly used frameworks and libraries. More languages will follow.

What makes Bearer different from any other SAST tools?

SAST tools are known to bury security teams and developers under hundreds of issues with little context and no sense of priority, often requiring security analysts to triage issues. Not Bearer.

The most vulnerable asset today is sensitive data, so we start there and prioritize application security risks and vulnerabilities by assessing sensitive data flows in your code to highlight what is urgent, and what is not.

We believe that by linking security issues with a clear business impact and risk of a data breach, or data leak, we can build better and more robust software, at no extra cost.

In addition, by being Open Source, extendable by design, and built with a great developer UX in mind, we bet you will see the difference for yourself.

How long does it take to scan my code? Is it fast?

It depends on the size of your applications. It can take as little as 20 seconds, up to a few minutes for an extremely large code base. We’ve added an internal caching layer that only looks at delta changes to allow quick, subsequent scans.

Running Bearer should not take more time than running your test suite.

What about false positives?

If you’re familiar with other SAST tools, false positives are always a possibility.

By using the most modern static code analysis techniques and providing a native filtering and prioritizing solution on the most important issues, we believe this problem won’t be a concern when using Bearer.

✋ Get in touch

Thanks for using Bearer. Still have questions?

🤝 Contributing

Interested in contributing? We're here for it! For details on how to contribute, setting up your development environment, and our processes, review the contribution guide.

🚨 Code of conduct

Everyone interacting with this project is expected to follow the guidelines of our code of conduct.

🛡️ Security

To report a vulnerability or suspected vulnerability, see our security policy. For any questions, concerns or other security matters, feel free to open an issue or join the Discord Community.

🎓 License

Bearer code is licensed under the terms of the Elastic License 2.0 (ELv2), which means you can use it freely inside your organization to protect your applications without any commercial requirements.

You are not allowed to provide Bearer to third parties as a hosted or managed service without the explicit approval of Bearer Inc.
