
Bearer

Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.


README

<div align="center">
<a href="https://cycode.com/cygives/" alt="Bearer is part of Cygives, the community hub for free & open developer security tools."/>
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./docs/assets/img/Cygives-darkmode.svg">
<img alt="Cygives Banner" src="./docs/assets/img/Cygives-lightmode.svg">
</picture>
</a>
<br/>
<br/>
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./docs/assets/img/bearer-logo-dark.svg">
<img alt="Bearer" src="./docs/assets/img/bearer-logo-light.svg">
</picture>
<br />
<hr/>
Scan your source code against top <strong>security</strong> and <strong>privacy</strong> risks.
<br /><br />
Bearer is a static application security testing (SAST) tool designed to scan your source code and analyze data flows to identify, filter, and prioritize security and privacy risks.
<br/><br/>
Bearer offers a free, open solution, Bearer CLI, and a commercial solution, Bearer Pro, available through <a href="https://cycode.com/">Cycode</a>.
<br /><br />

Getting Started - FAQ - Documentation - Report a Bug


</div>

Language Support

Bearer CLI (Open Source): Go • Java • JavaScript • TypeScript • PHP • Python • Ruby

Bearer Pro by Cycode: All Bearer CLI languages plus:

  • Advanced Cross-file Analysis: Java • Python • C# (alpha)
  • Additional Languages: C# • Kotlin • Elixir • VB.Net

<a href="https://docs.bearer.com/reference/supported-languages/">Learn more about language support</a>

Developer friendly static code analysis for security and privacy

https://user-images.githubusercontent.com/1649672/230438696-9bb0fd35-2aa9-4273-9970-733189d01ff1.mp4

Bearer CLI scans your source code for:

  • Security risks and vulnerabilities using built-in rules covering the OWASP Top 10 and CWE Top 25, such as:

    • A01: Access control (e.g. Path Traversal, Open Redirect, Exposure of Sensitive Information).
    • A02: Cryptographic Failures (e.g. Weak Algorithm, Insecure Communication).
    • A03: Injection (e.g. SQL Injection, Input Validation, XSS, XPath).
    • A04: Design (e.g. Missing Encryption of Sensitive Data, Persistent Cookies Containing Sensitive Information).
    • A05: Security Misconfiguration (e.g. Cleartext Storage of Sensitive Information in a Cookie or JWT).
    • A07: Identification and Authentication Failures (e.g. Use of Hard-coded Password, Improper Certificate Validation).
    • A08: Data Integrity Failures (e.g. Deserialization of Untrusted Data).
    • A09: Security Logging and Monitoring Failures (e.g. Insertion of Sensitive Information into Log File).
    • A10: Server-Side Request Forgery (SSRF).

    Note: all the rules and their code patterns are accessible through the documentation.

  • Privacy risks, by detecting sensitive data flows such as the use of PII or PHI in your app and the components that process sensitive data (e.g. databases like pgSQL, third-party APIs such as OpenAI, Sentry, etc.). This helps generate a privacy report relevant for:

    • Privacy Impact Assessment (PIA).
    • Data Protection Impact Assessment (DPIA).
    • Records of Processing Activities (RoPA) input for GDPR compliance reporting.

:rocket: Getting started

Discover your most critical security risks and vulnerabilities in only a few minutes. In this guide, you will install Bearer CLI, run a security scan on a local project, and view the results. Let's get started!

Install Bearer CLI

The quickest way to install Bearer CLI is with the install script. It auto-selects the best build for your architecture and, by default, installs the latest release version to ./bin:

curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh

Other install options

<details> <summary>Homebrew</summary>

Using Bearer CLI's official Homebrew tap:

brew install bearer/tap/bearer

Update an existing installation with the following:

brew update && brew upgrade bearer/tap/bearer
</details> <details> <summary>Debian/Ubuntu</summary>

sudo apt-get update && sudo apt-get install ca-certificates -y && sudo update-ca-certificates
sudo apt-get install apt-transport-https
echo -e "Types: deb\nURIs: https://apt.fury.io/bearer/\nSuites: /\nTrusted: yes" | sudo tee /etc/apt/sources.list.d/fury.sources
sudo apt-get update
sudo apt-get install bearer

Update an existing installation with the following:

sudo apt-get update
sudo apt-get install bearer
</details> <details> <summary>RHEL/CentOS</summary>

Add repository setting:

$ sudo vim /etc/yum.repos.d/fury.repo
[fury]
name=Gemfury Private Repo
baseurl=https://yum.fury.io/bearer/
enabled=1
gpgcheck=0

Then install with yum:

sudo yum -y update
sudo yum -y install bearer

Update an existing installation with the following:

sudo yum -y update bearer
</details> <details> <summary>Docker</summary>

Bearer CLI is also available as a Docker image on Docker Hub and ghcr.io.

With Docker installed, you can run the following command, substituting your own paths for the example ones.

docker run --rm -v /path/to/repo:/tmp/scan bearer/bearer:latest-amd64 scan /tmp/scan

Additionally, you can use docker compose. Add the following to your docker-compose.yml file and replace the volumes with the appropriate paths for your project:

version: "3"
services:
  bearer:
    platform: linux/amd64
    image: bearer/bearer:latest-amd64
    volumes:
      - /path/to/repo:/tmp/scan

Then, run the docker compose run command to run Bearer CLI with any specified flags:

docker compose run bearer scan /tmp/scan --debug

The Docker configurations above will always use the latest release.

</details> <details> <summary>Binary</summary>

Download the archive file for your operating system/architecture from here.

Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has permission to execute.

To update Bearer CLI when using the binary, download the latest release and overwrite your existing installation location.

</details> <br/>

Scan your project

The easiest way to try out Bearer CLI is with the OWASP Juice Shop example project. It simulates a realistic JavaScript application with common security flaws. Clone or download it to a convenient location to get started.

git clone https://github.com/juice-shop/juice-shop.git

Now run bearer scan on the project directory:

bearer scan juice-shop

A progress bar will display the status of the scan.

Once the scan is complete, Bearer CLI will output, by default, a security report with details of any rule findings, as well as where in the codebase the infractions happened and why.

By default the scan command uses the SAST scanner; other scanner types are available.

Analyze the report

The security report is an easily digestible view of the security issues detected by Bearer CLI. A report is made up of:

  • The list of rules run against your code.
  • Each detected finding, containing the file location and lines that triggered the rule finding.
  • A stat section with a summary of rules checks, findings and warnings.

The OWASP Juice Shop example application will trigger rule findings and output a full report. Here's a section of the output:

...
HIGH: Sensitive data stored in HTML local storage detected. [CWE-312]
https://docs.bearer.com/reference/rules/javascript_lang_session
To skip this rule, use the flag --skip-rule=javascript_lang_session

File: juice-shop/frontend/src/app/login/login.component.ts:102

 102       localStorage.setItem('email', this.user.email)


=====================================

59 checks, 40 findings

CRITICAL: 0
HIGH: 16 (CWE-22, CWE-312, CWE-798, CWE-89)
MEDIUM: 24 (CWE-327, CWE-548, CWE-79)
LOW: 0
WARNING: 0
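The text report above is what Bearer CLI prints by default, and teams often want to turn it into structured data (for example, to fail a CI job only on findings at or above a chosen severity). The following is an added example, not part of the Bearer project: a small parser for the report layout shown in the excerpt above, plus a severity gate. It assumes only the line shapes visible in that excerpt (the `SEVERITY: title [CWE-n]` header, the `--skip-rule=` hint, the `File: path:line` location, the `N checks, M findings` total and the per-severity summary lines); the sample report is constructed from that excerpt, and its second finding (rule id `hypothetical_rule_id`) is invented for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the report excerpt in the README above.
# The second finding is hypothetical and not real Bearer output.
SAMPLE_REPORT = """\
HIGH: Sensitive data stored in HTML local storage detected. [CWE-312]
https://docs.bearer.com/reference/rules/javascript_lang_session
To skip this rule, use the flag --skip-rule=javascript_lang_session

File: juice-shop/frontend/src/app/login/login.component.ts:102

 102       localStorage.setItem('email', this.user.email)


MEDIUM: Cookie set without the Secure attribute. [CWE-614]
https://docs.bearer.com/reference/rules/hypothetical_rule_id
To skip this rule, use the flag --skip-rule=hypothetical_rule_id

File: juice-shop/server.ts:40

 40       res.cookie('token', token)


=====================================

59 checks, 40 findings

CRITICAL: 0
HIGH: 16 (CWE-22, CWE-312, CWE-798, CWE-89)
MEDIUM: 24 (CWE-327, CWE-548, CWE-79)
LOW: 0
WARNING: 0
"""

# Severities in descending order of importance, as used in the summary block.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "WARNING")

FINDING_RE = re.compile(r"^(CRITICAL|HIGH|MEDIUM|LOW|WARNING): (.+?) \[(CWE-\d+)\]$")
SKIP_RE = re.compile(r"--skip-rule=(\S+)")
FILE_RE = re.compile(r"^File: (.+):(\d+)$")
TOTALS_RE = re.compile(r"^(\d+) checks, (\d+) findings$")
SUMMARY_RE = re.compile(r"^(CRITICAL|HIGH|MEDIUM|LOW|WARNING): (\d+)(?: \((.*)\))?$")


@dataclass
class Finding:
    severity: str
    title: str
    cwe: str
    rule_id: str = ""
    doc_url: str = ""
    path: str = ""
    line: int = 0


@dataclass
class Report:
    findings: list = field(default_factory=list)
    checks: int = 0
    total_findings: int = 0
    # severity -> (count, [CWE ids listed in the summary line])
    summary: dict = field(default_factory=dict)


def parse_report(text):
    """Parse the default text report into a Report of findings plus the summary block."""
    report = Report()
    current = None  # the finding whose detail lines we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("====="):
            current = None  # separator: finding details are over
            continue
        m = FINDING_RE.match(line)
        if m:
            current = Finding(severity=m.group(1), title=m.group(2), cwe=m.group(3))
            report.findings.append(current)
            continue
        if current is not None:
            if line.startswith("https://"):
                current.doc_url = line
                continue
            m = SKIP_RE.search(line)
            if m:
                current.rule_id = m.group(1)
                continue
            m = FILE_RE.match(line)
            if m:
                current.path, current.line = m.group(1), int(m.group(2))
                continue
        m = TOTALS_RE.match(line)
        if m:
            report.checks, report.total_findings = int(m.group(1)), int(m.group(2))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            cwes = [c.strip() for c in m.group(3).split(",")] if m.group(3) else []
            report.summary[m.group(1)] = (int(m.group(2)), cwes)
    return report


def findings_at_or_above(report, threshold="HIGH"):
    """Return the parsed findings whose severity is at least `threshold`."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    return [f for f in report.findings if rank[f.severity] <= rank[threshold]]


def should_fail(report, threshold="HIGH"):
    """CI gate: True when any finding is at or above the chosen severity."""
    return bool(findings_at_or_above(report, threshold))


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    for f in findings_at_or_above(r, "HIGH"):
        print(f"{f.severity} {f.cwe} {f.rule_id} {f.path}:{f.line}")
    print("fail build:", should_fail(r, "HIGH"))
```

The gate is deliberately driven by the per-finding headers rather than the summary counts, so a finding suppressed later with `--skip-rule` disappears from both the output and the gate, and the summary block is kept only for reporting.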

In addition to the security report, you can also run a privacy report.

Ready for the next step? Additional options for using and configuring the scan command can be found in configuring the scan command.

For more guides and usage tips, view the docs.

:question: FAQs

What makes Bearer CLI different from any other SAST tools?

SAST tools are known to bury security teams and developers under hundreds of issues with little context and no sense of priority, often requiring security analysts to triage issues manually.

The most vulnerable asset today is sensitive data, so we start there and prioritize findings by assessing sensitive data flows to highlight what is more critical, and what is not. This unique ability allows us to provide you with a privacy scanner too.

We

View on GitHub

GitHub Stars: 2.6k
Category: Legal
Updated: 1h ago
Forks: 145
Languages: Go

Security Score: 85/100

Audited on Mar 30, 2026

No findings