{"id":13358882,"url":"https://github.com/bearer/bearer","last_synced_at":"2026-01-29T11:23:46.321Z","repository":{"id":64863986,"uuid":"542197924","full_name":"Bearer/bearer","owner":"Bearer","description":"Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.","archived":false,"fork":false,"pushed_at":"2025-03-03T02:38:07.000Z","size":24807,"stargazers_count":2208,"open_issues_count":14,"forks_count":120,"subscribers_count":20,"default_branch":"main","last_synced_at":"2025-03-07T09:51:24.209Z","etag":null,"topics":["appsec","code-quality","compliance","dataflow","devsecops","devsecops-tools","gdpr","owasp","privacy","sast","security","security-audit","security-automation","security-scanner","security-tools","static-analysis","static-code-analysis","vulnerabilities","vulnerability"],"latest_commit_sha":null,"homepage":"https://docs.bearer.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Bearer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-27T17:02:45.000Z","updated_at":"2025-03-06T16:53:23.000Z","dependencies_parsed_at":"2023-10-03T22:20:37.893Z","dependency_job_id":"e87ad712-82a7-480d-8e94-2ddc461f99f7","html_url":"https://github.com/Bearer/bearer","commit_stats":{"total_commits":711,"total_committers":16,"mean_commits":44.4375,"dds":0.7735583684950773,"last_synced_commit":"2a8846e2495cf41395fbf785a7f69d4f1783b981"},"previous_names":["bearer/curio"],"tags_count":167,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bearer%2Fbearer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bearer%2Fbearer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bearer%2Fbearer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bearer%2Fbearer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Bearer","download_url":"https://codeload.github.com/Bearer/bearer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243217889,"owners_count":20255616,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","code-quality","compliance","dataflow","devsecops","devsecops-tools","gdpr","owasp","privacy","sast","security","security-audit","security-automation","security-scanner","security-tools","static-analysis","static-code-analysis","vulnerabilities","vulnerability"],"created_at":"2024-07-29T21:03:48.448Z","updated_at":"2026-01-16T05:48:12.495Z","avatar_url":"https://github.com/Bearer.png","language":"Go","funding_links":[],"categories":["开源类库","Multiple languages"],"sub_categories":["代码分析"],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://cycode.com/cygives/\" alt=\"Bearer is part of Cygives, the community hub for free \u0026 open developer security tools.\"/\u003e\n    \u003cpicture\u003e\n      \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"./docs/assets/img/Cygives-darkmode.svg\"\u003e\n      \u003cimg alt=\"Cygives Banner\" src=\"./docs/assets/img/Cygives-lightmode.svg\"\u003e\n    \u003c/picture\u003e\n  \u003c/a\u003e\n  \u003cbr/\u003e\n  \u003cbr/\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"./docs/assets/img/bearer-logo-dark.svg\"\u003e\n    \u003cimg alt=\"Bearer\" src=\"./docs/assets/img/bearer-logo-light.svg\"\u003e\n  \u003c/picture\u003e\n  \u003cbr /\u003e\n  \u003chr/\u003e\n    Scan your source code against top \u003cstrong\u003esecurity\u003c/strong\u003e and \u003cstrong\u003eprivacy\u003c/strong\u003e risks.\n  \u003cbr /\u003e\u003cbr /\u003e\n  Bearer is a static application security testing (SAST) tool designed to scan your source code and analyze data flows to identify, filter, and prioritize security and privacy risks.\n  \u003cbr/\u003e\u003cbr/\u003e\n  Bearer offers a free, open solution, Bearer CLI, and a commercial solution, Bearer Pro, available through \u003ca href=\"https://cycode.com/\"\u003eCycode\u003c/a\u003e.\n  \u003cbr /\u003e\u003cbr /\u003e\n\n[Getting Started](#rocket-getting-started) - [FAQ](#question-faqs) - [Documentation](https://docs.bearer.com) - [Report a Bug](https://github.com/Bearer/bearer/issues/new/choose)\n\n[![GitHub Release][release-img]][release]\n[![Test][test-img]][test]\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)\n\n\u003c/div\u003e\n\n## Language Support\n\n**Bearer CLI (Open Source)**: Go • Java • JavaScript • TypeScript • PHP • Python • Ruby\n\n**Bearer Pro by Cycode**: _All Bearer CLI languages plus:_\n- **Advanced Cross-file Analysis**: Java • Python • C# _(alpha)_\n- **Additional Languages**: C# • Kotlin • Elixir • VB.Net\n\n\n\u003ca href=\"https://docs.bearer.com/reference/supported-languages/\"\u003eLearn more about language support\u003c/a\u003e\n\n## Developer friendly static code analysis for security and privacy\n\n\n\u003chttps://user-images.githubusercontent.com/1649672/230438696-9bb0fd35-2aa9-4273-9970-733189d01ff1.mp4\u003e\n\nBearer CLI scans your source code for:\n\n- **Security risks and vulnerabilities** using [built-in rules](https://docs.bearer.com/reference/rules/) covering the [OWASP Top 10](https://owasp.org/www-project-top-ten/) and [CWE Top 25](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html), such as:\n\n  - A01: Access control (e.g. Path Traversal, Open Redirect, Exposure of Sensitive Information).\n  - A02: Cryptographic Failures (e.g. Weak Algorithm, Insecure Communication).\n  - A03: Injection (e.g. SQL Injection, Input Validation, XSS, XPath).\n  - A04: Design (e.g. Missing Encryption of Sensitive Data, Persistent Cookies Containing Sensitive Information).\n  - A05: Security Misconfiguration (e.g. Cleartext Storage of Sensitive Information in a Cookie or JWT).\n  - A07: Identification and Authentication Failures (e.g. Use of Hard-coded Password, Improper Certificate Validation).\n  - A08: Data Integrity Failures (e.g. Deserialization of Untrusted Data).\n  - A09: Security Logging and Monitoring Failures (e.g. Insertion of Sensitive Information into Log File).\n  - A10: Server-Side Request Forgery (SSRF).\n\n  _Note: all the rules and their code patterns are accessible through the [documentation](https://docs.bearer.com/reference/rules/)._\n\n- **Privacy risks** with the ability to detect [sensitive data flow](https://docs.bearer.com/explanations/discovery-and-classification/) such as the use of PII, PHI in your app, and [components](https://docs.bearer.com/reference/recipes/) processing sensitive data (e.g. databases like pgSQL, third-party APIs such as OpenAI, Sentry, etc.). This helps generate a [privacy report](https://docs.bearer.com/guides/privacy/) relevant for:\n  - Privacy Impact Assessment (PIA).\n  - Data Protection Impact Assessment (DPIA).\n  - Records of Processing Activities (RoPA) input for GDPR compliance reporting.\n\n## :rocket: Getting started\n\nDiscover your most critical security risks and vulnerabilities in only a few minutes. In this guide, you will install Bearer CLI, run a security scan on a local project, and view the results. Let's get started!\n\n### Install Bearer CLI\n\nThe quickest way to install Bearer CLI is with the install script. It will auto-select the best build for your architecture. _Defaults installation to `./bin` and to the latest release version_:\n\n```bash\ncurl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh\n```\n\n#### Other install options\n\n\u003cdetails\u003e\n  \u003csummary\u003eHomebrew\u003c/summary\u003e\n\nUsing [Bearer CLI's official Homebrew tap](https://github.com/Bearer/homebrew-tap):\n\n```bash\nbrew install bearer/tap/bearer\n```\n\nUpdate an existing installation with the following:\n\n```bash\nbrew update \u0026\u0026 brew upgrade bearer/tap/bearer\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003eDebian/Ubuntu\u003c/summary\u003e\n\n```shell\nsudo apt-get update \u0026\u0026 sudo apt-get install ca-certificates -y \u0026\u0026 sudo update-ca-certificates\nsudo apt-get install apt-transport-https\necho -e \"Types: deb\\nURIs: https://apt.fury.io/bearer/\\nSuites: /\\nTrusted: yes\" | sudo tee /etc/apt/sources.list.d/fury.sources\nsudo apt-get update\nsudo apt-get install bearer\n```\n\nUpdate an existing installation with the following:\n\n```bash\nsudo apt-get update\nsudo apt-get install bearer\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003eRHEL/CentOS\u003c/summary\u003e\n\nAdd repository setting:\n\n```shell\n$ sudo vim /etc/yum.repos.d/fury.repo\n[fury]\nname=Gemfury Private Repo\nbaseurl=https://yum.fury.io/bearer/\nenabled=1\ngpgcheck=0\n```\n\nThen install with yum:\n\n```shell\n  sudo yum -y update\n  sudo yum -y install bearer\n```\n\nUpdate an existing installation with the following:\n\n```bash\nsudo yum -y update bearer\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003eDocker\u003c/summary\u003e\n\nBearer CLI is also available as a Docker image on [Docker Hub](https://hub.docker.com/r/bearer/bearer) and [ghcr.io](https://github.com/bearer/bearer/pkgs/container/bearer).\n\nWith docker installed, you can run the following command with the appropriate paths in place of the examples.\n\n```bash\ndocker run --rm -v /path/to/repo:/tmp/scan bearer/bearer:latest-amd64 scan /tmp/scan\n```\n\nAdditionally, you can use docker compose. Add the following to your `docker-compose.yml` file and replace the volumes with the appropriate paths for your project:\n\n```yml\nversion: \"3\"\nservices:\n  bearer:\n    platform: linux/amd64\n    image: bearer/bearer:latest-amd64\n    volumes:\n      - /path/to/repo:/tmp/scan\n```\n\nThen, run the `docker compose run` command to run Bearer CLI with any specified flags:\n\n```bash\ndocker compose run bearer scan /tmp/scan --debug\n```\n\nThe Docker configurations above will always use the latest release.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003eBinary\u003c/summary\u003e\n\nDownload the archive file for your operating system/architecture from [here](https://github.com/Bearer/bearer/releases/latest/).\n\nUnpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like). Make sure it has permission to execute.\n\nTo update Bearer CLI when using the binary, download the latest release and overwrite your existing installation location.\n\n\u003c/details\u003e\n\u003cbr/\u003e\n\n### Scan your project\n\nThe easiest way to try out Bearer CLI is with the OWASP [Juice Shop](https://github.com/juice-shop/juice-shop) example project. It simulates a realistic JavaScript application with common security flaws. Clone or download it to a convenient location to get started.\n\n```bash\ngit clone https://github.com/juice-shop/juice-shop.git\n```\n\nNow, run the scan command with `bearer scan` on the project directory:\n\n```bash\nbearer scan juice-shop\n```\n\nA progress bar will display the status of the scan.\n\nOnce the scan is complete, Bearer CLI will output, by default, a security report with details of any rule findings, as well as where in the codebase the infractions happened and why.\n\nBy default the `scan` command use the SAST scanner, other [scanner types](https://docs.bearer.com/explanations/scanners) are available.\n\n### Analyze the report\n\nThe security report is an easily digestible view of the security issues detected by Bearer CLI. A report is made up of:\n\n- The list of [rules](https://docs.bearer.com/reference/rules/) run against your code.\n- Each detected finding, containing the file location and lines that triggered the rule finding.\n- A stat section with a summary of rules checks, findings and warnings.\n\nThe [OWASP Juice Shop](https://github.com/juice-shop/juice-shop) example application will trigger rule findings and output a full report. Here's a section of the output:\n\n```text\n...\nHIGH: Sensitive data stored in HTML local storage detected. [CWE-312]\nhttps://docs.bearer.com/reference/rules/javascript_lang_session\nTo skip this rule, use the flag --skip-rule=javascript_lang_session\n\nFile: juice-shop/frontend/src/app/login/login.component.ts:102\n\n 102       localStorage.setItem('email', this.user.email)\n\n\n=====================================\n\n59 checks, 40 findings\n\nCRITICAL: 0\nHIGH: 16 (CWE-22, CWE-312, CWE-798, CWE-89)\nMEDIUM: 24 (CWE-327, CWE-548, CWE-79)\nLOW: 0\nWARNING: 0\n```\n\nIn addition of the security report, you can also run a [privacy report](https://docs.bearer.com/explanations/reports/#privacy-report).\n\nReady for the next step? Additional options for using and configuring the `scan` command can be found in [configuring the scan command](https://docs.bearer.com/guides/configure-scan/).\n\nFor more guides and usage tips, [view the docs](https://docs.bearer.com/).\n\n## :question: FAQs\n\n### What makes Bearer CLI different from any other SAST tools?\n\nSAST tools are known to bury security teams and developers under hundreds of issues with little context and no sense of priority, often requiring security analysts to triage issues manually.\n\nThe most vulnerable asset today is sensitive data, so we start there and [prioritize](https://github.com/Bearer/bearer/issues/728) findings by assessing sensitive data flows to highlight what is more critical, and what is not. This unique ability allows us to provide you with a privacy scanner too.\n\nWe believe that by linking security issues with a clear business impact and risk of a data breach, or data leak, we can build better and more robust software, at no extra cost.\n\nIn addition, by being Free and Open, extendable by design, and built with a great developer UX in mind, we bet you will see the difference for yourself.\n\n### What is the privacy scanner?\n\nIn addition of detecting security flaws in your code, Bearer CLI allows you to automate the evidence gathering process needed to generate a privacy report for your compliance team.\n\nWhen you run Bearer CLI on your codebase, it discovers and classifies data by identifying patterns in the source code. Specifically, it looks for data types and matches against them. Most importantly, it never views the actual values—it just can’t—but only the code itself. If you want to learn more, here is the [longer explanation](https://docs.bearer.com/explanations/discovery-and-classification/).\n\nBearer CLI is able to identify over 120+ data types from sensitive data categories such as Personal Data (PD), Sensitive PD, Personally identifiable information (PII), and Personal Health Information (PHI). You can view the full list in the [supported data types documentation](https://docs.bearer.com/reference/datatypes/).\n\nFinally, Bearer CLI also lets you detect components storing and processing sensitive data such as databases, internal APIs, and third-party APIs. See the [recipe list](https://docs.bearer.com/reference/recipes/) for a complete list of components.\n\n### Supported Language\n\n[Learn more](https://docs.bearer.com/reference/supported-languages/) about language support.\n\n### How long does it take to scan my code? Is it fast?\n\nIt depends on the size of your applications. It can take as little as 20 seconds, up to a few minutes for an extremely large code base.\n\nAs a rule of thumb, Bearer CLI should never take more time than running your test suite.\n\nIn the case of CI integration, we provide a diff scan solution to make it even faster. [Learn more](https://docs.bearer.com/guides/configure-scan/#only-report-new-findings-on-a-branch).\n\n### What about false positives?\n\nIf you’re familiar with SAST tools, false positives are always a possibility.\n\nBy using the most modern static code analysis techniques and providing a native filtering and prioritizing solution on the most important issues, we believe we have dramatically improved the overall SAST experience.\n\nWe strive to provide the best possible experience for our users. [Learn more](https://docs.bearer.com/reference/supported-languages/#how-do-we-evaluate-language-support%3F) about how we achieve this.\n\n### When and where to use Bearer CLI?\n\nWe recommend running Bearer CLI in your CI to check new PRs automatically for security issues, so your development team has a direct feedback loop to fix issues immediately.\n\nYou can also integrate Bearer CLI in your CD, though we recommend setting it to only fail on high criticality issues, as the impact for your organization might be important.\n\nIn addition, running Bearer CLI as a scheduled job is a great way to keep track of your security posture and make sure new security issues are found even in projects with low activity.\n\nMake sure to read our [integration strategy guide](https://docs.bearer.com/guides/integration-strategy/) for more information.\n\n## Do you support interprocedural and inter-file analysis?\n\nYes, Bearer Pro supports interprocedural and inter-file analysis, currently with full capabilities for Java and actively being extended to other major supported languages. This advanced analysis allows Bearer Pro to trace data flow and control flow across function and file boundaries within an entire codebase. This is crucial for accurately identifying complex vulnerabilities that depend on the interaction of different code components, significantly reducing false positives compared to analyses limited to individual functions or files.\n\nBearer Pro's interprocedural and inter-file analysis for Java has demonstrated strong results on the OWASP Java Benchmark, achieving a score of 76% with a reported false positive rate of less than 2%.\n\n## :raised_hand: Get in touch\n\nThanks for using Bearer CLI. Still have questions?\n\n- Start with the [documentation](https://docs.bearer.com).\n- Got a feature request or found a bug? [Open a new issue](https://github.com/Bearer/bearer/issues/new/choose).\n- Found a security issue? Check out our [Security Policy](https://github.com/Bearer/bearer/security/policy) for reporting details.\n- Find out more at [Bearer.com](https://www.bearer.com)\n\n## :handshake: Contributing\n\nInterested in contributing? We're here for it! For details on how to contribute, setting up your development environment, and our processes, review the [contribution guide](CONTRIBUTING.md).\n\n## :rotating_light: Code of conduct\n\nEveryone interacting with this project is expected to follow the guidelines of our [code of conduct](CODE_OF_CONDUCT.md).\n\n## :shield: Security\n\nTo report a vulnerability or suspected vulnerability, [see our security policy](https://github.com/Bearer/bearer/security/policy). For any questions, concerns or other security matters, feel free to [open an issue](https://github.com/Bearer/bearer/issues/new/choose).\n\n## :mortar_board: License\n\nBearer CLI code is licensed under the terms of the [Elastic License 2.0](LICENSE.txt) (ELv2), which means you can use it freely inside your organization to protect your applications without any commercial requirements.\n\nYou are not allowed to provide Bearer CLI to third parties as a hosted or managed service without the explicit approval of Bearer Inc.\n\n---\n\n[test]: https://github.com/Bearer/bearer/actions/workflows/test.yml\n[test-img]: https://github.com/Bearer/bearer/actions/workflows/test.yml/badge.svg\n[release]: https://github.com/Bearer/bearer/releases\n[release-img]: https://img.shields.io/github/release/Bearer/bearer.svg?logo=github\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbearer%2Fbearer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbearer%2Fbearer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbearer%2Fbearer/lists"}