Welcome to the Bearer documentation. Bearer is a static application security testing (SAST) tool that scans your source code and analyzes your data flows to discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD).

We provides built-in rules against a common set of security risks and vulnerabilities, known as OWASP Top 10. Here are some practical examples of what those rules look for:

  • Leakage of sensitive data through cookies, internal loggers, third-party logging services, and into analytics environments.
  • Usage of weak encryption libraries or misusage of encryption algorithms.
  • Unencrypted incoming and outgoing communication (HTTP, FTP, SMTP) of sensitive information.
  • Non-filtered user input.
  • Hard-coded secrets and tokens.

And many more.

Bearer currently supports JavaScript and Ruby stacks, more will follow.

bearer security scanner gif

Getting started

New to Bearer? Check out the quickstart to scan your first project.

Ready to dive in? Bearer's scanners and reports are your path to analyzing security risks and vulnerabilities in your application. Check the command reference to configure Bearer to your needs.


Guides help you make the most of Bearer so you can get up and running quickly.


Explanations dive into the rational behind Bearer and explain some of its heavier concepts.


Reference documents are where you'll find detailed information about each command, as well as support charges for languages, rules, datatypes, and more.


We'd love to see the impact you can bring to Bearer. Our contributing documentation will help get you started, whether you want to dive deep into the code or simply fix a typo.

Sunglasses Bear