Scanner Types

Bearer CLI comes with two types of security scanners, SAST (default) and Secrets.

SAST Scanner

The SAST scanner is the default one if you don't specify any. This scanner uses the built-in rules to detect various security risks and vulnerabilities in your code.

The output of the SAST scanner depends on the report type used, by default the security report will be selected and display the list of rules violations in your terminal.

$ bearer scan . --scanner=sast
CRITICAL: Sensitive data stored in a JWT detected.
To skip this rule, use the flag --skip-rule=ruby_lang_jwt

File: /bear-publishing/lib/jwt.rb:6

3 JWT.encode(
4 {
5 id:,
6 email:,
7 class: user.class,
8 },
9 nil,
11 )


You can see a full list of built-in rules or create a custom rule.

Secrets Scanner

The Secrets scanner type detects hard-coded secrets in your code. It checks for common secret patterns such as keys, tokens, and passwords using the popular Gitleaks library.

$ bearer scan . --scanner=secrets
CRITICAL: Hard-coded secret detected. [CWE-798]

Detected: Password in URL
File: ../../OWASP/NodeGoat/

You can see a full list of built-in patterns.

⚠️ Secret detection patterns are not configurable today. If this is something you'd like to see, please open an issue.