Bearer

Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing.

The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports.

The platform covers a broad range of security domains, including injection flaws, cross-site scripting, weak cryptography, and insecure network configurations. It further includes capabilities for secrets detection and the generation of structured security and privacy compliance reports.

Integration is supported via a pipeline scanner that manages process exit codes for CI/CD automation.

Features

Source Code Security Analysis - Identifies privacy violations and security flaws using built-in or custom static analysis rules.
Static Analysis Security Testing - Analyzes source code without execution to find security vulnerabilities and hard-coded secrets.
Static Analysis Security Testing - Provides a static analysis security testing tool to identify injection flaws and common vulnerabilities based on OWASP and CWE.
Data Leakage Detection - Finds sensitive information exposed in log messages or third-party transmissions.
SAST Scanners - Provides a security scanner integrated into CI/CD pipelines to identify vulnerabilities during the build process.
Application Privacy Analysis - Tracks how personal information is sent to third-party services to identify data exposure.
Privacy Implementation Audits - Maps data flows and identifies PII to verify privacy protocol implementations and generate regulatory evidence.
Information Flow Tracking - Implements tracking of sensitive data propagation across file and function boundaries to identify multi-component vulnerabilities.
Privacy Compliance Auditors - Identifies PII and PHI data flows to generate evidence for privacy impact assessments and regulatory reports.
Protected Information Identification - Detects personal and health-related information within the source code to support privacy audits.
Secret Detection - Identifies hard-coded API keys, passwords, and sensitive credentials embedded in source code.
Secret Scanning - Provides a toggle to switch between general static analysis and dedicated secret scanning.
Data Sensitivity Classifications - Matches discovered data against predefined types like PII and PHI using pattern recognition.
Sensitive Data Flow Analysis - Traces the movement of sensitive information through applications to identify potential data leaks.
Sensitive Data Flow Detection - Identifies the movement of protected data types through application components and third-party APIs.
Static Analysis Signatures - Utilizes predefined and custom signatures to detect security vulnerabilities and privacy risks within source code.
Injection Vulnerabilities - Scans for unsanitized input that could lead to SQL or command injection attacks.
Compliance Reporting - Generates audit-ready compliance documentation for privacy impact assessments and data protection records.
Rule-Based Classification Engines - Employs a rule-based engine with heuristic patterns to categorize discovered data into PII and PHI types.
Security Pattern Matching - Matches code patterns against industry standards like OWASP and CWE to identify security risks.
Cross-File Data Flow Tracing - Analyzes data movement across function and file boundaries to find complex vulnerabilities.
Taint Analysis Engines - Tracks the movement of untrusted or sensitive data from sources to sinks to detect injection flaws and leaks.
Fingerprint-Based Suppressions - Uses unique vulnerability fingerprints to permanently suppress known false positives from security reports.
Data Type Categorization - Applies heuristics and cluster analysis to organize discovered data into specific categories.
Analysis Suppressions - Uses unique fingerprints to permanently suppress known false positives from future security scans.
Incremental Scan Scoping - Optimizes scan time by reporting only findings introduced since a specified base branch.
CI/CD Pipeline Integrations - Provides native integration for automating security scans within CI/CD pipelines during the build process.
Compliance Report Generators - Generates structured JSON and HTML reports from scan findings to support privacy impact assessments and auditing.
Deserialization Security - Finds untrusted user input in deserialization methods that could lead to remote code execution.
Identity Linking Analysis - Determines if code objects represent people by analyzing attributes and context to aid privacy auditing.
Insecure Local Storage Detection - Flags the use of browser local storage for storing sensitive information.
Network Security Auditing - Identifies insecure protocols and missing SSL verification in network settings.
Path Traversal Protections - Finds unsanitized input used in file paths that could allow unauthorized filesystem access.
Permissive File Permission Detection - Detects files and directories created with overly broad access rights.
Security Report Generation - Lists vulnerabilities by file and line number with associated industry identifiers in structured reports.
Differential Analysis - Provides differential analysis to identify new security findings by comparing current scan results against a base branch.
CI/CD - Integrates static analysis into CI/CD pipelines to mitigate security vulnerabilities and secrets leakage.
Cross-Site Scripting Tools - Detects locations where unsanitized user input is rendered in web responses, leading to XSS.
Weak Cryptography Detection - Detects deprecated encryption ciphers and inadequate hashing algorithms within the codebase.
Custom Security Rule Definitions - Allows the definition of project-specific scanning logic to detect unique security or privacy patterns.
Custom Analysis Rules - Provides mechanisms to include or exclude specific analysis rules to focus on relevant security checks.
Data Classification Extensions - Supports the addition of custom data types and classification rules to tailor scanning to specific project needs.
Data Flow Visualizations - Generates visual mappings of how sensitive data moves through the application codebase.
Privacy Evidence Automation - Catalogs data flows and processing components to generate evidence for privacy compliance audits.
Differential Security Gates - Performs differential scans on pull requests to provide immediate feedback on newly introduced security risks.
Code Analysis and Quality - Security scanning for codebases.
Code Analysis Platforms - Security-focused analysis to identify and prioritize sensitive data exposure risks.
Static Code Analysis - Scans code for OWASP Top 10 security and privacy risks.
Application Security Testing - Scans source code for security risks and sensitive data exposure.
Security and Compliance - Open-source static security analysis for sensitive data.
Security and Vulnerability Scanning - Static analysis for discovering and prioritizing security risks.
Static Analysis - Multi-language static analysis for security issues.

securego/gosec

8,866View on GitHub

gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks. The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues. Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptograph

ajinabraham/nodejsscan

2,563View on GitHub

nodejsscan is a static analysis security tool and vulnerability detection engine designed to scan Node.js source code for security flaws and common coding vulnerabilities. It functions as a static application security testing tool that analyzes code without executing the program. The tool operates as a security linter that can be integrated into continuous integration pipelines to block insecure code from merging into main branches. It automates the auditing process through rule-based detection and pattern-based static analysis. The project provides capabilities for vulnerability alert autom

snyk/cli

5,428View on GitHub

The Snyk CLI is a command-line security scanner that detects known vulnerabilities across open-source dependencies, proprietary application code, container images, and infrastructure-as-code configuration files. It also serves as a platform management tool, allowing users to configure organizations, users, SSO, and reporting from the terminal rather than the web dashboard. The CLI integrates directly into development workflows, enabling scanning within IDEs, build pipelines, and version control systems. It implements static analysis with interfile data flow analysis to find complex security f

Bearerbearer

Features

Open-source alternatives to Bearer

securego/gosec

ajinabraham/nodejsscan

snyk/cli

crytic/slither

Star history

Open-source alternatives to Bearer

securego/gosec

ajinabraham/nodejsscan

snyk/cli

crytic/slither