Bearer CLI: SAST That Actually Cares About Your Users' Privacy

Hook

Most security scanners tell you about SQL injection risks. Bearer CLI tells you that your user’s email address flows from your PostgreSQL database through a logging library to Sentry—which might violate GDPR.

Context

The shift toward privacy regulations like GDPR, CCPA, and HIPAA created a blind spot in traditional application security. Conventional SAST tools excel at finding vulnerabilities—SQL injection, XSS, insecure deserialization—but they weren’t designed for a world where knowing where your users’ data goes is just as critical as knowing where your code is vulnerable. Security teams could identify every OWASP Top 10 risk in their codebase while remaining completely blind to privacy compliance gaps. Bearer CLI emerged from this reality, positioning itself as a dual-purpose tool that scans for both security vulnerabilities and sensitive data flows. Built in Go for performance and packaged as a standalone CLI, it’s part of Cygives, Cycode’s community hub for free security tools. The project offers transparent, built-in rules covering OWASP Top 10 and CWE Top 25, while uniquely tracking how PII (Personally Identifiable Information) and PHI (Protected Health Information) move through your application—from databases to third-party APIs. This dual focus addresses a gap that most open-source SAST tools ignore entirely.

Technical Insight

System architecture (auto-generated diagram, rendered here as text): source code in the supported languages is parsed into ASTs by the Multi-Language Parser; the Pattern Matching Engine applies the Security & Privacy Rules (OWASP/CWE patterns) to report vulnerabilities; the Dataflow Analysis Engine and Sensitive Data Classifier map data types to traced flows and privacy risks; and the Report Generator emits JSON/SARIF/privacy reports.

Bearer CLI’s architecture separates language-agnostic pattern matching from language-specific dataflow analysis. When you run a scan, the tool parses your source code across seven supported languages (Go, Java, JavaScript, TypeScript, PHP, Python, Ruby) and applies built-in security rules. These rules are fully documented and transparent—you can inspect exactly what patterns trigger each finding, unlike black-box commercial tools. The scanning process operates in two phases: vulnerability detection through pattern matching, and sensitive data classification through dataflow tracing.

Running a basic scan is straightforward. After installation, point Bearer CLI at your codebase:

# Scan current directory for security and privacy risks
bearer scan .

# Generate a privacy report for GDPR compliance
bearer scan . --report privacy

# Output results in JSON for CI/CD integration
bearer scan . --format json --output results.json

The privacy reporting capability distinguishes Bearer from traditional SAST tools. When enabled, it identifies sensitive data types (emails, credit cards, health records, geographic locations) and traces their flow through your application. The tool recognizes when sensitive data interacts with components like databases (PostgreSQL, MongoDB) and third-party services (OpenAI, Sentry), or gets logged. This generates artifacts useful for Data Protection Impact Assessments (DPIA) and Records of Processing Activities (RoPA)—regulatory requirements that traditional security scanners don’t address.

The built-in rules cover the full OWASP Top 10 spectrum. For A01 (Access Control), it detects path traversal and open redirect vulnerabilities. For A03 (Injection), it identifies SQL injection, XSS, and input validation gaps. The rules are written as code patterns that the parser matches against your source. For example, a SQL injection rule might flag:

// Bearer flags this: user input directly in query
const userId = req.params.id;
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.execute(query);

// Bearer accepts this: parameterized query
const userId = req.params.id;
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [userId]);

The tool’s multi-language support uses a unified rule engine, meaning security policies remain consistent whether you’re scanning a Python microservice or a Ruby monolith. This matters for polyglot architectures where different teams use different languages but need uniform security posture.

Bearer CLI outputs results in multiple formats: human-readable terminal output with severity indicators, JSON for automated processing, and appears to support SARIF (Static Analysis Results Interchange Format) for integration with GitHub Security tab and other platforms. The progress indicators and real-time feedback make it developer-friendly compared to enterprise SAST tools that often feel like black boxes. The open-source CLI handles single-file analysis effectively, but cross-file dataflow analysis—tracking how data moves between modules—is reserved for Bearer Pro, the commercial offering by Cycode. This limitation is significant: complex vulnerabilities that span multiple files (like a password hash generated in one module but logged in another) won’t be caught by the CLI version.

Gotcha

Bearer CLI’s pattern-based approach inherits the classic SAST limitation: false positives. Since it analyzes code statically without execution context, it may flag secure code that appears vulnerable based on syntax alone. If you’re using a custom validation library that Bearer doesn’t recognize, it might report unvalidated input even when your code is safe. The inverse problem—false negatives—also exists. Runtime-specific vulnerabilities like race conditions, business logic flaws, or issues that emerge only under specific execution paths won’t appear in Bearer’s reports.

The most significant limitation is the lack of cross-file dataflow analysis in the open-source version. Modern applications rarely contain vulnerabilities in isolation. A typical exploit chain might involve user input accepted in one file, passed through multiple modules, and eventually used unsafely in a database query three layers deep. Bearer CLI analyzes each file independently, so it won’t trace data flows that cross file boundaries. This capability exists exclusively in Bearer Pro, along with support for additional languages like C#, Kotlin, and Elixir. For teams needing comprehensive dataflow analysis without paying for the commercial tier, this is a hard stop. The privacy compliance features, while innovative, also have limitations. Bearer can tell you that email addresses flow to Sentry, but it can’t interpret your legal basis for that processing or whether you have proper consent mechanisms. It generates inputs for compliance documentation, not the documentation itself. Finally, like all static analyzers, Bearer can’t detect vulnerabilities in dependencies or runtime environments—you’ll need complementary tools like dependency scanners and DAST (Dynamic Application Security Testing) for complete coverage.
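To make the two scan phases and the per-file limitation concrete, here is an added, deliberately simplified model (my own illustrative code, not Bearer's engine, rule syntax or data-type catalogue): a pattern rule that catches the template-literal SQL query shown earlier, and an intraprocedural taint trace that classifies a sensitive field (an email) reaching a logger or Sentry sink. The sample inputs are constructed; the second module shows why a hash produced in another file goes unreported.

```python
import re
# Constructed, simplified model of the two scan phases the article describes: a pattern
# rule for SQL built from a template literal, and a per-file taint trace that classifies
# sensitive fields reaching a log or third-party sink. Not Bearer's engine or rule syntax.
SENSITIVE_FIELDS = {"email": "Email address", "password": "Password", "ssn": "National ID"}
USER_INPUT = re.compile(r"\breq\.(params|body|query)\.\w+")
FIELD_ACCESS = re.compile(r"\b\w+\.(\w+)\b")
ASSIGN = re.compile(r"^\s*(?:const|let|var)\s+(\w+)\s*=\s*(.+?);?\s*$")
TEMPLATE_SQL = re.compile(r"`\s*(?:SELECT|INSERT|UPDATE|DELETE)\b.*\$\{(\w+)\}", re.I)
SQL_SINK = re.compile(r"\bdb\.execute\(\s*(\w+)\s*\)")  # bare query variable, no params array
PRIVACY_SINKS = ("logger.", "console.log(", "Sentry.")

def labels_of(expr, taint):
    # Labels an expression carries: direct sources plus already-tainted variables it mentions.
    labels = {"user_input"} if USER_INPUT.search(expr) else set()
    labels |= {SENSITIVE_FIELDS[f] for f in FIELD_ACCESS.findall(expr)
               if f in SENSITIVE_FIELDS}
    for var, var_labels in taint.items():
        if re.search(rf"\b{var}\b", expr):
            labels |= var_labels
    return labels

def scan_file(lines):
    """Scan one file; as in the open-source CLI, nothing crosses the file boundary."""
    taint, sql_from, findings = {}, {}, []
    for n, line in enumerate(lines, 1):
        m = ASSIGN.match(line)
        if m:
            var, expr = m.groups()
            labels = labels_of(expr, taint)
            if labels:
                taint[var] = labels
            t = TEMPLATE_SQL.search(expr)
            if t and "user_input" in taint.get(t.group(1), set()):
                sql_from[var] = t.group(1)  # query text interpolates user input
            continue
        s = SQL_SINK.search(line)
        if s and s.group(1) in sql_from:
            findings.append((n, "SQL injection", sql_from[s.group(1)]))
        if line.lstrip().startswith(PRIVACY_SINKS):
            for label in sorted(labels_of(line, taint) - {"user_input"}):
                findings.append((n, f"{label} reaches sink", line.strip()))
    return findings
# Constructed samples: the page's template-literal query, an email that gets logged,
# and a second module whose password hash was produced in another file.
SAMPLE = ["const userId = req.params.id;",
          "const query = `SELECT * FROM users WHERE id = ${userId}`;", "db.execute(query);",
          "const contact = user.email;", "logger.info(`Notifying ${contact}`);",
          "Sentry.captureMessage(`lookup failed for ${user.email}`);"]
OTHER_MODULE = ["const { hash } = require('./auth');", "logger.info(hash);"]
```

scan_file(SAMPLE) returns the SQL injection finding on line 3 and two email findings on lines 5 and 6, while scan_file(OTHER_MODULE) returns an empty list because the hash's origin lives in a file this trace never sees.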

Verdict

Use Bearer CLI if you’re building applications that handle sensitive user data and need both security scanning and privacy compliance tracking in a single tool—especially valuable for teams navigating GDPR, HIPAA, or similar regulations who want transparent, documented rules rather than black-box analysis. It excels in polyglot environments where consistent security policies across languages matter, and shines in CI/CD pipelines thanks to multiple output formats and lightweight architecture. The free tier offers genuine value for security-conscious teams on limited budgets. Skip it if you require deep cross-file dataflow analysis without budget for the commercial version, if you’re already invested in an enterprise SAST platform with advanced analysis capabilities, or if your application doesn’t process sensitive data (making the privacy features unnecessary overhead). Also skip if you need runtime vulnerability detection or comprehensive dependency scanning—Bearer is purely a static analyzer and should complement, not replace, dynamic testing tools and SCA (Software Composition Analysis) solutions.
