
Mark Michon for Bearer


How to scan your Ruby or JS project for security improvements, for free.

Security tools are intimidating. They’re made for security teams that already know the jargon and details like CWE identifiers. But what about developers? We have tools that check for vulnerable dependencies and tools that check for leaked secrets, but we’re missing easy—actionable—advice on making our code more secure.

Good news! There’s a free open-source tool that can scan your code, check for known risks, and give you a list of things that need fixing. All are sorted by how risky the code is—based on things like how sensitive the data is and how damaging a breach or leak would be. It’s called Bearer.

Here's why it's pretty rad:

  • Quick scans: most projects take under a minute, with big ones like forem, gitlab, etc. taking between 3 and 10 minutes.
  • Your data never leaves your computer. The open-source scanner reads your code locally and doesn't send it, or any metadata about it, to any servers.
  • Practical advice: Each triggered rule shows you where in your code the problem is, and links out to documentation on how to improve it.

TLDR: The workflow ends up looking like this:

bearer scan /your-project

You can run that locally, or as part of CI/CD, and each time you’ll receive a summarized report. Let’s get into it.

Installing Bearer

There is a full list of ways to install Bearer in the docs, but the most common are using Brew or curl.

Homebrew:

brew install Bearer/tap/bearer

Curl:

curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh

Run your first scan

Now navigate to the project you’d like to scan, and run the scan command.

bearer scan .

The app scans your project in a few stages. It starts by detecting and classifying sensitive data types, then feeds that data into whichever report type you use. The default is the Security report, which shows all the security risks found in your codebase by checking against a set of “Rules”.

You get a summary that looks a bit like this:

107 checks, 12 failures, 6 warnings

CRITICAL: 0
HIGH: 1 (CWE-798)
MEDIUM: 11 (CWE-201, CWE-209, CWE-313, CWE-315, CWE-319, CWE-326, CWE-331, CWE-532, CWE-539)
LOW: 0
WARNING: 6 (CWE-312)
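Once a summary like this is produced in CI, the natural next step is to make the pipeline fail on it. The following is an added example, not part of this post or of Bearer's own CLI: a small Ruby script that parses summary lines in the `LEVEL: count (CWE-...)` layout shown above (embedded here as a constructed sample) and fails the build when anything at HIGH or CRITICAL is present. The layout assumption is the only coupling to Bearer; in a real pipeline you would more likely consume the CLI's machine-readable output (its `--format json` option) and apply the same threshold logic.

```ruby
# Constructed sample mirroring the summary bearer prints (not real scan output).
SAMPLE_SUMMARY = <<~TXT
  107 checks, 12 failures, 6 warnings

  CRITICAL: 0
  HIGH: 1 (CWE-798)
  MEDIUM: 11 (CWE-201, CWE-209, CWE-313, CWE-315, CWE-319, CWE-326, CWE-331, CWE-532, CWE-539)
  LOW: 0
  WARNING: 6 (CWE-312)
TXT

# Most to least severe; the gate blocks on everything up to the threshold.
SEVERITIES = %w[CRITICAL HIGH MEDIUM LOW WARNING].freeze

# Parses "LEVEL: n (CWE-..., ...)" lines into { level => { count:, cwes: [...] } }.
# Lines that do not match (the "107 checks, ..." header, blanks) are ignored.
def parse_summary(text)
  result = {}
  text.each_line do |line|
    m = line.match(/\A\s*(#{SEVERITIES.join('|')}):\s*(\d+)(?:\s*\(([^)]*)\))?/)
    next unless m
    result[m[1]] = { count: m[2].to_i, cwes: (m[3] || '').scan(/CWE-\d+/) }
  end
  result
end

# True when no level at or above `threshold` has findings. Levels missing
# from the summary count as zero, so a clean run passes.
def gate_passes?(summary, threshold: 'HIGH')
  blocking = SEVERITIES.take(SEVERITIES.index(threshold) + 1)
  blocking.all? { |lvl| summary.fetch(lvl, { count: 0 })[:count].zero? }
end

# CLI: `ruby bearer_gate.rb -` reads the summary from stdin, or pass a file path.
# Only runs when an argument is given, so loading the file for tests has no side effects.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  text = ARGV[0] == '-' ? $stdin.read : File.read(ARGV[0])
  summary = parse_summary(text)
  SEVERITIES.each { |lvl| puts "#{lvl}: #{summary.dig(lvl, :count) || 0}" }
  exit(gate_passes?(summary) ? 0 : 1)
end
```

Usage in a pipeline step would be `bearer scan . | ruby bearer_gate.rb -`; a non-zero exit fails the job, and the threshold keyword lets you start strict (CRITICAL only) and tighten to HIGH once the existing findings are triaged.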

Each failure and warning also shows you where it happened and links to docs on how to fix the problem.

MEDIUM: Sensitive data in a JWT detected. [CWE-315]
https://docs.bearer.com/reference/rules/ruby_lang_jwt
To skip this rule, use the flag --skip-rule=ruby_lang_jwt

File: lib/jwt.rb:6

 3     JWT.encode(
 4       {
 5         id: user.id,
 6         email: user.email,
 7         class: user.class,
 8       },
 9       nil,
    ...
 11     )

These rules come from the OWASP top 10, popular CWEs, and some general best practices from the appsec community. It’s a quick way to get a second pair of eyes on your code—especially if you aren’t a security expert.
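The finding above puts the whole user record, email included, into a JWT encoded with a nil key. To make the risk concrete, here is an added Ruby illustration that is not code from the post or from Bearer: a stdlib-only sketch of the flagged pattern beside a hardened version that carries only an opaque subject and an expiry, signs with HS256 using a secret from the environment, and verifies by rejecting alg "none", bad signatures and expired tokens. `User`, `JWT_SECRET` and the helper names are constructed for the example; a real application would use the jwt gem, but the base64 and HMAC steps are spelled out so that it is visible why a JWT payload is readable by anyone who holds the token.

```ruby
require 'openssl'
require 'json'

# Constructed stand-in for the `user` object in the flagged snippet.
User = Struct.new(:id, :email)

# URL-safe base64 without padding, as JWTs require; done with pack/unpack so the
# example needs no gems.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Equivalent of the flagged call: the whole user, email included, goes into the
# payload, and a nil key leaves the token unsigned (alg "none", empty signature).
def risky_token(user)
  header  = b64url({ alg: 'none', typ: 'JWT' }.to_json)
  payload = b64url({ id: user.id, email: user.email, class: user.class.to_s }.to_json)
  "#{header}.#{payload}."
end

# Hardened version: only an opaque subject plus issued-at and expiry claims,
# signed with HS256 under a secret the caller supplies (from ENV in practice).
def issue_token(user, secret, now: Time.now.to_i, ttl: 900)
  header  = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = b64url({ sub: user.id.to_s, iat: now, exp: now + ttl }.to_json)
  signing_input = "#{header}.#{payload}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Anyone holding a token can read its payload; no key is needed. This is the
# point of the rule: a JWT is signed, not encrypted.
def payload_claims(token)
  JSON.parse(b64url_decode(token.split('.')[1]))
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Checks algorithm, signature and expiry; returns the claims hash or nil.
def verify_token(token, secret, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split('.', 3)
  return nil if [header_b64, payload_b64, sig_b64].any? { |p| p.nil? || p.empty? }
  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header['alg'] == 'HS256' # never honour "none" or a different alg
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(b64url(expected), sig_b64)
  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue JSON::ParserError, ArgumentError, TypeError
  nil
end

if __FILE__ == $PROGRAM_NAME
  user   = User.new(42, 'alice@example.com')                   # constructed user
  secret = ENV.fetch('JWT_SECRET', 'constructed-dev-only-secret')
  puts "risky payload (readable without any key): #{payload_claims(risky_token(user))}"
  token = issue_token(user, secret)
  puts "hardened payload: #{payload_claims(token)}"
  puts "verified claims:  #{verify_token(token, secret).inspect}"
end
```

The two payload printouts make the rule's reasoning visible: the risky token exposes the email address to anyone who sees the token in a log, a URL or a browser store, while the hardened one only identifies the user by an id the server can look up. Verification deliberately rejects the unsigned token outright rather than trusting its header.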

Check it out

It's a big ask to put something in your pipeline or test flow, but I really love just using it as a one-off scan as I'm building something new. Kind of like linting, but for security. Right now the main security scan supports Ruby and JS/TS codebases. Give it a try—you can use our test repo if you like. Let us know what you think, and if there's something you'd like to see added, open an issue on GitHub.
