Bearer CLI static analysis
Expanded report, ready for security review
Bearer CLI automated scan

Security & Privacy Assessment

This report packages the Bearer CLI scan results into a review-ready summary for auditors, including methodology, scope, and validation notes.

Scan completed: November 25 2025, 07:45:11 am (UTC+0000) | Report scope: Source code (repository workspace)
Bearer reported no findings at any severity (critical, high, medium, low, or warning) in this scan. Keep this report as evidence, record the commit it was run against, and re-run after significant changes to maintain coverage.

Overall status

0 total actionable findings across all severities

Severity distribution

Critical 0 (0%)
High     0 (0%)
Medium   0 (0%)
Low      0 (0%)
Warning  0 (0%)

Scan metadata

Tool Bearer CLI (static analysis)
Artifact Imported from `security-scan.html`
Scan scope Source code repository
Commit / tag Not specified in artifact
Execution environment Local run (static, non-executing)

Executive summary

Bearer CLI performed a static review of the codebase focusing on data handling, privacy, secrets, and security anti-patterns. The scan returned no actionable findings in this run.

  • Within the files and languages Bearer parsed, the rule set flagged no sensitive-data exfiltration paths, insecure logging, or weak cryptographic primitives. A zero result means no rule matched; it is not proof that no such issue exists.
  • Results align with other automated checks noted in the repository (SonarQube, Docker Scout), indicating a clean baseline at scan time.
  • Running this scan in CI catches regressions before release; the current artifact is suitable as auditor evidence once it is tied to a commit.

Recommendations for reviewers

  1. Verify that the CI job fails (non-zero exit) when Bearer reports new findings at or above the agreed severity, so risky merges are blocked rather than merely annotated. Bearer's `--fail-on-severity` option controls which severities cause a non-zero exit; check that the job does not override it with `--exit-code 0`.
  2. Pair this SAST output with SCA (dependency) and container scans already documented in the project for layered coverage.
  3. Sample authentication, authorization, and data-export paths manually to confirm intended controls beyond static analysis.
  4. Re-run the scan after major code, dependency, or framework upgrades and archive each report for traceability, recording the commit hash and Bearer version alongside it (this artifact records neither).
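A merge gate of the kind recommended in steps 1 and 4, as an added example rather than code from this report, from Bearer, or from the scanned project. It assumes the report is Bearer's JSON output (`bearer scan . --format json --output bearer.json`): an object keyed by severity, each value a list of findings carrying a stable `fingerprint`; the sample reports, rule ids, file names and fingerprints embedded below are constructed. The gate blocks only on findings that are new relative to an archived baseline report and at or above the agreed severity, and it emits the commit hash, tool version and report hash that step 4 asks to be archived.

```python
"""Merge gate and evidence record for a Bearer CLI JSON report.

Added example, not Bearer's code. Assumed (not taken from the report above):
  * the JSON report is an object keyed by severity ("critical", "high",
    "medium", "low", "warning"); each value lists findings with at least
    "id", "filename", "line_number", "cwe_ids" and a stable "fingerprint";
  * a scan with no findings serialises as an empty object ({});
  * rule ids, file names and fingerprints below are constructed samples.
"""
import hashlib
import json
import sys
from datetime import datetime, timezone

SEVERITIES = ("critical", "high", "medium", "low", "warning")
# Block on low and above, let warnings through; adjust to project policy.
DEFAULT_FAIL_ON = ("critical", "high", "medium", "low")

# Constructed sample: the last archived report (the baseline) ...
BASELINE_JSON = json.dumps({
    "medium": [{"id": "example_lang_logger", "filename": "src/audit.js",
                "line_number": 40, "cwe_ids": ["532"],
                "fingerprint": "fp-medium-audit-40"}],
})
# ... and the report from the branch under review: the medium finding is
# carried over (line shifted, same fingerprint); a high finding and a
# warning are new.
CURRENT_JSON = json.dumps({
    "high": [{"id": "example_express_insecure_cookie", "filename": "src/app.js",
              "line_number": 12, "cwe_ids": ["614"],
              "fingerprint": "fp-high-cookie-12"}],
    "medium": [{"id": "example_lang_logger", "filename": "src/audit.js",
                "line_number": 41, "cwe_ids": ["532"],
                "fingerprint": "fp-medium-audit-40"}],
    "warning": [{"id": "example_lang_todo", "filename": "src/util.js",
                 "line_number": 3, "cwe_ids": [],
                 "fingerprint": "fp-warn-todo-3"}],
})


def load_report(text: str) -> dict:
    """Parse a Bearer JSON report; every severity becomes a list (maybe empty)."""
    data = json.loads(text) or {}
    unknown = set(data) - set(SEVERITIES)
    if unknown:  # refuse to silently treat an unexpected layout as "clean"
        raise ValueError(f"unexpected top-level keys: {sorted(unknown)}")
    return {sev: list(data.get(sev, [])) for sev in SEVERITIES}


def severity_counts(report: dict) -> dict:
    """Counts per severity, in the order the summary table uses."""
    return {sev: len(report[sev]) for sev in SEVERITIES}


def new_findings(current: dict, baseline: dict) -> list:
    """Findings in `current` whose fingerprint is absent from `baseline`.

    Comparing fingerprints rather than file:line means a known finding that
    merely moved is not re-reported as new.
    """
    known = {f["fingerprint"] for sev in SEVERITIES for f in baseline[sev]}
    return [{**f, "severity": sev}
            for sev in SEVERITIES for f in current[sev]
            if f["fingerprint"] not in known]


def gate(current: dict, baseline: dict, fail_on=DEFAULT_FAIL_ON):
    """Return (exit_code, blocking_findings); non-zero blocks the merge."""
    blocking = [f for f in new_findings(current, baseline) if f["severity"] in fail_on]
    return (1 if blocking else 0), blocking


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def evidence_record(report_text: str, commit: str, bearer_version: str) -> dict:
    """What to archive next to the report so it can be tied back to the code."""
    return {
        "commit": commit,
        "bearer_version": bearer_version,
        "report_sha256": sha256_hex(report_text),
        "counts": severity_counts(load_report(report_text)),
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def main() -> int:
    current, baseline = load_report(CURRENT_JSON), load_report(BASELINE_JSON)
    for sev, n in severity_counts(current).items():
        print(f"{sev:<8} {n}")
    code, blocking = gate(current, baseline)
    for f in blocking:
        cwes = ",".join(f["cwe_ids"]) or "n/a"
        print(f"NEW {f['severity'].upper()}: {f['id']} at "
              f"{f['filename']}:{f['line_number']} (CWE {cwes}) {f['fingerprint']}")
    # In CI, take these two values from `git rev-parse HEAD` and `bearer version`;
    # the placeholders here are constructed.
    print(json.dumps(evidence_record(CURRENT_JSON, "0123abcd", "x.y.z")))
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run as-is it prints the severity table, lists the one blocking finding (the new high) and exits 1. In CI, read the report file and the last archived report instead of the embedded samples, and keep Bearer's own non-zero exit as a second, independent gate rather than replacing it.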

Methodology

Bearer CLI inspects source code without executing it, applying rules that track sensitive data types, potential leaks, and security weaknesses.

  • Static analysis: pattern and data-flow checks for sensitive data exposure, insecure transport/storage, secrets, and weak cryptography.
  • Privacy focus: rules tuned to detect personal data handling and logging issues alongside general security misconfigurations.
  • Non-invasive: the scanned application is never executed and no traffic is sent to its services; findings are derived solely from code and configuration artifacts.

Limitations & validation

Use this report as one control among several. Items outside the scope of this artifact should be addressed through complementary checks.

  • Dependencies and container images require separate SCA/SBOM review (see Docker Scout and other tooling in the repository).
  • Dynamic behaviors, infrastructure configuration, and runtime secrets are not assessed by this static scan.
  • Rule coverage is limited to the Bearer policy set; custom application threats (business logic, abuse cases) need manual review.
  • Bearer only analyzes source files in the languages it parses and skips any paths excluded with `--skip-path`; confirm the scanned tree and its main languages were actually covered, since a zero-finding result over unparsed or excluded code is not evidence.

Findings

Findings are grouped by severity and map to relevant CWE categories when present.

No findings were reported in this scan. Retain this section as evidence of coverage and re-run regularly to catch regressions.
  Severity   Count   Notes
  Critical   0       No critical findings reported.
  High       0       No high findings reported.
  Medium     0       No medium findings reported.
  Low        0       No low findings reported.
  Warning    0       No warnings reported.

Appendix: Severity scale

Use these definitions when triaging future findings from Bearer CLI or related static analysis tools.