How to scan your ruby or JS project for security improvements, for free.

This content originally appeared on DEV Community and was authored by Mark Michon

Security tools are intimidating. They’re made for security teams that already know the jargon and the details like CWE identifiers. But what about developers? We have tools that check for vulnerable dependencies and tools that check for leaked secrets, but we’re missing easy—actionable—advice on making our code more secure.

Good news! There’s a free open-source tool that can scan your code, check for known risks, and give you a list of things that need fixing. All are sorted by how risky the code is—based on things like how sensitive the data is and how damaging a breach or leak would be. It’s called Bearer.

Here's why it's pretty rad:

  • Quick scans: most projects take under a minute, with big ones like forem, gitlab, etc. taking between 3 and 10 minutes.
  • Your data never leaves your computer. The open-source scanner reads your code, but doesn't send it, or any metadata about it, to any servers.
  • Practical advice: each triggered rule shows you where in your code the problem is, and links out to documentation on how to improve it.

TLDR: The workflow ends up looking like this:

bearer scan /your-project

You can run that locally, or as part of CI/CD, and each time you’ll receive a summarized report. Let’s get into it.

Installing Bearer

There is a full list of ways to install Bearer in the docs, but the most common are using Brew or curl.

Homebrew:

brew install Bearer/tap/bearer

Curl:

curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh

Run your first scan

Now navigate to the project you’d like to scan, and run the scan command.

bearer scan .

The app scans your project in a few stages. It starts by detecting and classifying sensitive data types, then feeds that data into whichever report type you use. The default is the Security report, which shows all the security risks found in your codebase by checking against a set of “Rules”.

You get a summary that looks a bit like this:

107 checks, 12 failures, 6 warnings

CRITICAL: 0
HIGH: 1 (CWE-798)
MEDIUM: 11 (CWE-201, CWE-209, CWE-313, CWE-315, CWE-319, CWE-326, CWE-331, CWE-532, CWE-539)
LOW: 0
WARNING: 6 (CWE-312)

Plus each failure and warning shows you where it happened and has a link to docs on how to fix the problem.

MEDIUM: Sensitive data in a JWT detected. [CWE-315]
https://docs.bearer.com/reference/rules/ruby_lang_jwt
To skip this rule, use the flag --skip-rule=ruby_lang_jwt

File: lib/jwt.rb:6

 3     JWT.encode(
 4       {
 5         id: user.id,
 6         email: user.email,
 7         class: user.class,
 8       },
 9       nil,
    ...
 11     )

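Here is what the flagged lib/jwt.rb snippet looks like once the two problems are fixed, as an added example that is not from the post or from Bearer: the payload carries only an opaque subject and an expiry, a real secret is required, and a guard refuses payloads containing the kinds of claims the rule flags. It assumes a plain user hash and a hand-rolled HS256 encoder (standard library only) standing in for the jwt gem's JWT.encode; the SENSITIVE_CLAIMS list is constructed for the example.

```ruby
require "openssl"
require "json"

# Claim names treated as sensitive for this example (constructed list;
# the real rule's criteria are in the ruby_lang_jwt docs linked above).
SENSITIVE_CLAIMS = %w[email password phone ssn].freeze

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + "=" * ((4 - str.size % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0")
end

# Stand-in for JWT.encode(payload, secret, "HS256") using only OpenSSL.
# Refuses the two problems in the flagged snippet: a nil key and PII claims.
def encode_hs256(payload, secret)
  raise ArgumentError, "JWT signing secret is missing" if secret.nil? || secret.empty?
  leaked = payload.keys.map(&:to_s) & SENSITIVE_CLAIMS
  raise ArgumentError, "sensitive claims in JWT payload: #{leaked.join(', ')}" unless leaked.empty?
  header = b64url(JSON.generate({ alg: "HS256", typ: "JWT" }))
  signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest("SHA256", secret, signing_input))}"
end

# Returns the payload when the signature is valid and the token is unexpired, else nil.
def verify_hs256(token, secret, now = Time.now.to_i)
  header, body, sig = token.split(".")
  return nil unless header && body && sig
  expected = b64url(OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{body}"))
  return nil unless OpenSSL.secure_compare(sig, expected)
  payload = JSON.parse(b64url_decode(body))
  payload["exp"].to_i > now ? payload : nil
end

# Hardened version of lib/jwt.rb: opaque subject and expiry only, secret from the environment.
# `user` is a constructed hash here; in the post it is an application model.
def session_token(user, secret = ENV.fetch("JWT_SECRET"), ttl = 3600)
  encode_hs256({ sub: user[:id], exp: Time.now.to_i + ttl }, secret)
end
```

A JWT payload is only base64url-encoded, not encrypted, so anything placed in it is readable by whoever holds the token; the guard turns that rule into a failing unit test rather than a scanner finding.
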
These rules come from the OWASP top 10, popular CWEs, and some general best practices from the appsec community. It’s a quick way to get a second pair of eyes on your code—especially if you aren’t a security expert.

Check it out

It's a big ask to put something in your pipeline or test flow, but I really love just using it as a one-off scan as I'm building something new. Kind of like linting, but for security. Right now the main security scan supports Ruby and JS/TS codebases. Give it a try—you can use our test repo if you like. Let us know what you think, and if there's something you'd like to see added, open an issue on GitHub.


Mark Michon | Sciencx (2023-03-28T00:35:22+00:00) How to scan your ruby or JS project for security improvements, for free. Retrieved from https://www.scien.cx/2023/03/28/how-to-scan-your-ruby-or-js-project-for-security-improvements-for-free/