Description & Reproduction
I generated the following file to test bearer:
import os

# --- HARDCODED SECRETS (Do not use in production) ---
# Database Credentials
DB_CONNECTION = {
    "db_user": "admin_service",
    "db_pass": "P@ssw0rd2026!_SecureAccess",
    "host": "db.internal.company.com",
    "port": 5432
}

# Simulated Cloud Provider API Key (High Entropy)
AWS_CONFIG = {
    "api_key": "AKIAJ2L3EXAMPLE456789XYZ",
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1"
}

# --- PERSONALLY IDENTIFIABLE INFORMATION (PII) ---
# Dictionary containing sensitive user data for testing PII scanners
USER_RECORD = {
    "user_id": 10293,
    "full_name": "Jane Alice Smith",
    "email": "jane.smith@example.org",
    "phone_number": "+1-555-010-9988",
    "social_security_number": "999-00-1234",
    "date_of_birth": "1992-05-14",
    "home_address": "1234 Maple Avenue, Springfield, IL, 62704"
}


def connect_to_service():
    print(f"Connecting to database at {DB_CONNECTION['host']}...")
    # Logic to use the credentials would go here
    pass


if __name__ == "__main__":
    connect_to_service()
    print("Application started successfully.")
I expected to get a lot of issues with this file, but I don't.
Expected Behavior
I was expecting it to call out that there are other passwords, PII and so on.
Actual Behavior
Analyzing codebase
⠋ (27/-) [0s]
Loading rules
Scanning target bad.py
└ 100% [===============] (1/1) [0s]
Running Detectors
Generating dataflow
Evaluating rules
└ 100% [===============] (234/234) [0s]
Security Report
=====================================
Rules:
https://docs.bearer.com/reference/rules [v0.48.4]
Language Default Rules Custom Rules Files
Python 88 0 1
HIGH: Hard-coded secret detected. [CWE-798]
https://docs.bearer.com/reference/rules/gitleaks
To ignore this finding, run: bearer ignore add 449faec69801973b3d7630479cfd4169_0
Detected: AWS Access Token
File: bad.py:15
15 "api_key": "AKIAJ2L3EXAMPLE456789XYZ",
=====================================
89 checks, 1 findings
CRITICAL: 0
HIGH: 1 (CWE-798)
MEDIUM: 0
LOW: 0
WARNING: 0
Possible Fix
Your Environment
- Operating System and version: MacOS
- Output of 'bearer version':
bearer version 2.0.1, build db06eee42c91ec397b4866b2446f30917093c412
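Added example (not part of the original report, and not Bearer's rules or code): a small AST check that could run alongside the scanner to flag the kind of entries the report expected, namely dict keys named like credentials or PII fields that hold string literals. The key-name patterns, the function name and the sample input are assumptions constructed for illustration.

```python
import ast
import re

# Key-name heuristics (assumed for this example, not Bearer's rule set).
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|api_?key|token", re.I)
PII_KEY = re.compile(
    r"ssn|social_security|date_of_birth|email|phone|address|full_name", re.I
)

# Constructed sample mirroring the shape of the file in the report.
SAMPLE = '''
DB = {"db_user": "svc", "db_pass": "CONSTRUCTED-not-a-real-password", "port": 5432}
USER = {"user_id": 1, "email": "a@example.org", "social_security_number": "000-00-0000"}
SAFE = {"db_pass": os.environ["DB_PASS"]}
'''


def scan_dict_literals(source, filename="<string>"):
    """Return sorted (line, category, key) tuples for dict entries whose key
    name looks like a credential or PII field and whose value is a string
    literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Dict):
            continue
        for key, value in zip(node.keys, node.values):
            # key is None for ** unpacking; only literal string keys count
            if not (isinstance(key, ast.Constant) and isinstance(key.value, str)):
                continue
            # values read from the environment or a vault are not literals
            if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
                continue
            if SECRET_KEY.search(key.value):
                findings.append((key.lineno, "secret", key.value))
            elif PII_KEY.search(key.value):
                findings.append((key.lineno, "pii", key.value))
    return sorted(findings)


if __name__ == "__main__":
    for line, category, key in scan_dict_literals(SAMPLE):
        print(f"line {line}: hard-coded {category} under key {key!r}")
```

Name-based matching is a heuristic: it misses literals stored under neutral key names and flags harmless fields such as `ip_address`, so its findings need review.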