Cerbi Scanner 1.1.0 - free, read-only, no account
What are your logs leaking? Find out in five minutes.
Most codebases log more than anyone realizes - PII, secrets, API keys, raw payloads, object dumps. One free command scans your repo and hands you the number. No account, no signup, nothing leaves your machine.
Free scanner - no account, no signup, nothing leaves your machine
Get your findings count in about five minutes.
Don't take our word for it - run one command against your own repo. Cerbi Scanner statically scans C#, Go, Java, Node/TypeScript, and Python for unsafe logging and hands you a concrete number: how many log statements are shipping PII, secrets, or payload dumps into your pipeline today. Start in report mode, then flip one flag to gate CI/CD.
Install once, scan anywhere
Report mode generates JSON, SARIF, and Markdown output without stopping anything. Use it for a first scan and demos.
What the scanner finds
- PII and secrets in log statements
- Raw payload and object dumps
- Unsafe structured fields
- High-cardinality fields that inflate ingest cost
- Read-only by default - never modifies your source
- Outputs JSON, SARIF, and Markdown
Try it without installing anything
The demo repo ships intentionally unsafe logging in all five languages plus a working policy. Open it in Codespaces, run one scan, and read real findings in about five minutes.
GitHub account required. Codespaces usage may count against your GitHub quota.
Findings become governance evidence
JSON for automation, SARIF for GitHub code scanning, Markdown for build summaries. When findings matter across teams, CerbiShield adds centralized policy, scoring, audit history, and runtime enforcement.
One scanner, three ways to run it
Pick the path that matches where your code lives.
Every path runs the same engine against the same policy file - same findings, same output formats. Start wherever is easiest; nothing locks you in.
CLI on your machine
You want to scan a repo right now, locally.
One dotnet tool install, one scan command. Works on any repo in C#, Go, Java, Node/TypeScript, or Python. Read-only - nothing leaves your machine.
dotnet tool install -g Cerbi.Scanner
Cerbi.Scanner on NuGet
Azure DevOps extension
Your team's pipelines live in Azure DevOps.
A native Azure Pipelines task from the Visual Studio Marketplace. Add the task to your pipeline, point it at your policy file, and gate builds without scripting the CLI yourself.
Get it on Visual Studio Marketplace
GitHub Actions
Your CI runs in GitHub.
Run the CLI inside a workflow step - the demo repo ships a working GitHub Actions example you can copy, plus the same policy file the other paths use.
cerbi-scanner scan --path . --fail-on error
Copy the workflow from the demo repo
Not sure yet? Skip the install entirely - the Codespaces demo above runs the CLI against an intentionally unsafe repo in your browser, and everything you learn there transfers to all three paths.
Detection coverage
What the scanner finds.
Cerbi Scanner analyzes log call sites statically - no instrumentation, no runtime hooks. It surfaces patterns that developers miss during code review and that ingest-time masking never catches.
Sensitive fields
PII · PHI · CREDENTIALS - Passwords, tokens, SSNs, credit cards, PHI, PII, and other fields that should not land in logs.
Raw body or payload logging
RAW PAYLOADS - Request bodies, response bodies, webhook payloads, and serialized objects that may contain hidden sensitive data.
Risky object destructuring
OBJECT DUMPS - Patterns like {@user}, full DTO dumps, and object serialization that expose more than the developer intended.
Missing required fields
SCHEMA GAPS - Logs missing required governance fields such as service, environment, tenant, correlation ID, or event name.
Disallowed fields
POLICY VIOLATIONS - Fields explicitly banned by policy because they create security, privacy, compliance, or cost risk.
Dynamic templates and serialized logging
DYNAMIC PATTERNS - Logging patterns that make governance harder because the structure is unstable or hidden until runtime.
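As an added illustration, not Cerbi's engine or rule set, here is a toy static scanner in Python that applies three of the categories above (sensitive fields, raw payloads, object dumps) to constructed C# log call sites, emits a minimal SARIF document, and mirrors the report-mode versus --fail-on gating described on this page. The rule names, regexes, severities, and sample source are assumptions made for the example.

```python
import re

# Constructed sample of C# log call sites (not taken from the Cerbi demo repo).
SAMPLE_SOURCE = """\
_logger.LogInformation("User {UserId} logged in", user.Id);
_logger.LogInformation("Login {@user}", user);
_logger.LogDebug("Request body {Body}", await req.Content.ReadAsStringAsync());
_logger.LogWarning("Auth failed for {Email} with {Password}", email, password);
_logger.LogInformation("Token refreshed {ApiKey}", apiKey);
"""
# Illustrative rules (not Cerbi's): secret-like property, raw payload, {@obj} destructuring.
RULES = (
    ("sensitive-field", "error", re.compile(
        r"\{@?(password|passwd|secret|token|apikey|api_key|ssn|creditcard|cardnumber)\}", re.I)),
    ("raw-payload", "error", re.compile(r"\{@?(body|payload|request|response)\w*\}", re.I)),
    ("object-dump", "warning", re.compile(r"\{@\w+\}")),
)
LOG_CALL = re.compile(r"\.Log(Trace|Debug|Information|Warning|Error|Critical)\(")
SEVERITY = {"warning": 1, "error": 2}

def scan_source(text, path="Sample.cs"):
    """Return one finding per (line, rule, match) over every log call site."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not LOG_CALL.search(line):
            continue  # only log call sites are analyzed; other code is ignored
        for rule_id, level, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append({"rule": rule_id, "level": level, "path": path,
                                 "line": lineno, "field": match.group(0)})
    return findings

def exit_code(findings, fail_on=None):
    """Report mode (fail_on=None) never fails; a gate fails at or above fail_on."""
    if fail_on is None:
        return 0
    worst = max((SEVERITY[f["level"]] for f in findings), default=0)
    return 1 if worst >= SEVERITY[fail_on] else 0

def to_sarif(findings):
    """Minimal SARIF 2.1.0 document of the kind GitHub code scanning ingests."""
    results = [{"ruleId": f["rule"], "level": f["level"], "message": {"text": f"{f['field']} logged"},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["path"]},
                                                    "region": {"startLine": f["line"]}}}]}
               for f in findings]
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "toy-log-scanner"}}, "results": results}]}
```

Running `scan_source(SAMPLE_SOURCE)` yields four findings (one object dump, one raw payload, two sensitive fields); `exit_code(found)` stays 0 in report mode while `exit_code(found, fail_on="error")` returns 1, which is the flip from reporting to gating.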
Bad logs start in code
Bad logs start in code. Cerbi governs them there.
Most tools clean logs after they already exist. Cerbi applies policy while the log event is being created - redacting sensitive fields, tagging violations, and keeping existing sinks working.
All sensitive fields forwarded to Splunk, Datadog, and every downstream sink.
Sensitive fields governed at emission. Violations recorded. Nothing sensitive leaves the process.
Govern logging behavior before bad logs are created.
14-day free trial · No credit card · One-line setup
Scanner first. Runtime governance next.
Cerbi Scanner
- Scan code - one CLI command
- Find risky log calls - detects sensitive fields
- Generate report - violation evidence
CerbiStream + CerbiShield
- Add governance policy - cerbi.json rules
- Enforce before emission - CerbiStream intercepts
- Send governance evidence - CerbiShield dashboard
The scanner is free and proves the risk in your own repos - no account, no code upload. CerbiShield is what you deploy when the findings report lands in a security review and someone asks: “How do we keep this fixed?” Runtime governance enforces the same policy in-process, so sensitive fields never reach Splunk, Datadog, Azure Monitor, ELK, or any other sink again.
Scope
What Cerbi is not.
Clarity on scope is part of a credible product. Cerbi does one thing well: governs logging behavior at the source.
Not a SIEM
Cerbi does not collect, correlate, or alert on security events. It governs what is written to logs at the source. Your SIEM receives cleaner, more consistent data as a result.
Not a log storage platform
Cerbi has no log storage. Your existing destinations (Splunk, Datadog, Azure Monitor, Elastic, Seq) remain unchanged. Cerbi sits before them, not instead of them.
Not a replacement for your observability stack
Cerbi does not replace Datadog, New Relic, Grafana, or any observability vendor. It makes the data those platforms receive more accurate, consistent, and policy-compliant.
Not a log router or transport layer
Cerbi does not proxy or relay log traffic. There are no additional network hops on the hot path. CerbiStream is in-process; CerbiShield is async and out of band.
What it is
- A runtime SDK that governs log events before emission
- A governance control plane for policy management and audit
- A source-side filter that reduces ingestion noise and cost
- A compliance tool that enforces schema at the point of creation
When findings matter across teams, add CerbiShield.
Centralized policy, scoring, governance evidence, audit history, and runtime enforcement - deployed into your Azure tenant. The scanner proves the risk; CerbiShield governs it continuously.
