Cerbi Scanner

Cerbi Scanner 1.1.0 - free, read-only, no account

What are your logs leaking? Find out in five minutes.

Most codebases log more than anyone realizes - PII, secrets, API keys, raw payloads, object dumps. One free command scans your repo and hands you the number. No account, no signup, nothing leaves your machine.


Free scanner - no account, no signup, nothing leaves your machine

Get your findings count in about five minutes.

Don't take our word for it - run one command against your own repo. Cerbi Scanner statically scans C#, Go, Java, Node/TypeScript, and Python for unsafe logging and hands you a concrete number: how many log statements are shipping PII, secrets, or payload dumps into your pipeline today. Start in report mode, then flip one flag to gate CI/CD.

Install once, scan anywhere

dotnet tool install -g Cerbi.Scanner

Report mode generates JSON, SARIF, and Markdown output without stopping anything. Use it for a first scan and demos.

mkdir -p scan-results
cerbi-scanner scan \
  --path . \
  --policy policies/cerbi-policy.yml \
  --fail-on none \
  --format json --output scan-results/findings.json \
  --sarif scan-results/findings.sarif \
  --summary scan-results/build-summary.md

Scans: C# · Go · Java · Node/TypeScript · Python

What the scanner finds

  • PII and secrets in log statements
  • Raw payload and object dumps
  • Unsafe structured fields
  • High-cardinality fields that inflate ingest cost
  • Read-only by default - never modifies your source
  • Outputs JSON, SARIF, and Markdown

Try it without installing anything

The demo repo ships intentionally unsafe logging in all five languages plus a working policy. Open it in Codespaces, run one scan, and read real findings in about five minutes.

GitHub account required. Codespaces usage may count against your GitHub quota.

Findings become governance evidence

JSON for automation, SARIF for GitHub code scanning, Markdown for build summaries. When findings matter across teams, CerbiShield adds centralized policy, scoring, audit history, and runtime enforcement.

See CerbiShield

One scanner, three ways to run it

Pick the path that matches where your code lives.

Every path runs the same engine against the same policy file - same findings, same output formats. Start wherever is easiest; nothing locks you in.

Start here

CLI on your machine

You want to scan a repo right now, locally.

One dotnet tool install, one scan command. Works on any repo in C#, Go, Java, Node/TypeScript, or Python. Read-only - nothing leaves your machine.

dotnet tool install -g Cerbi.Scanner
Cerbi.Scanner on NuGet

Azure DevOps

Azure DevOps extension

Your team's pipelines live in Azure DevOps.

A native Azure Pipelines task from the Visual Studio Marketplace. Add the task to your pipeline, point it at your policy file, and gate builds without scripting the CLI yourself.

Get it on Visual Studio Marketplace
GitHub CI

GitHub Actions

Your CI runs in GitHub.

Run the CLI inside a workflow step - the demo repo ships a working GitHub Actions example you can copy, plus the same policy file the other paths use.

cerbi-scanner scan --path . --fail-on error
Copy the workflow from the demo repo

Not sure yet? Skip the install entirely - the Codespaces demo above runs the CLI against an intentionally unsafe repo in your browser, and everything you learn there transfers to all three paths.

Detection coverage

What the scanner finds.

Cerbi Scanner analyzes log call sites statically - no instrumentation, no runtime hooks. It surfaces patterns that developers miss during code review and that ingest-time masking never catches.

Sensitive fields

PII · PHI · CREDENTIALS

Passwords, tokens, SSNs, credit cards, PHI, PII, and other fields that should not land in logs.

Raw body or payload logging

RAW PAYLOADS

Request bodies, response bodies, webhook payloads, and serialized objects that may contain hidden sensitive data.

Risky object destructuring

OBJECT DUMPS

Patterns like {@user}, full DTO dumps, and object serialization that expose more than the developer intended.

Missing required fields

SCHEMA GAPS

Logs missing required governance fields such as service, environment, tenant, correlation ID, or event name.

Disallowed fields

POLICY VIOLATIONS

Fields explicitly banned by policy because they create security, privacy, compliance, or cost risk.

Dynamic templates and serialized logging

DYNAMIC PATTERNS

Logging patterns that make governance harder because the structure is unstable or hidden until runtime.
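As an added illustration (not the Cerbi engine and not its policy format), a minimal Python pass over constructed C#/Serilog-style and Python log call sites that flags three of the categories above: sensitive fields in templates, {@obj} object dumps, and raw payload serialization. The rule set and sample lines are assumptions made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log call sites (C#/Serilog-style and Python logging); not from any real repo.
SAMPLE_SOURCE = """\
_logger.LogInformation("User login {Email} from {Ip}", user.Email, ctx.Ip);
_logger.LogDebug("Auth request {@Request}", request);
_logger.LogError("Token refresh failed token={Token}", token);
log.info("order created order_id=%s", order.id)
log.debug("payload: %s", json.dumps(webhook_body))
_logger.LogInformation("Service started on port {Port}", port);
"""

# Hypothetical rule set modelled on the page's categories; Cerbi's real policy is not reproduced.
SENSITIVE_FIELDS = {"password", "token", "secret", "ssn", "email", "ip", "creditcard", "apikey"}
LOG_CALL_RE = re.compile(r"\b(?:_?logger|log)\.(?:Log\w+|info|debug|warning|error)\(")
DESTRUCTURE_RE = re.compile(r"\{@(\w+)\}")           # Serilog {@obj}: whole-object dump
PLACEHOLDER_RE = re.compile(r"\{(\w+)\}|(\w+)=[{%]")   # {Field}, field={...}, field=%s
PAYLOAD_RE = re.compile(r"json\.dumps\(|JsonSerializer\.Serialize\(|\.Body\b")

@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    detail: str

def scan_source(src: str) -> list[Finding]:
    """One Finding per risky pattern on each log call site line; other lines are ignored."""
    findings: list[Finding] = []
    for n, line in enumerate(src.splitlines(), 1):
        if not LOG_CALL_RE.search(line):
            continue
        for m in DESTRUCTURE_RE.finditer(line):
            findings.append(Finding(n, "OBJECT_DUMP", m.group(1)))
        for m in PLACEHOLDER_RE.finditer(line):
            name = (m.group(1) or m.group(2)).lower()
            f = Finding(n, "SENSITIVE_FIELD", name)
            if name in SENSITIVE_FIELDS and f not in findings:
                findings.append(f)  # de-duplicated per line
        m = PAYLOAD_RE.search(line)
        if m:
            findings.append(Finding(n, "RAW_PAYLOAD", m.group(0)))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per category: the concrete number that report mode hands you."""
    return dict(Counter(f.category for f in findings))
```

Run on the sample, it reports five findings (three sensitive fields, one object dump, one raw payload) and nothing for the two benign lines.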

Bad logs start in code

Bad logs start in code. Cerbi governs them there.

Most tools clean logs after they already exist. Cerbi applies policy while the log event is being created - redacting sensitive fields, tagging violations, and keeping existing sinks working.

Without Cerbi
event="UserLoginFailed" email="jane@company.com"
password="SuperSecret123" token="abc123xyz"
ip="192.168.1.42" userId="usr_8472hx"
level="ERROR" service="auth-api" ts="2025-01-14T09:41:02Z"
// No governance record. Data is in Splunk, Datadog, and every sink.

All sensitive fields forwarded to Splunk, Datadog, and every downstream sink.

With Cerbi
event="UserLoginFailed" email="[REDACTED]"
password="[BLOCKED]" token="[REDACTED]"
ip="[MASKED]" userId="[REDACTED]"
level="ERROR" service="auth-api" ts="2025-01-14T09:41:02Z"
GovernanceViolations=["SensitiveField:email","SensitiveField:password","SensitiveField:token","SensitiveField:ip"]

Sensitive fields governed at emission. Violations recorded. Nothing sensitive leaves the process.
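As an added illustration of emission-time governance (not Cerbi's CerbiStream SDK and not its cerbi.json format), a Python sketch that applies a redact/block/mask policy to the record above, descends into nested objects of the kind a {@user} dump carries, flags missing required fields, and double-checks that no original value survives. The policy, the field-to-action mapping and the second event are assumptions made for this example.

```python
# Constructed policy mirroring the redact/block/mask actions shown above; not Cerbi's cerbi.json format.
POLICY = {
    "sensitive_fields": {"email": "redact", "token": "redact", "userId": "redact",
                         "password": "block", "ip": "mask"},
    "required_fields": ["event", "level", "service", "ts"],
}
ACTION_TEXT = {"redact": "[REDACTED]", "block": "[BLOCKED]", "mask": "[MASKED]"}

# Constructed events: the page's "Without Cerbi" record, and a {@user}-style dump missing service.
LOGIN_FAILED = {"event": "UserLoginFailed", "email": "jane@company.com",
                "password": "SuperSecret123", "token": "abc123xyz", "ip": "192.168.1.42",
                "userId": "usr_8472hx", "level": "ERROR", "service": "auth-api",
                "ts": "2025-01-14T09:41:02Z"}
PROFILE_DUMP = {"event": "ProfileViewed", "level": "INFO", "ts": "2025-01-14T09:42:10Z",
                "user": {"id": 7, "email": "jane@company.com", "password": "SuperSecret123"}}

def _apply(obj, policy, prefix, violations):
    """Walk the event, descend into nested objects, swap sensitive fields for their marker."""
    governed = {}
    for key, value in obj.items():
        action = policy["sensitive_fields"].get(key)
        if action is not None:
            governed[key] = ACTION_TEXT[action]
            violations.append(f"SensitiveField:{prefix}{key}")  # recorded by dotted path
        elif isinstance(value, dict):
            governed[key] = _apply(value, policy, f"{prefix}{key}.", violations)
        else:
            governed[key] = value
    return governed

def govern(event, policy=POLICY):
    """Return the event a sink is allowed to see; violations ride along as evidence."""
    violations = []
    governed = _apply(event, policy, "", violations)
    violations += [f"MissingField:{f}" for f in policy["required_fields"] if f not in event]
    if violations:
        governed["GovernanceViolations"] = violations
    return governed

def leaked_values(original, governed, policy=POLICY):
    """Post-check: an original sensitive value found anywhere in the governed event is a leak."""
    rendered, leaks, stack = repr(governed), [], [original]
    while stack:
        for key, value in stack.pop().items():
            if isinstance(value, dict):
                stack.append(value)
            elif key in policy["sensitive_fields"] and str(value) in rendered:
                leaks.append(key)
    return leaks
```

govern(LOGIN_FAILED) yields the "With Cerbi" record above (plus a userId violation, since this policy lists it), and govern(PROFILE_DUMP) reports user.email, user.password and the missing service field.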

Govern logging behavior before bad logs are created.

14-day free trial · No credit card · One-line setup

Scanner first. Runtime governance next.

Phase 1: Cerbi Scanner (free - no account)

  • Scan code - one CLI command
  • Find risky log calls - detects sensitive fields
  • Generate report - violation evidence

Phase 2: CerbiStream + CerbiShield (paid - your Azure tenant)

  • Add governance policy - cerbi.json rules
  • Enforce before emission - CerbiStream intercepts
  • Send governance evidence - CerbiShield dashboard

The scanner is free and proves the risk in your own repos - no account, no code upload. CerbiShield is what you deploy when the findings report lands in a security review and someone asks: “How do we keep this fixed?” Runtime governance enforces the same policy in-process, so sensitive fields never reach Splunk, Datadog, Azure Monitor, ELK, or any other sink again.

Scope

What Cerbi is not.

Clarity on scope is part of a credible product. Cerbi does one thing well: governs logging behavior at the source.

Not a SIEM

Cerbi does not collect, correlate, or alert on security events. It governs what is written to logs at the source. Your SIEM receives cleaner, more consistent data as a result.

Not a log storage platform

Cerbi has no log storage. Your existing destinations (Splunk, Datadog, Azure Monitor, Elastic, Seq) remain unchanged. Cerbi sits before them, not instead of them.

Not a replacement for your observability stack

Cerbi does not replace Datadog, New Relic, Grafana, or any observability vendor. It makes the data those platforms receive more accurate, consistent, and policy-compliant.

Not a log router or transport layer

Cerbi does not proxy or relay log traffic. There are no additional network hops on the hot path. CerbiStream is in-process; CerbiShield is async and out of band.

What it is

  • A runtime SDK that governs log events before emission
  • A governance control plane for policy management and audit
  • A source-side filter that reduces ingestion noise and cost
  • A compliance tool that enforces schema at the point of creation

When findings matter across teams, add CerbiShield.

Centralized policy, scoring, governance evidence, audit history, and runtime enforcement - deployed into your Azure tenant. The scanner proves the risk; CerbiShield governs it continuously.

See CerbiShield

[ cerbi ] · Start now

One NuGet package. No pipeline changes. Policy-as-code governance that runs in-process before sensitive data ever reaches Splunk, Datadog, or Azure Monitor.

14-day free trial · No credit card · Works with Serilog · NLog · MEL