diff --git a/.circleci/config.yml b/.circleci/config.yml
index 73d4929..468c3b8 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -74,6 +74,17 @@ jobs:
 - run:
 name: Run Rspec
 command: bundle exec rspec
+ bearer:
+ docker:
+ - image: cimg/ruby:3.2
+ environment:
+ # Set to default branch of your repo
+ DEFAULT_BRANCH: main
+ steps:
+ - checkout
+ - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp
+ - run: CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan .
+
 workflows:
 version: 2
 build_accept_deploy:
@@ -82,3 +93,4 @@ workflows:
 matrix:
 parameters:
 ruby-version: ["3.1.3"]
+ - bearer
\ No newline at end of file
diff --git a/bearer.yml b/bearer.yml
new file mode 100644
index 0000000..29f2790
--- /dev/null
+++ b/bearer.yml
@@ -0,0 +1,33 @@
+disable-version-check: false
+log-level: info
+report:
+ fail-on-severity: critical,high,medium,low
+ format: ""
+ no-color: false
+ output: ""
+ report: security
+ severity: critical,high,medium,low,warning
+rule:
+ disable-default-rules: false
+ only-rule: []
+ # Tickets to remediate these rules and remove from this stanza:
+ # ruby_rails_open_redirect - https://github.com/pulibrary/DSS/issues/479
+ # ruby_rails_password_length - https://github.com/pulibrary/DSS/issues/480
+ # ruby_rails_default_encryption - https://github.com/pulibrary/DSS/issues/481
+ skip-rule: [ruby_rails_open_redirect, ruby_rails_password_length, ruby_rails_default_encryption]
+scan:
+ context: ""
+ data_subject_mapping: ""
+ disable-domain-resolution: true
+ domain-resolution-timeout: 3s
+ exit-code: -1
+ external-rule-dir: []
+ force: false
+ hide_progress_bar: false
+ internal-domains: []
+ parallel: 0
+ quiet: false
+ scanner:
+ - sast
+ skip-path: []
+ skip-test: true
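Review bot: The install step of the new `bearer` job fetches `contrib/install.sh` from the `main` branch and pipes it straight into `sh`, so both the installer and the scanner version it resolves are unpinned and cannot be audited from the job log. Pin the script URL to a release tag or commit instead of `main`, save it to a file and verify it before running it, e.g. `curl -sfL -o /tmp/install.sh <pinned-url>` / `echo "<expected-sha256>  /tmp/install.sh" | sha256sum -c` / `sh /tmp/install.sh -b /tmp`, with `<pinned-url>` and `<expected-sha256>` taken from the Bearer release you intend to use. The `cimg/ruby:3.2` image could likewise be pinned by digest for reproducible scans. `DEFAULT_BRANCH` is set under `environment` but is not referenced by the scan command; if Bearer reads it implicitly, a comment saying so would help, otherwise it can be dropped.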
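Review bot: The added `- bearer` entry leaves `.circleci/config.yml` without a trailing newline (`\ No newline at end of file`); add the final newline so the next change to this file does not show a spurious diff on this line. The job is appended to `build_accept_deploy` with no `requires`, so it runs in parallel with the existing jobs; if the intent is to gate deployment on the scan result, the deploying job's `requires` list would need to name `bearer`, which this hunk does not show. The enclosing workflow definition starts outside the hunk.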
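Review bot: `skip-rule` under `rule` disables `ruby_rails_open_redirect`, `ruby_rails_password_length` and `ruby_rails_default_encryption` for the whole repository, so any new occurrence of those patterns added later will pass CI silently until the linked tickets are closed. If the current findings are a fixed set, a per-finding ignore (the `bearer ignore` fingerprint mechanism, if the version in use supports it) would keep the rules active for new code; if the blanket skip is deliberate, a comment such as `# Repo-wide skip: new findings for these rules will NOT fail CI until the tickets below are resolved` makes the trade-off explicit. `exit-code: -1` together with `fail-on-severity` is what decides whether the CircleCI job fails; this presumably means "derive the exit code from fail-on-severity", but since the pipeline now depends on it, a one-line comment stating the expected behaviour, e.g. `# -1: exit status is driven by report.fail-on-severity`, is worth adding.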