diff --git a/.circleci/config.yml b/.circleci/config.yml
index e521c1e..cc0bfdb 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -62,7 +62,16 @@ jobs:
       - run:
           name: Brakeman
           command: bundle exec brakeman
-
+  bearer:
+    docker:
+      - image: cimg/ruby:3.2
+    environment:
+      # Set to default branch of your repo
+      DEFAULT_BRANCH: main
+    steps:
+      - checkout
+      - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp
+      - run: CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan .
 workflows:
   version: 2
   build_and_test:
@@ -80,3 +89,4 @@ workflows:
       - brakeman:
           requires:
             - build
+      - bearer
diff --git a/bearer.yml b/bearer.yml
new file mode 100644
index 0000000..ebfd4b4
--- /dev/null
+++ b/bearer.yml
@@ -0,0 +1,32 @@
+disable-version-check: false
+log-level: info
+report:
+  fail-on-severity: critical,high,medium,low
+  format: ""
+  no-color: false
+  output: ""
+  report: security
+  severity: critical,high,medium,low,warning
+rule:
+  disable-default-rules: false
+  only-rule: []
+  # Tickets to remediate these rules and remove from this stanza:
+  # ruby_lang_eval_linter - https://github.com/pulibrary/repecwp/issues/139
+  # ruby_rails_default_encryption - https://github.com/pulibrary/repecwp/issues/140
+  skip-rule: [ruby_lang_eval_linter, ruby_rails_default_encryption]
+scan:
+  context: ""
+  data_subject_mapping: ""
+  disable-domain-resolution: true
+  domain-resolution-timeout: 3s
+  exit-code: -1
+  external-rule-dir: []
+  force: false
+  hide_progress_bar: false
+  internal-domains: []
+  parallel: 0
+  quiet: false
+  scanner:
+    - sast
+  skip-path: []
+  skip-test: true
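Review bot: The install step of the new `bearer` job pipes an unpinned script fetched from the upstream `main` branch straight into `sh`, so the job runs whatever that URL serves on the day it executes, the scanner version drifts silently between builds, and the binary lands in `/tmp` with no integrity check. Pin the scanner to a specific release and verify what was downloaded (a checksum of the release asset, or a version-tagged container image for the job, whichever the project's tooling supports) so scan results are reproducible and an altered script cannot execute in CI. The preceding `bundle exec brakeman` step shows the project already pins its other scanner through the Gemfile; this job should have the same property. The comment `# Set to default branch of your repo` reads as template boilerplate now that the value is already `main`; replace it with a comment stating what the scanner uses `DEFAULT_BRANCH` for, or drop it.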
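Review bot: `- bearer` is added to the workflow without the `requires: - build` that the `brakeman` entry directly above it carries, so it starts in parallel with `build` and still runs when the build job fails. If that is intended (the scan only needs the checkout) a short comment saying so would stop the next reader from "fixing" it; otherwise mirror the preceding entry: `- bearer:` / `requires:` / `- build`.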
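Review bot: `skip-rule: [ruby_lang_eval_linter, ruby_rails_default_encryption]` disables both rules repository-wide, so the scanner also stays silent about any new `eval` call or unencrypted model added after the linked tickets were filed, not only the existing findings they track. If the Bearer version in use supports ignoring findings individually by fingerprint (a `bearer ignore` entry recorded in an ignore file), prefer that for the known occurrences and drop the rule-level skip; otherwise keep the skip but put the expected removal date next to each ticket link in the comment. Because `fail-on-severity` already includes `low`, the gate is otherwise strict, which makes this blanket skip the one place a regression would pass unnoticed. The `scanner` list enables only `sast`; if the team also wants committed credentials caught in this job, Bearer's `secrets` scanner can be added to the same list.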