Azure DevOps task: 42Crunch REST API Static Security Testing (Freemium version)
The REST API Static Security Testing task locates REST API contracts that follow the OpenAPI Specification (OAS, formerly known as Swagger) and runs thorough security checks on them. Both OAS v2 and v3.0.x are supported, in both JSON and YAML format.
This task is working in freemium mode: organizations can run 25 audits per month per repository, with a maximum of three repositories per organization.
You can use this task in the following scenarios:
- Add an automatic static API security testing (SAST) task to your CI/CD workflows.
- Perform these checks on pull request reviews and/or code merges.
Discover APIs in your repositories
By default, this task will:
- Look for any .json, .yaml, or .yml files in the repository.
- Pick the files that use OpenAPI (a.k.a. Swagger) 2.0 or 3.0.x schemas.
- Perform a security audit on each OpenAPI definition.
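The discovery rule above (candidate files by extension, then keep only documents whose top-level version key declares OpenAPI 2.0 or 3.0.x) can be reproduced locally, for example to predict which files a run will audit. The following is an added example and not 42Crunch's own code: the detection heuristic, the pruning of `.git` and `node_modules`, and the sample repository it builds are assumptions of this example, not documented task behaviour.

```python
"""Locate OpenAPI definitions in a repository the way the README describes.

Added example, not 42Crunch's code. Assumed rule: a JSON/YAML mapping whose
top-level key is `swagger: "2.0"` or `openapi: "3.0.x"` counts as an API
contract; anything else (including OpenAPI 3.1) is skipped.
"""
import json
import os
import re
import tempfile
from typing import Optional

CANDIDATE_SUFFIXES = (".json", ".yaml", ".yml")
SWAGGER_2 = re.compile(r"^2\.0$")
OPENAPI_30 = re.compile(r"^3\.0\.\d+$")

try:
    import yaml  # PyYAML is optional; a minimal fallback is used without it
except ImportError:
    yaml = None


def _load_document(path: str) -> Optional[dict]:
    """Parse a candidate file; return None if it is not a mapping document."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    if path.endswith(".json"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            return None
    elif yaml is not None:
        try:
            doc = yaml.safe_load(text)
        except yaml.YAMLError:
            return None
    else:
        # Fallback without PyYAML: only the top-level version key matters,
        # so scan unindented `openapi:` / `swagger:` lines (quotes stripped).
        doc = {}
        for line in text.splitlines():
            m = re.match(r'^(openapi|swagger):\s*["\']?([^"\'\s#]+)', line)
            if m:
                doc[m.group(1)] = m.group(2)
    return doc if isinstance(doc, dict) else None


def _as_version(value) -> Optional[str]:
    # YAML may parse an unquoted `swagger: 2.0` as a float; coerce to text.
    return str(value) if isinstance(value, (str, int, float)) else None


def openapi_version(doc: dict) -> Optional[str]:
    """Return 'oas2' or 'oas3' for supported schemas, else None."""
    swagger = _as_version(doc.get("swagger"))
    openapi = _as_version(doc.get("openapi"))
    if swagger and SWAGGER_2.match(swagger):
        return "oas2"
    if openapi and OPENAPI_30.match(openapi):
        return "oas3"
    return None


def discover_openapi_files(root: str) -> dict:
    """Walk `root`; map each OpenAPI file (relative, '/'-separated) to its family."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Pruning these directories is this example's choice (assumption).
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            if not name.endswith(CANDIDATE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            doc = _load_document(path)
            if doc is None:
                continue
            version = openapi_version(doc)
            if version:
                found[os.path.relpath(path, root).replace(os.sep, "/")] = version
    return found


def build_sample_repo() -> str:
    """Create a throwaway directory of constructed sample files (not real APIs)."""
    root = tempfile.mkdtemp(prefix="oas-discovery-")
    os.makedirs(os.path.join(root, "legacy"))
    os.makedirs(os.path.join(root, "node_modules"))
    files = {
        "openapi.json": json.dumps({"openapi": "3.0.1", "info": {"title": "Pets", "version": "1"}, "paths": {}}),
        "legacy/swagger.json": json.dumps({"swagger": "2.0", "info": {"title": "Old", "version": "1"}, "paths": {}}),
        "api.yaml": 'openapi: "3.0.2"\ninfo:\n  title: Orders\n  version: "1"\npaths: {}\n',
        "next.yml": 'openapi: "3.1.0"\ninfo:\n  title: Future\n  version: "1"\npaths: {}\n',  # unsupported 3.1
        "package.json": json.dumps({"name": "app", "version": "1.2.3"}),  # JSON but not OpenAPI
        "compose.yml": "services:\n  web:\n    image: nginx\n",  # YAML but not OpenAPI
        "node_modules/openapi.json": json.dumps({"openapi": "3.0.0", "paths": {}}),  # pruned
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, family in sorted(discover_openapi_files(build_sample_repo()).items()):
        print(f"{family}: {rel}")
```

Running the script against the constructed repository lists three contracts (`api.yaml`, `legacy/swagger.json`, `openapi.json`) and ignores the 3.1.0 document, the non-API JSON/YAML files and the pruned directory; pointing `discover_openapi_files` at a real checkout shows what the task would pick up before the pipeline runs.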
Requirements
This task is leveraging 42Crunch's Python CLI and requires a Python runtime. You must either use a base image which has Python 3.10 or later installed, or install Python using the UsePythonVersion@0 task.
enforceSQG
If set to true, the task returns a failure when security quality gate (SQG) criteria have failed. Security quality gates are a set of rules that define the minimum security requirements for an API. This freemium task has default gate values which cannot be changed.
If set to false, the task reports SQG failure scenarios without enforcing them, giving a grace period to development teams before breaking builds.
Default is false.
logLevel
Sets the level of detail in the task logs, one of: FATAL, ERROR, WARN, INFO, DEBUG.
Default is INFO.
sarifReport
Converts the audit raw JSON format to SARIF and saves the results into a specified file.
If not present, the SARIF report is not generated.
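A later pipeline step can read the SARIF file named by sarifReport to summarise findings per severity and per file, which is handy while enforceSQG is still false. The following is an added example, not 42Crunch's code: the SARIF document embedded in it is constructed, its rule ids and messages are placeholders rather than real audit rules, and it relies only on standard SARIF 2.1.0 fields (`runs[].results[]` with `ruleId`, `level`, `message.text` and `locations[].physicalLocation.artifactLocation.uri`).

```python
"""Summarise a SARIF report such as the one written by the sarifReport input.

Added example, not 42Crunch's code. SAMPLE_SARIF is constructed for the
demonstration; rule ids, messages and file names are placeholders.
"""
import json
import os
import tempfile
from collections import Counter

# SARIF 2.1.0: when `level` is absent from a "fail" result, it defaults to "warning".
DEFAULT_LEVEL = "warning"

SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "placeholder-audit-tool"}},
        "results": [
            {"ruleId": "placeholder-rule-1", "level": "error",
             "message": {"text": "placeholder finding A"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi.json"}}}]},
            {"ruleId": "placeholder-rule-2", "level": "warning",
             "message": {"text": "placeholder finding B"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openapi.json"}}}]},
            {"ruleId": "placeholder-rule-3",  # no level: exercises the SARIF default
             "message": {"text": "placeholder finding C"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "legacy/swagger.json"}}}]},
        ],
    }],
}


def summarize_sarif(sarif: dict) -> dict:
    """Count results per SARIF level and per reported file."""
    by_level = Counter()
    by_file = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            by_level[result.get("level", DEFAULT_LEVEL)] += 1
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri:
                    by_file[uri] += 1
    return {"by_level": dict(by_level), "by_file": dict(by_file)}


def exceeds_threshold(summary: dict, max_errors: int = 0) -> bool:
    """True when the report holds more `error`-level results than tolerated."""
    return summary["by_level"].get("error", 0) > max_errors


def summarize_sarif_file(path: str) -> dict:
    """Load a SARIF file from disk (e.g. the task's sarifReport path) and summarise it."""
    with open(path, "r", encoding="utf-8") as fh:
        return summarize_sarif(json.load(fh))


if __name__ == "__main__":
    # Write the constructed report to a temp file to mimic reading the task's output.
    path = os.path.join(tempfile.mkdtemp(prefix="sarif-"), "auditreport.sarif")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_SARIF, fh)
    summary = summarize_sarif_file(path)
    print(json.dumps(summary, indent=2))
    print("errors above threshold:", exceeds_threshold(summary))
```

In a pipeline, `summarize_sarif_file` would be pointed at `$(Build.Repository.LocalPath)/$(Build.BuildId)-auditreport.sarif`; the `exceeds_threshold` helper is a local convenience for teams that want a visible count while the task itself is not yet breaking builds, and it is independent of the task's own SQG logic.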
exportAsPDF
(Linux only)
If set, this task exports a summary of all the audit reports as a PDF file. If not present, the PDF report is not generated.
This option only works on Ubuntu-based agents.
Examples
Single step example
A typical new step in an existing workflow would look like this:

```yaml
- task: APISecurityAuditFreemium@1
  inputs:
    enforceSQG: false
    logLevel: INFO
    sarifReport: '$(Build.Repository.LocalPath)/$(Build.BuildId)-auditreport.sarif'
    exportAsPDF: '$(Build.Repository.LocalPath)/$(Build.BuildId)-auditreport.pdf'
```
Full pipeline example
A typical pipeline which checks out the contents of the repository, runs Security Audit on each of the OpenAPI files found in the workspace and saves the resulting SARIF file as an artifact would look like this:

```yaml
trigger:
  branches:
    include:
      - main

jobs:
  - job: run_42crunch_audit
    displayName: 'Run Audit'
    pool:
      vmImage: 'ubuntu-latest'
    steps:
      - task: UsePythonVersion@0
        inputs:
          versionSpec: '3.11'
          addToPath: true
          architecture: x64
      - task: APISecurityAuditFreemium@1
        inputs:
          enforceSQG: false
          sarifReport: '$(Build.Repository.LocalPath)/$(Build.BuildId)-auditreport.sarif'
          exportAsPDF: '$(Build.Repository.LocalPath)/$(Build.BuildId)-auditreport.pdf'
      - task: PublishBuildArtifacts@1
        displayName: publishAuditSarif
        inputs:
          PathtoPublish: '$(Build.Repository.LocalPath)/$(Build.BuildId)-auditreport.sarif'
          ArtifactName: 'CodeAnalysisLogs'
          publishLocation: 'Container'
```
Limitations
The freemium version gives you full access to 42Crunch audit features. It does have usage limitations:
- Organizations on freemium service are limited to 25 audits per repository, with a maximum of three repositories per organization. The limit is reset every calendar month.
- Only the default security quality gates (SQGs) are included.
- Only the standard data dictionary is included.
Testing this task
If you want to easily test this task, you can fork this project. It contains several sample OpenAPI files with security issues.
Support
The task is maintained by the 42Crunch ecosystems team. If you run into an issue, or have a question not answered here, you can create a support ticket at support.42crunch.com and we will be happy to help.
When reporting an issue, do include:
- The version of the AzureDevOps task
- Relevant logs and error messages
- Steps to reproduce the issue