REST API Static Security Testing
This Azure DevOps extension allows you to add automated static application security testing (SAST) tasks automatically performed on API contract files during the CI/CD pipeline runs.
API contracts must follow the OpenAPI Specification (OAS, formely known as Swagger). Both OAS v2 and v3, and both JSON and YAML formats are supported.
The extension is powered by 42Crunch API Security Audit. Security Audit is a static analysis of the API definition that includes more than 200 checks on best practices and potential vulnerabilities in the way the API defines authentication, authorization, transport, data coming in and going out. See the API Security Encyclopedia for details.
See the documentation for details.
By default, the task locates all OpenAPI files in your project and submits them for static security testing. You can include or exclude specific paths from the discovery phase can omit the discovery phase completely by adding a task configuration file
All discovered APIs are uploaded to an API collection in 42Crunch Platform, named after the repository and branch/tag/PR where the APIs came from. This collection is created at the
first run of the task, and is tied to the repository name and branch/tag/PR name it was created from: the task uses the build variables
Fine-tune the build task
You can add a task configuration file
For more details, see the documentation.
The extension is maintained by firstname.lastname@example.org. If you run into an issue, or have a question not answered here, you can create a support ticket at support.42crunch.com.
If you’re reporting an issue, do include: