
REST API Static Security Testing

42Crunch

Locate OpenAPI/Swagger files (JSON and YAML, v2 and v3) and run 42Crunch Security Audit SAST checks on them. Define granular success and failure criteria. Get detailed actionable report.

This Azure DevOps extension allows you to add automated static application security testing (SAST) tasks automatically performed on API contract files during the CI/CD pipeline runs.

API contracts must follow the OpenAPI Specification (OAS, formerly known as Swagger). Both OAS v2 and v3, and both JSON and YAML formats, are supported.

The extension is powered by 42Crunch API Security Audit. Security Audit is a static analysis of the API definition that includes more than 200 checks on best practices and potential vulnerabilities in the way the API defines authentication, authorization, transport, data coming in and going out. See the API Security Encyclopedia for details.

You can create a free 42Crunch account at https://platform.42crunch.com/register and then follow the quick start guide to configure the extension.

Quick start

  1. Add the build task to your Azure DevOps organization.
  2. Add the task to the Azure pipeline.
  3. Create a variable called 42C_API_TOKEN.
  4. Create an API token in 42Crunch Platform, and copy the token value into the 42C_API_TOKEN variable.
  5. Save and run the pipeline.
  6. Click the links in the task output for detailed reports.
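The quick start above as a minimal pipeline definition. This is an added example, not a file shipped with the extension: the task name `APIContractSecurityAudit@2` and the input name `apiToken` are assumptions and should be checked against the task as it appears in your Marketplace listing; the variable name `42C_API_TOKEN` and the build variables it relies on are the ones described on this page.

```yaml
# azure-pipelines.yml (added example; task and input names are assumed)
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self

  # 42Crunch REST API Static Security Testing task.
  # The API token is read from the pipeline variable 42C_API_TOKEN. Mark that
  # variable as secret in the pipeline settings so the token is never stored in
  # this YAML file and is masked in the build logs.
  - task: APIContractSecurityAudit@2
    displayName: 'REST API Static Security Testing'
    inputs:
      apiToken: $(42C_API_TOKEN)
```

The task itself derives the target 42Crunch collection from Build.Repository.Uri and Build.SourceBranchName, so nothing about the repository or branch needs to be spelled out in the step; keep the token out of the YAML and rotate it in 42Crunch Platform if it is ever exposed in a log.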

Configure REST API SAST in Azure DevOps

See the documentation for details.

Discover APIs

By default, the task locates all OpenAPI files in your project and submits them for static security testing. You can include or exclude specific paths from the discovery phase, or omit the discovery phase completely, by adding a task configuration file 42c-conf.yaml in the root of your repository and specifying rules for the discovery phase. For more details, see the documentation.

All discovered APIs are uploaded to an API collection in 42Crunch Platform, named after the repository and branch/tag/PR where the APIs came from. This collection is created at the first run of the task, and is tied to the repository name and branch/tag/PR name it was created from: the task uses the build variables Build.Repository.Uri and Build.SourceBranchName to pull the correct details directly from your source control. During the subsequent task runs, the APIs in the collection are kept in sync with any changes in your repository.

Fine-tune the build task

You can add a task configuration file 42c-conf.yaml in the root of your repository to fine-tune the success/failure criteria. For example, you can choose whether to accept invalid API contracts, or define a cut-off at a certain level of issue severity.

For more details, see the documentation.
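A 42c-conf.yaml that exercises both the discovery rules from the previous section and the success/failure criteria from this one. This is an added example, not a file from the extension or from 42Crunch; the key names (`audit`, `branches`, `discovery.search`, `fail_on`, `score`) follow my recollection of the 42Crunch configuration reference and should be verified against the documentation linked above before use.

```yaml
# 42c-conf.yaml in the repository root (added example; key names assumed)
audit:
  branches:
    # Settings apply per branch; "main" here is the branch name the task
    # reads from Build.SourceBranchName.
    main:
      # Discovery phase: glob patterns for OpenAPI candidates. A leading "!"
      # excludes a path, so vendored files and test fixtures are not uploaded
      # to the 42Crunch collection or audited as if they were real contracts.
      discovery:
        search:
          - "**/*.json"
          - "**/*.yaml"
          - "**/*.yml"
          - "!node_modules/**"
          - "!test/fixtures/**"

      # Failure criteria: any one of these failing fails the build step.
      fail_on:
        invalid_contract: true   # do not accept contracts that fail OAS validation
        severity: high           # fail on any issue rated high or above
        score:
          data: 70               # minimum data-validation score (0-100)
          security: 30           # minimum security score (0-100)
```

Start strict on new repositories (reject invalid contracts, fail at high severity) and relax per branch only where a documented exception exists; a single global threshold that is loosened to make the build green removes the gate for every API in the collection.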

Support

The extension is maintained by support@42crunch.com. If you run into an issue, or have a question not answered here, you can create a support ticket at support.42crunch.com.

If you’re reporting an issue, do include:

  • The version of the build task
  • Relevant logs and error messages
  • Steps to reproduce the issue