REST API Static Security Testing

This Azure DevOps extension allows you to add automated static application security testing (SAST) tasks automatically performed on API contract files during the CI/CD pipeline runs.

API contracts must be in OpenAPI (aka Swagger) format. Both JSON and YAML formats, and both v2 and v3 are supported.

The extension is using 42Crunch Security Audit functionality. 42Crunch Security Audit is a static analysis of the API definition that includes more than 200 checks on best practives and potential vulnerabilities in the way the API defines authentication, authorization, transport, data coming in and going out. See the API Security Encyclopedia for details.

You can create a free 42Crunch account at https://platform.42crunch.com/register and then follow the quick start guide to configure the extension.

Quick start

1. Add the extension
2. Add the task to the pipeline
3. Create the 42C_API_TOKEN variable
4. Create an API token in 42Crunch platform and copy its value into the variable
5. Save and run the pipeline
6. Click the links in the task output for detailed reports

See the quick start guide for details.

Discover APIs

By default, the extension locates all OpenAPI (also known as Swagger) files in the repository and submits them for static security testing. We support both JSON and YAML formats, OpenAPI v2 and v3.

You can fine-tune the behavior by creating 42c-conf.yaml file in the root of the repository and putting the corresponding settings in it:

• discovery: false - would prevent the extension from discovering new APIs. Instead, it will only pick the APIs listed in the mapping section.
• In the discovery section of the file, you can provide paths and masks to be included and excluded from discovery.

See the quick start guide for details.

Create per-branch reports

When discovery mode is used, the extension will automatically create a Collection in the 42Crunch platform and put the reports on the APIs audited in this run in there. By default, the collection name follows the RepoName BranchName convention, but you can change this in the task settings of the pipeline.

Fine-tune the success and failure criteria

Security audit for each API file produces a score between 1 and 100. 100 being the most secure, best defined API.

By default, the threshold is 75 but you can change it in the settings of the pipeline task.

You can also use various fields of the 42c-conf.yaml file to fine-tune the success/failure criteria. For example, on whether to accept invalid contract or have a cut-off on a certain level of issue severity.

See the quick start guide for details.

Support

Create support tickets at support.42crunch.com or ask your questions on the Q&A tab of the extension page in the Azure marketplace.