OpenAPI Editing with API quality, Conformance and Security TestingThis Visual Studio Code (VS Code) extension adds rich support for the OpenAPI Specification (OAS) (formerly known as the Swagger specification) and makes it easier and faster to navigate your OpenAPI definitions. The extension also comes with the 42Crunch API testing tools (Audit and Scan) so that you can check the quality, conformance and security of your APIs directly in VS Code. Stop malformed data and security vulnerabilities sneaking into your code and prevent API attacks such as BOLA, BPLA and other OWASP API Top 10 risks. You can use these API testing tools by registering for our Freemium service within the extension, with free monthly test allowances. Simply click on the Audit or Scan icon in the Editor tool. 42Crunch subscribers with an account on the 42Crunch platform have unlimited usage of Audit and Scan and can also directly access API collections and security risk assessment reports. Both OAS v2 and v3.0.x are supported, in JSON or YAML format. OpenAPI EditingThe plugin supports code navigation, linting, SwaggerUI or ReDoc preview, IntelliSense, schema enforcement and generation, schema definition links and snippets.
Activating API AuditA static analysis that lets you check the quality and security of your API definition as you work on it. Video explainer Activating API ScanA dynamic conformance and security tool that tests the API for conformance to the API definition and security vulnerabilities. Video explainer The free version of API Scan runs locally in your own environment and requires no API file to be uploaded. FreemiumThis service lets users of our OpenAPI editor extension who are not customers run the API Audit and Scan tests on their APIs. Support and Documentation:We’ve recently launched our developer community where you’ll be able to help, get tips-n-tricks and keep up to speed with all the latest developments: https://developers.42crunch.com/ Quick startAfter installing the plugin, open any JSON or YAML file that contains an OpenAPI definition. The plugin automatically detects that this is an OpenAPI file, and the /API button is shown in the left-hand panel. We also encourage you to watch this video that gives you a full tour of the editor and its different features. Editor featuresThis extension makes it easier and faster to navigate your OpenAPI definitions, especially when they get longer. You can home in on elements in the OpenAPI explorer view, or jump directly to the target of a reference in the API. You can also add new elements to your API directly in the OpenAPI explorer directly where they are needed. Filling in the details is quicker with IntelliSense support for OpenAPI elements. Creating OpenAPI files
Watch this video on editor basics. Navigating an API definition
Add new elements in the OpenAPI explorer
Use IntelliSenseAs you start typing OpenAPI elements or their values, the context-sensitive list of available options is displayed in the IntelliSense menu. In JSON OpenAPI files, just type double-quote ( You can also use the corresponding VS Code hotkey (Ctrl+Space on Windows, Cmd+Space on Mac) to open the IntelliSense menu. Jump to a referenceUse Go to Definition to locate the targets of references easily. To jump to view the definition from a reference in your API, either Ctrl+click a reference, or right-click a reference and click Go to Definition in the shortcut menu. Sort entries in the navigation paneBy default, entries in the OpenAPI Explorer pane are sorted alphabetically. If you want to instead have them sorted in the order they are in the OpenAPI file, change the corresponding setting:
Preview OpenAPI documentationYou can get a documentation-style preview of the API you are editing by clicking the Preview button at the top right: The extension supports two popular OpenAPI documentation generators: SwaggerUI and ReDoc. To change the default OpenAPI Preview rendering engine:
Execute operations with "Try it"With "Try it", you can invoke operations defined in your OpenAPI directly from VS Code:
Try it comes with a number of limitations:
Generate JSON schemas based on the response content"Try it" can be used to generate JSON Schema based on the body of the response.
Configure authentication for external references in OpenAPI filesIf you use references to schemas served by an authenticated HTTP service (such as an Schema Registry service or a repository), you'll need to configure the list of approved hosts in the extension settings. To do this:
In case some of the approved hosts requires authentication, you can configure it in the OpenAPI > External References section of the
After configuring all hosts you need to refer to, all OpenAPI references to any of the approved hosts will be dynamically resolved when linting or previewing your API. Static API Security TestingYou can use this OpenAPI extension to check the quality and security of your API definition as you work on it. This feature is powered by 42Crunch Audit. 42Crunch Audit performs a static analysis of the API definition that includes more than 300 checks on best practices and potential vulnerabilities related to authentication, authorization as well as data constraints. Watch this video to learn more about 42Crunch Audit. You can run the audit service in freemium or platform mode:
Getting a Freemium TokenTo run Security Audit from VS Code, you need a token. The first time you try to audit or scan an API, you are asked to provide your email address or an API token from the platform. Once you supply the address, the extension requests the token to be sent to your mailbox. Paste the token you received in the prompt in VS Code, and you are all set. Watch this short video which takes you through those steps. Running an auditYou can use OpenAPI extension to check the quality of your API as you work on it. You can run the audit directly from VS Code by clicking the 42C button in the upper right corner. Alternatively, you can run an audit for an individual endpoint. Navigating the issues in the audit reportAfter the audit finishes, you get the audit report directly in the VS Code view, side by side with your code. The report viewer provides handy ways to navigate the found issues, even if the report is quite long. Priority issuesLook here for issues that require the most attention.
Those two lists will often overlap and in certain cases be identical, but this is totally normal. Full issue listThe full issue list contains all issues found. The list can be filtered in two ways:
SQG results are not visible yet to all Freemium users.
Issues detailsFor each issue, you have access to full information about the issue, why it is relevant and recommendations on how to address the issue. Watch this video to learn more about audit and how to navigate issues. Fixing issuesMany of the issues reported by 42Crunch Audit have fixes associated with them. These are code snippets that you can insert into the OpenAPI file and then customize with the appropriate value.
(New!) Dynamic API Security testing42Crunch Audit performs a security analysis that does not require any live API, just the definition itself. 42Crunch Scan leverages the OpenAPI definition to:
Watch this video to learn more about 42Crunch Scan. APIs which thoroughly enforce compliance to an established contract are far more resilient to all types of attacks. You must only use 42Crunch Scan against APIs that you own, not those of third parties. Launching 42Crunch ScanScans are run at the operation level only. We recommend you use the 42Crunch API Security Testing Binary to run scans. The alternative is to run a docker image locally. 42Crunch customers can also leverage our scand manager, by deploying an API-driven scan engine on Kubernetes. In order to run a scan, you will need :
When you first launch a scan, you are presented with the scan configuration viewer. The scan configuration is generated automatically from the OpenAPI file you chose to scan.
Once the scan has run, you are presented with a results page. The summary shows if the scan got a testing baseline by running the HappyPath test. Additional testing results are visible from the tests list. For each issue, you can easily reproduce the problem using a curl request. Miscellaneous commands
Network requirementsTo execute the 42Crunch Freemium services, you need access to the following URL: https://stateless.42crunch.com. You may need to ask your administrators to add a firewall rule to allow the connection. Known issues
FeedbackSubmit your bug reports at GitHub project Issues. And, needless to say, your reviews at VS Code marketplace mean the world to us! |