You can integrate API Security Audit and API Conformance Scan with your CI/CD pipeline to automate checking OpenAPI files on a simple Git push to your project repository. This safeguards the quality of the OpenAPI definitions in your project and mitigates potential security issues, because any new files or changes that developers check in are continuously audited.
CI/CD integration for Security Audit
The integration plugin REST API Static Security Testing is available off-the-shelf for the following CI/CD solutions:
- Azure Pipelines: A custom build task available on Visual Studio Marketplace
- Bamboo: An app available from Atlassian Marketplace
- Bitbucket Pipelines: A custom pipe available in Bitbucket Pipelines templates
- GitHub Actions: A custom action available in GitHub Marketplace
- GitLab Pipelines: A custom job available in Docker Hub
- Jenkins: A plugin for a build step available from Jenkins Update Center
Integration with other CI/CD solutions can be deployed on demand.
The CI/CD plugin works in two phases:
- Discovery: The plugin checks your project for any .yml files. When it finds a file, it checks if the file states that it is an OpenAPI file. If the file is .yml, it is automatically converted to JSON. The discovered APIs are automatically uploaded to an API collection in 42Crunch Platform.
- Audit: Security Audit audits the uploaded APIs for their well-formedness and security. If the quality of the APIs meets your criteria, the task or job ends with a success; if it does not, the task fails. Your CI/CD pipeline processes the result as you have defined and then continues to the next task or job.
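The discovery phase above is the part of the plugin most worth understanding when you decide what lives in your repository, because everything it recognizes as an OpenAPI file gets uploaded. The following Python is an added example written for this page, not the plugin's own code: it walks a constructed sample repository, treats a `.json`, `.yml` or `.yaml` file as "stating that it is an OpenAPI file" when it carries a top-level `openapi` or `swagger` key (that test is an assumption of this example), and returns the matching repo-relative paths. The YAML check is a deliberate column-0 regex so the example runs without a YAML library; the sample files are constructed inline.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption for this example: a file declares itself as an OpenAPI document when one
# of these keys appears at the top level (OpenAPI 3.x uses "openapi", Swagger 2.0 "swagger").
OPENAPI_KEYS = ("openapi", "swagger")

# Matches a top-level YAML key such as `openapi: 3.0.0` (column 0, no indentation),
# so an indented or commented occurrence deeper in the file does not count.
_YAML_TOP_KEY = re.compile(r"^(openapi|swagger)\s*:", re.MULTILINE)


def declares_openapi(path: Path) -> bool:
    """Return True if the file states that it is an OpenAPI/Swagger document."""
    text = path.read_text(encoding="utf-8", errors="replace")
    if path.suffix == ".json":
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            return False  # malformed JSON is not an API definition
        return isinstance(doc, dict) and any(k in doc for k in OPENAPI_KEYS)
    # .yml / .yaml: look for the declaring key at column 0
    return _YAML_TOP_KEY.search(text) is not None


def discover(root: Path) -> list[str]:
    """Walk the repository and return repo-relative paths of discovered OpenAPI files."""
    found = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in (".json", ".yml", ".yaml"):
            if declares_openapi(path):
                found.append(path.relative_to(root).as_posix())
    return found


def build_sample_repo() -> Path:
    """Create a constructed sample repository in a temp dir (example data, not a real project)."""
    root = Path(tempfile.mkdtemp(prefix="sample-repo-"))
    (root / "apis").mkdir()
    (root / ".github").mkdir()
    # Two genuine API definitions, one OpenAPI 3 in YAML and one Swagger 2 in JSON.
    (root / "apis" / "pets.yml").write_text(
        "openapi: 3.0.0\ninfo:\n  title: Pets\n  version: '1.0'\npaths: {}\n"
    )
    (root / "apis" / "legacy.json").write_text(
        json.dumps({"swagger": "2.0", "info": {"title": "Legacy", "version": "1"}, "paths": {}})
    )
    # Two decoys: a CI workflow (YAML but not an API) and JSON whose key only resembles "openapi".
    (root / ".github" / "workflow.yml").write_text("name: ci\non: push\njobs: {}\n")
    (root / "apis" / "notes.json").write_text('{"openapi-notes": "just a comment file"}')
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel in discover(repo):
        print("would upload:", rel)
```

Running the script lists only `apis/legacy.json` and `apis/pets.yml`; the workflow file and the look-alike JSON are skipped, which is the behaviour you want before anything is pushed into a platform collection.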
The plugin uses API tokens with specific access rights (scopes) to access 42Crunch Platform.
On the first run, the plugin names the created API collection after the repository path and branch name, in the form repository path--branch name, for example, https://github.com/42Crunch/sample--sample. The exact name and pattern depends on your CI/CD system.
On subsequent runs, the plugin synchronizes the contents of the API collection with the APIs in your source control repository:
- APIs added to your repository are added to the collection.
- APIs removed from your repository are removed from the collection.
- APIs found both in your repository and in the collection retain their API UUIDs in 42Crunch Platform, but their contents are replaced with the contents of the files in your repository.
Make sure that you do not accidentally overwrite anything in the API definitions on the platform that you want to keep. The plugin replaces all contents of the APIs in 42Crunch Platform with the contents of the API files in your repository, so any change that is not reflected in the OpenAPI file in your repository is lost from the platform.
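The three synchronization rules above, and the overwrite caveat that follows from them, are easiest to see in a small simulation. The Python below is an added example for this page, not the plugin's or the platform's code: a `Collection` class stands in for the platform-side API collection (its name built from the repository path and branch as the page describes), and `sync()` applies the rules to a dict of repo-relative paths mapped to file contents. The UUIDs are generated locally for the example, and the second run shows a platform-side edit being discarded because it was never written back to the repository.

```python
import uuid
from dataclasses import dataclass, field


def default_collection_name(repository_path: str, branch: str) -> str:
    """Collection name in the form `repository path--branch name` used on the first run."""
    return f"{repository_path}--{branch}"


@dataclass
class SyncReport:
    """What one synchronization run did to the collection."""
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    replaced: list = field(default_factory=list)


class Collection:
    """Simulated platform-side API collection: path -> (api_uuid, contents)."""

    def __init__(self, name: str):
        self.name = name
        self.apis: dict = {}

    def sync(self, repo_apis: dict) -> SyncReport:
        report = SyncReport()
        # Rule 2: APIs no longer in the repository are removed from the collection.
        for path in list(self.apis):
            if path not in repo_apis:
                del self.apis[path]
                report.removed.append(path)
        for path, contents in repo_apis.items():
            if path in self.apis:
                # Rule 3: existing API keeps its UUID, but its contents are replaced wholesale.
                api_id, _old_contents = self.apis[path]
                self.apis[path] = (api_id, contents)
                report.replaced.append(path)
            else:
                # Rule 1: new API in the repository gets a fresh entry (UUID constructed here).
                self.apis[path] = (str(uuid.uuid4()), contents)
                report.added.append(path)
        return report


def demo():
    """Two runs against constructed repository contents; returns what a test can inspect."""
    coll = Collection(default_collection_name("https://github.com/42Crunch/sample", "sample"))
    pets_v1 = {"openapi": "3.0.0", "info": {"title": "Pets", "version": "1.0"}, "paths": {}}
    orders = {"openapi": "3.0.0", "info": {"title": "Orders", "version": "1.0"}, "paths": {}}
    first = coll.sync({"apis/pets.yml": pets_v1, "apis/orders.yml": orders})
    pets_id = coll.apis["apis/pets.yml"][0]

    # Someone edits the Pets API directly on the platform without committing the change.
    platform_edit = dict(pets_v1, info={**pets_v1["info"], "description": "edited on platform"})
    coll.apis["apis/pets.yml"] = (pets_id, platform_edit)

    # Next push: orders.yml was deleted, users.yml was added, pets.yml is unchanged in git.
    users = {"openapi": "3.0.0", "info": {"title": "Users", "version": "1.0"}, "paths": {}}
    second = coll.sync({"apis/pets.yml": pets_v1, "apis/users.yml": users})
    return coll, first, second, pets_id


if __name__ == "__main__":
    coll, first, second, pets_id = demo()
    print(coll.name)
    print("run 1:", first)
    print("run 2:", second)
    print("pets description survived?", "description" in coll.apis["apis/pets.yml"][1]["info"])
```

The last line prints `False`: the Pets API kept its UUID across both runs, but the description added on the platform was replaced by the repository's copy, which is exactly the situation the caveat warns about.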