CI/CD integrations

You can integrate API Security Audit and API Conformance Scan with your CI/CD pipeline to automate checking OpenAPI files from a simple Git push to your project repository. This safeguards the quality of the OpenAPI definitions in your project and mitigates potential security issues, because any new files or changes that developers check in are continuously audited.

CI/CD integration for Security Audit

The integration plugin REST API Static Security Testing is available off-the-shelf for the following CI/CD solutions:

Integration with other CI/CD solutions can be deployed on demand.

How the Security Audit integration works

Security Audit is integrated through a plugin that adds a build task or job to your CI/CD pipeline. The plugin checks the quality of the OpenAPI files present in your project. If the detected APIs do not meet the criteria you define, the plugin fails and aborts the build, so that bad APIs are not included in your project.

The CI/CD plugin works in two phases:

  • Discovery: The plugin checks your project for any .json, .yaml, and .yml files. When it finds a file, it checks if the file states that it is an OpenAPI file. If the file is .yaml or .yml, it is automatically converted to JSON. The discovered APIs are automatically uploaded to an API collection in 42Crunch Platform.
  • Audit: Security Audit audits the uploaded APIs for their well-formedness and security. If the quality of the APIs meets your criteria, the task or job ends with a success; if it does not, the task fails. Your CI/CD pipeline processes the result as you have defined and then continues to the next task or job.

The plugin uses API tokens with specific access rights (scopes) to access 42Crunch Platform.

When the integration plugin runs, it uploads the API definitions it finds during the discovery phase to a particular API collection in your organization in 42Crunch Platform. The plugin uses the naming convention repository path--branch name for the created API collection, for example, https://github.com/42Crunch/sample--sample. The exact name and pattern depend on your CI/CD system.

An example screenshot of five API collections where one collection is created through CI/CD integration and shows the repository information.

On subsequent runs, the plugin synchronizes the contents of the API collection with the APIs in your source control repository:

  • APIs added to your repository are added to the collection.
  • APIs removed from your repository are removed from the collection.
  • APIs found both in your repository and in the collection retain their API UUIDs in 42Crunch Platform, but their contents are replaced with the contents of the files in your repository.

Make sure that you do not accidentally overwrite content in the API definition that you would like to keep. The plugin replaces all contents of the APIs in 42Crunch Platform with the contents of the API files in your repository, so any change that is not reflected in the OpenAPI file in your repository is lost from the platform.
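The discovery rule (scan .json/.yaml/.yml files, keep only those that declare themselves OpenAPI, convert YAML to JSON) and the collection synchronization rules above, modelled as an added example; this is illustrative code, not the 42Crunch plugin's own implementation. The in-memory repository, the collection layout ({path: {"uuid", "contents"}}) and the use of PyYAML for the YAML conversion are assumptions.

```python
import json

try:
    import yaml  # PyYAML, assumed installed: converts YAML definitions to JSON
except ImportError:  # without it, YAML files are skipped rather than mis-parsed
    yaml = None

# Constructed in-memory "repository" (path -> file text); not a real checkout.
REPO_FILES = {
    "api/pets.json": '{"openapi": "3.0.0", "info": {"title": "Pets", "version": "2"}, "paths": {}}',
    "api/legacy.yaml": "swagger: '2.0'\ninfo:\n  title: Legacy\n  version: '1'\npaths: {}\n",
    "package.json": '{"name": "demo", "version": "1.0.0"}',  # JSON, but not an API
}

def collection_name(repo_path, branch):
    """Collection naming convention from the text: '<repository path>--<branch name>'."""
    return f"{repo_path}--{branch}"

def discover(files):
    """Discovery phase: parse .json/.yaml/.yml files, keep those whose top level
    declares 'openapi' or 'swagger', and return {path: JSON text} (YAML converted)."""
    found = {}
    for path, text in files.items():
        try:
            if path.endswith(".json"):
                doc = json.loads(text)
            elif path.endswith((".yaml", ".yml")) and yaml is not None:
                doc = yaml.safe_load(text)
            else:
                continue
        except Exception:  # JSONDecodeError / yaml.YAMLError: not a usable definition
            continue
        if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
            found[path] = json.dumps(doc)
    return found

def plan_sync(repo_apis, collection):
    """Subsequent run: diff repository APIs against the platform collection.
    Every API present on both sides is replaced, whether or not it changed."""
    repo_paths, coll_paths = set(repo_apis), set(collection)
    return {"add": sorted(repo_paths - coll_paths),
            "remove": sorted(coll_paths - repo_paths),
            "replace": sorted(repo_paths & coll_paths)}

def apply_sync(repo_apis, collection, new_uuid):
    """Collection after the run: added APIs get a fresh UUID, retained ones keep
    theirs but their contents are overwritten, so platform-only edits are lost."""
    plan = plan_sync(repo_apis, collection)
    after = {p: {"uuid": new_uuid(p), "contents": repo_apis[p]} for p in plan["add"]}
    for p in plan["replace"]:
        after[p] = {"uuid": collection[p]["uuid"], "contents": repo_apis[p]}
    return after  # paths in plan["remove"] are simply absent from the result
```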