You can integrate API Security Audit with your CI/CD pipeline to automate checking OpenAPI files with Security Audit from a simple Git push to your project repository. This safeguards the quality of the OpenAPI definitions in your project and mitigates potential security issues, as any new files or changes that developers check in are continuously audited.
CI/CD integration for Security Audit
The integration plugin REST API Static Security Testing is available off-the-shelf for the following CI/CD solutions:
- Azure Pipelines
- Bitbucket Pipelines
- GitHub Actions
- GitLab Pipelines
For more details and to get the extensions, see CI/CD Tools. REST API Static Security Testing is also available as a generic Docker image.
Security Audit is integrated through a plugin that adds a build task or job to your CI/CD pipeline. The plugin checks the quality of the OpenAPI files present in your project. If the detected APIs do not meet the criteria you define in the plugins or in your security quality gates in 42Crunch Platform, the plugin fails and aborts the build, so that bad APIs are not included in your project.
The CI/CD plugin works in two phases:
- Discovery: The plugin checks your project for any
.ymlfiles. When it finds a file, it checks if the file states that it is an OpenAPI file. If the file is
.yml, it is automatically converted to JSON. The discovered APIs are automatically uploaded to an API collection in 42Crunch Platform.
- Audit: Security Audit audits the uploaded APIs for their well-formedness and security. If the quality of the APIs meets your criteria, the task or job ends with a success, if they do not, the task fails. Your CI/CD pipeline processes the result as you have defined and the continues to the next task or job.
The plugin uses API tokens with specific access rights (scopes) to access 42Crunch Platform.
When the integration plugin runs, it uploads the API definitions it finds during the discovery phase to a particular API collection in your organization in 42Crunch Platform. By default when running on branch, the plugin uses the naming convention
<shortened-source-control-uri> Branch:<branch-name> for the created API collection, for example,
On subsequent runs, the plugin synchronizes the contents of the API collection with the APIs in your source control repository:
- APIs added to your repository are added to the collection.
- APIs removed from your repository are removed from the collection
- APIs found both in your repository and in the collection retain their API UUIDs in 42Crunch Platform but their contents are replaced with the contents of the files in your repository
Make sure that you do not accidentally overwrite things in the API definition that you would like to keep. The plugin will replace all contents in the APIs in 42Crunch Platform with the contents of the API files in your repository. Any changes that are not reflected in the OpenAPI file in your repository are lost from the platform.