Freemium services

Freemium CI/CD integration for API Security Audit and API Conformance Scan lets you try out the features before deciding on a subscription to 42Crunch Platform. The freemium integration is provided through two dedicated plugins:

  • 42Crunch REST API Static Security Testing (Freemium): Just like the full version, the freemium audit plugin automatically checks that the OpenAPI definitions you push to your source control repository adhere to the OpenAPI Specification (OAS) and catches any security issues your API might contain. Unlike the full version, it does not require an account in 42Crunch Platform: instead of uploading the API definition to the platform, the audit runs in your CI/CD pipeline and the results are published in your repository.
  • 42Crunch Dynamic API Security Testing (Freemium): The freemium scan plugin tests your live API implementation for security vulnerabilities (such as those in the OWASP API Security Top 10) and checks whether the responses the API returns match the contract set out in the API definition, to catch data leaks and unexpected behaviour.

How the integration works

The audit plugin, REST API Static Security Testing, crawls your repository looking for OpenAPI files and audits each one it discovers:

  1. The plugin checks your project for any .json, .yaml, and .yml files. When it finds a file, it checks whether the file declares itself to be an OpenAPI file (an OpenAPI definition carries a top-level openapi version field in v3, or a top-level swagger field in v2).
  2. On each OpenAPI file it finds, the plugin performs a static analysis of the API definition against the OpenAPI Specification (OAS), checking that the definition adheres to the specification and catching any security issues your API might contain:
    • OpenAPI format: Is your API a valid and well-formed OpenAPI file, and does it follow the best practices and the spirit of the OpenAPI Specification? Can it be correctly parsed, reviewed, or protected?
    • Security: How good are the security definitions in your API? Have you defined authentication and authorization methods, and is your chosen protocol secure enough?
    • Data validation: What is the data definition quality of your API? How well have you defined what data your API accepts as input or can include in the output it produces, and how strong are the schemas you have defined for your API and its parameters?
  3. The plugin then transforms the raw JSON report into a SARIF report and publishes it in GitHub Code Scanning. The results clearly indicate the issues found and their severity levels, so you can prioritize which issues to fix first.

Because the scan plugin, Dynamic API Security Testing, needs additional information about the API it tests, such as the URL to send requests to and the credentials to authenticate to the API, you must add a separate step in your workflow for each API you want to scan so that the plugin knows which details apply to which API. Store the credentials as repository or environment secrets rather than in the workflow file itself, since the workflow file is committed to the repository. For each API that has a step in your workflow, the scan plugin generates and sends test requests that reproduce the behavior of a potential attacker, and then uploads a SARIF report to GitHub Code Scanning, just like the audit plugin.

Both OpenAPI Specification v2 and v3 are supported. The file size of your API definition should not exceed 10 MB.
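Before committing a workflow, it is useful to know which files the audit plugin will pick up and whether any of them fall outside the limits above. The following pre-flight script, an added example and not 42Crunch code, mirrors the discovery step described above: it walks a checkout for .json, .yaml and .yml files, keeps only those that declare themselves OpenAPI (top-level openapi or swagger version field), classifies them as v2, v3 or unsupported, flags files over the size ceiling, and emits a minimal SARIF 2.1.0 log in the shape GitHub Code Scanning accepts. The exact matching rules of the real plugin, the skipped directories, and the sample repository contents are assumptions; the YAML check is a heuristic on an unindented top-level key so that the script needs no YAML library.

```python
"""Pre-flight discovery of OpenAPI files ahead of a freemium audit run.
Added example, not 42Crunch code; matching rules and sample files are assumptions."""
import json
import os
import re
import tempfile
from dataclasses import dataclass, field

MAX_SIZE_BYTES = 10 * 1024 * 1024          # page states a 10 MB ceiling (binary MB assumed)
CANDIDATE_EXTENSIONS = {".json", ".yaml", ".yml"}
SKIP_DIRS = {".git", "node_modules"}       # assumption: vendored trees are not worth auditing

# Unindented top-level `openapi:` / `swagger:` key; heuristic instead of a full YAML parse.
YAML_DECL_RE = re.compile(r'^(?:openapi|swagger)\s*:\s*["\']?(\d+(?:\.\d+)*)', re.MULTILINE)


@dataclass
class OpenApiFile:
    path: str                 # repository-relative path, forward slashes (what SARIF expects)
    version: str              # declared value, e.g. "2.0" or "3.0.3"
    size: int
    problems: list = field(default_factory=list)


def declared_version(text: str, ext: str):
    """Return the OAS version the file declares about itself, or None if it is not OpenAPI."""
    if ext == ".json":
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            return None
        if not isinstance(doc, dict):
            return None
        for key in ("openapi", "swagger"):
            if isinstance(doc.get(key), str):
                return doc[key]
        return None
    m = YAML_DECL_RE.search(text)
    return m.group(1) if m else None


def oas_family(version: str) -> str:
    """Map a declared version to the families the freemium plugin supports."""
    return {"2": "v2", "3": "v3"}.get(version.split(".")[0], "unsupported")


def discover(root: str, max_size: int = MAX_SIZE_BYTES) -> list:
    """Walk `root` like the audit plugin does and collect self-declared OpenAPI files."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in CANDIDATE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = declared_version(fh.read(), ext)
            if version is None:
                continue                   # not an OpenAPI file: ignored, as the plugin ignores it
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entry = OpenApiFile(rel, version, os.path.getsize(path))
            if entry.size > max_size:
                entry.problems.append(f"{entry.size} bytes exceeds the {max_size}-byte limit")
            if oas_family(version) == "unsupported":
                entry.problems.append(f"OpenAPI {version} is neither v2 nor v3")
            found.append(entry)
    return sorted(found, key=lambda f: f.path)


def to_sarif(files: list) -> dict:
    """Minimal SARIF 2.1.0 log with one warning per pre-flight problem."""
    results = [
        {"ruleId": "preflight/openapi-file", "level": "warning",
         "message": {"text": problem},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.path}}}]}
        for f in files for problem in f.problems
    ]
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "openapi-preflight"}}, "results": results}]}


SAMPLE_REPO = {  # constructed sample checkout, not real APIs
    "api/petstore.yaml": "openapi: 3.0.3\ninfo:\n  title: Petstore\n  version: 1.0.0\npaths: {}\n",
    "legacy/swagger.json": json.dumps({"swagger": "2.0", "info": {"title": "Legacy"}, "paths": {}}),
    "api/v4-draft.yml": "openapi: 4.0.0\ninfo:\n  title: Future\n",
    "helm/values.yaml": "service:\n  openapi: 3.0.0\n  port: 8080\n",   # nested key: not OpenAPI
    "config/list.json": "[1, 2, 3]",                                    # JSON but not an object
    "big/bulk.yaml": "openapi: 3.1.0\n# " + "x" * 2000 + "\n",          # oversized with a small cap
    "node_modules/dep/openapi.json": json.dumps({"openapi": "3.0.0"}),  # skipped directory
}


def preflight_sample(max_size: int = MAX_SIZE_BYTES) -> list:
    """Write the constructed repo to a temp dir, run discovery, return (path, version, problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_REPO.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return [(f.path, f.version, list(f.problems)) for f in discover(tmp, max_size)]


if __name__ == "__main__":
    # A 1 KB cap stands in for the real 10 MB ceiling so the sample trips it.
    for rel, version, problems in preflight_sample(max_size=1024):
        print(f"{rel}: OpenAPI {version} ({oas_family(version)}) {problems or 'ok'}")
```

Run it against a real checkout with `discover(".")` and `json.dumps(to_sarif(...))`; the count of files it returns is also the number of audits the plugin will consume from the monthly quota on that repository. Note that a .yaml file containing JSON text (valid YAML, but not matched by the unindented-key heuristic) would be missed by this script even though a full YAML parser would accept it.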

Limitations to the freemium version

The basic functionality of the integration is the same, but the freemium version does have some limitations compared to the full version:

  • Organizations on the freemium service are limited to 25 audits or scans per month per repository, with a maximum of three repositories per organization. The quotas reset every month.
  • Only the default security quality gates (SQGs) are included.
  • Only the standard data dictionary is included.

Supported CI/CD systems

The freemium integration is currently available for GitHub Actions. Support for other CI/CD systems will be added later.