IDE integration
The earlier you start thinking about the well-formedness and security of your APIs, the less you need to backtrack to fix issues later on. Following best practices already when developing your OpenAPI definitions makes getting it right less of a chore. You can install the extension OpenAPI (Swagger) Editor to your IDE to integrate API Security Audit and API Conformance Scan with your integrated development environments (IDEs). This lets you start checking the quality of your OpenAPI definition already when you are working on it.
You can also integrate Security Audit with your CI/CD pipeline so that any changes to APIs in your project are automatically audited for security. For more details, see CI/CD integration.
Supported IDEs
The integration extension OpenAPI (Swagger) Editor is currently available for the following IDEs:
- Microsoft Visual Studio Code (VS Code)
- JetBrains IntelliJ IDEA
- Eclipse IDE
You can find links to more details for all supported options from the 42Crunch Platform landing page.
How IDE integration works
To integrate your IDE with 42Crunch Platform, you must first install the extension OpenAPI (Swagger) Editor to your IDE. After that, you can choose either the free but limited experience, or the full experience for paying customers.
- Paying customers use IDE tokens to configure the IDE extension to access and authenticate to 42Crunch Platform. You can create IDE tokens in 42Crunch Platform, either on the landing page or in your platform account settings. This documentation describes usage for paying customers.
- Free customers can use freemium tokens in their IDEs to configure using the more limited freemium service locally. For more details on the freemium service, see Freemium User FAQ.
Features
IDE integration brings two of the main features of 42Crunch Platform — Security Audit and Conformance Scan — directly into your IDE:
- Audit your API definition with Security Audit to validate its quality and security already when working on it.
- Use the Try It feature to simply test how the operation you are developing currently works by sending a single HTTP request and modifying, for example, the parameters, request body, or authentication settings used.
- Hone your scan configuration and test the impact of your changes on the happy path request. This helps in getting the happy paths right even before you start the actual scan.
- Scan the API operation to check that the API implementation has no vulnerabilities and that it behaves correctly, even in response to malformed requests.
Scanning individual API operations gives focused results quickly on the API operation you are currently working on and avoids unnecessary noise during development time. You can scan the full API in your IDE when you are ready with your development work to see if there are other issues to fix. There are three options for how you can do this:
- 42Crunch API Security Tools (AST) binary: Automatically download the AST binary and run the scan locally on your machine.
- Conformance Scan on premises: Use the standard Conformance Scan v2 Docker images to run the scan in Docker locally on your machine (see Running Conformance Scan on premises).
- API Conformance Scan Jobs Manager: Add Scan Jobs Manager into your Kubernetes cluster to run Conformance Scan Docker images remotely as a Kubernetes job (see scand-manager repository).
In IDEs, you can currently only scan APIs locally on your machine, not from 42Crunch Platform. Only Scan v2 is supported.
Conformance Scan in IDEs does not currently take scan configurations from 42Crunch Platform; instead, it generates a default scan configuration and stores it in your local file system. You can view this configuration in your IDE and edit it as necessary, all the while checking in practice how your changes affect the scan. Once satisfied with your scan configuration, if you have the API in question already in 42Crunch Platform, you can even upload the scan configuration for it and use it when running Scan v2 on that API.
VS Code integration
The OpenAPI (Swagger) Editor for VS Code makes creating and navigating OpenAPI definitions quicker and easier, and integrates Security Audit and Conformance Scan with VS Code.
With the OpenAPI extension, you can run Security Audit straight from the VS Code window: just click the 42C button at the top edge. You need a token to authenticate to Security Audit.
You can also find a tutorial video on OpenAPI (Swagger) Editor in VS Code here.
Audit report in VS Code
Like in 42Crunch Platform, running Security Audit from VS Code gives an audit score for the API definition and produces a report on the found issues. However, navigating a report is a bit different from the platform UI.
The scoring, issue IDs, and the descriptions and remediations for all found issues are shown on the right. The status bar at the bottom left shows a quick overview on the severity levels of the found issues:
- Critical or high
- Medium
- Low
You can click on the icons to open the Problems view that shows the titles of critical, high, and medium issues.
The color blocks in the minimap show where in your API definition the issues occur, so you can easily hop to check the spot in your code. In the code, wavy lines in matching color mark the affected element and hovering on it shows all issues in that spot.
You can also open an audit report exported from 42Crunch Platform and view it in VS Code. See Load audit report from a file.
Conformance Scan in VS Code
Clicking Scan in VS Code opens the scan configuration, with all operations in your API listed by their operationId. Clicking on an operationId lets you view and edit the scan configuration for a particular operation. You can, for example:
- Create and edit scenarios, global preprocessing and postprocessing block, or custom tests. For more details, see Scan scenarios and playbooks.
- Populate environment variables used in your scan configuration with data from external sources, such as secrets.
- Change the scan runtime settings.
Not all scan settings might be available in the IDE.
You can find more information on Conformance Scan directly in your IDE on the Help tab.
If your API uses authentication, by default the scan in the IDE expects all security requirements to be required in any scan you perform, and the scan fails unless you specify all SCAN42C_SECURITY_ environment variables for them. However, if you only want to scan a single operation and do not want to specify other security requirements than what the operation in question uses, you can mark the other security requirements as not required, and switch them back to required when you are done.
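To see which security requirements a single operation actually uses (and which ones you could therefore mark as not required for a focused scan), it helps to resolve the OpenAPI security rules explicitly: an operation-level security list replaces the global one, and an explicit empty list means the operation is unauthenticated. The following helper is an added example, not part of the 42Crunch documentation or the extension's code. The sample API definition, the scheme names (ApiKeyAuth, BearerAuth) and the operationIds are constructed for illustration; how each scheme maps to a SCAN42C_SECURITY_ variable is not covered here.

```python
"""Resolve the security schemes each operation in an OpenAPI 3 definition requires.

Added example (not 42Crunch code). The definition below is a constructed sample.
"""
from typing import Dict, List, Set

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample definition; scheme names and operationIds are invented.
SAMPLE_API: dict = {
    "openapi": "3.0.3",
    "info": {"title": "Sample", "version": "1.0.0"},
    "security": [{"ApiKeyAuth": []}],  # global default for all operations
    "components": {
        "securitySchemes": {
            "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
            "BearerAuth": {"type": "http", "scheme": "bearer"},
        }
    },
    "paths": {
        "/status": {
            # security: [] switches authentication off for this operation only
            "get": {"operationId": "getStatus", "security": [],
                    "responses": {"200": {"description": "ok"}}},
        },
        "/items": {
            # no security key: inherits the global ApiKeyAuth requirement
            "get": {"operationId": "listItems",
                    "responses": {"200": {"description": "ok"}}},
            # operation-level security replaces (does not merge with) the global list
            "post": {"operationId": "createItem", "security": [{"BearerAuth": []}],
                     "responses": {"201": {"description": "created"}}},
        },
    },
}


def schemes_in(requirements: List[Dict[str, List[str]]]) -> Set[str]:
    """Flatten a requirement list (an OR of ANDed schemes) into the scheme names used."""
    return {name for requirement in requirements for name in requirement}


def security_by_operation(api: dict) -> Dict[str, Set[str]]:
    """Map each operationId to the set of security scheme names it requires."""
    global_requirements = api.get("security", [])
    result: Dict[str, Set[str]] = {}
    for path, path_item in api.get("paths", {}).items():
        for method, operation in path_item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as parameters or summary
            op_id = operation.get("operationId", f"{method.upper()} {path}")
            # Operation-level list overrides the global list entirely.
            requirements = operation.get("security", global_requirements)
            result[op_id] = schemes_in(requirements)
    return result


def undefined_schemes(api: dict) -> Set[str]:
    """Scheme names referenced by a requirement but missing from securitySchemes.

    A dangling reference is a well-formedness defect worth catching before a scan.
    """
    defined = set(api.get("components", {}).get("securitySchemes", {}))
    referenced = set().union(*security_by_operation(api).values())
    return referenced - defined


def schemes_not_needed_for(api: dict, operation_id: str) -> Set[str]:
    """Defined schemes the given operation does not use: the candidates to mark
    as not required when scanning only that operation."""
    defined = set(api.get("components", {}).get("securitySchemes", {}))
    return defined - security_by_operation(api).get(operation_id, set())


if __name__ == "__main__":
    for op_id, schemes in security_by_operation(SAMPLE_API).items():
        print(f"{op_id}: {sorted(schemes) or 'no authentication'}")
    print("undefined schemes:", undefined_schemes(SAMPLE_API))
    print("not needed for createItem:", schemes_not_needed_for(SAMPLE_API, "createItem"))
```

Run against the sample, `listItems` inherits the global ApiKeyAuth requirement, `createItem` needs only BearerAuth, and `getStatus` needs nothing; so a scan limited to `createItem` could have ApiKeyAuth marked as not required.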
IntelliJ integration
The OpenAPI (Swagger) Editor for IntelliJ IDEA makes creating and navigating OpenAPI definitions quicker and easier, and integrates Security Audit with IntelliJ.
With the OpenAPI extension, you can run Security Audit straight from the IntelliJ window: just click the 42C button at the top edge. You need a token to authenticate to Security Audit, so the first time you must provide your email address so that we can send you the token.
Audit report in IntelliJ
Like in 42Crunch Platform, running Security Audit from IntelliJ gives an audit score for the API definition and produces a report on the found issues. However, navigating a report is a bit different from the platform UI.
The scoring, issue IDs, and the descriptions and remediations for all found issues are shown on the right.
You can click on the icons to open the Problems view that shows the titles of critical, high, and medium issues:
- Critical or high
- Medium
- Low
The color blocks in the minimap show where in your API definition the issues occur, so you can easily hop to check the spot in your code. In the code, wavy lines in matching color mark the affected element and hovering on it shows all issues in that spot.
You can also open an audit report exported from 42Crunch Platform and view it in IntelliJ. See Load audit report from a file.
Eclipse integration
The OpenAPI (Swagger) Editor for Eclipse IDE makes creating and navigating OpenAPI definitions quicker and easier, and integrates Security Audit with Eclipse.
With the OpenAPI extension, you can run Security Audit straight from the Eclipse window: just click the 42C button at the top edge of the workbench. You need a token to authenticate to Security Audit, so the first time you must provide your email address so that we can send you the token.
Audit report in Eclipse
Like in 42Crunch Platform, running Security Audit from Eclipse gives an audit score for the API definition and produces a report on the found issues. However, navigating a report is a bit different from the platform UI.
The scoring, issue IDs, and the descriptions and remediations for all found issues are shown on the right.
You can click on the icons to open the Problems view that shows the titles of critical, high, and medium issues:
- Critical or high
- Medium
- Low
The color blocks in the minimap in the editor show where in your API definition the issues occur, so you can easily hop to check the spot in your code. In the code, dashed lines in matching color mark the affected element and hovering on it shows all issues in that spot.