Define security quality gates

Security quality gates (SQGs) set the baseline for specific quality criteria that APIs must reach. As part of performing an action like auditing the API definition or scanning the API implementation, the API must also meet the criteria of the SQG.

To view SQGs in your organization, click Security quality gates in the main menu of 42Crunch Platform on the left. You can see all SQGs already in your organization.

The screenshot shows the default security quality gate in its default configuration.

Edit a default security quality gate

Each organization gets default SQGs for both API Security Audit and API Conformance Scan out of the box that are automatically applied to all APIs in your organization. Organization administrators cannot delete or remove the default SQGs, but can edit them as needed.

  1. On the default SQG you want, click > Update.
  2. Change the name of the SQG if you want, and click Criteria for audit or Criteria for scan, depending which default SQG you are updating.
  3. Edit the acceptance criteria as you want. Check the tooltips next to the criteria to see what their impact is.

    A screenshot showing the audit criteria in the update dialog.

    The default SQGs are automatically applied to all APIs, and if you have integrated Security Audit with your CI/CD system, this may hinder CI/CD builds, especially with APIs that are still at the beginning of their development. As a workaround, you can remove severity restrictions from the default audit SQG, and set them in another audit SQG that you apply with tags to APIs as they mature. Note that this does not fix issues in your APIs, it merely hides them from the default audit SQG, and you need to remember to manually tag your APIs to apply the tighter quality criteria.

  4. When you are ready, click Update security quality gate.

The status of the SQG passing or failing is updated based on your changes the next time an action is performed on any API, such as running Security Audit or viewing an audit or scan report.

If you have integrated Security Audit with your CI/CD pipeline, the integration plugin automatically checks the status of SQGs applied to the APIs it discovered. If any of the SQGs fails, the CI/CD build fails too. CI/CD integration for API Conformance Scan is coming, but currently scan SQGs can only be enforced in 42Crunch Platform, not on your CI/CD.

The fail-on criteria you set in the CI/CD plugin are independent from the acceptance criteria defined in SQGs, and the plugin can fail even if SQGs pass. For example, CI/CD plugins by default fail APIs that do not have valid OpenAPI definitions, but in SQGs you need to specifically switch this on. This means that your CI/CD build can fail because the criteria of a SQG are not met, because the criteria of the CI/CD plugin are not met, or both, so looking only at SQGs to explain why a build has failed may not be enough.

Create additional security quality gates

You can also create additional SQGs and apply them to the APIs you want with tags.

  1. Before you start, make sure that the category and tag you want to associate with the new SQG already exists. See Create new tags and categories.

    We recommend adding a dedicated category for SQGs, so that it is easy to find the related tags. We also recommend that you do not allow users to create tags in this category, so that organization administrators stay in control of these. If you want, you can also restrict that category so that users can only apply a single tag from it and thus single SQG to any one API.

  2. Go to the list of your SQGs, click New security quality gate, and select which SQG you want to create.
  3. Enter a name for the rule, and select which category and tag it is associated with. Each category:tag pair can apply only a single SQG.

    The screenshot shows a new SQG that has been associated with a tag category and a tag.

  4. Configure the acceptance criteria that you want the SQG to impose. Check the tooltips next to the criteria to see what their impact is.
  5. When you are ready, click Create security quality gate.
  6. To apply your new SQG to an API, tag the API with the category:tag pair you associated with the SQG. See Apply tags to APIs. You can tag your API to apply as many SQGs to it as you want.

Once the SQGs are applied to APIs, the status of them passing or failing is updated based on your changes the next time an action is performed on any API, such as running Security Audit or viewing an audit or scan report.

View approval reports from security quality gates

Once a SQG is applied to an API, the API must pass the quality criteria defined in the SQG. For example, when you run Security Audit on an API, the results from the audit are compared to the criteria of the audit SQG. If your API has multiple SQGs applied to it, each of them is executed independently. The results from all SQGs are listed in an approval report.
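The rules stated above (default SQGs apply to every API, tagged SQGs apply only to APIs carrying their category:tag pair, each applied SQG is evaluated independently and listed in the approval report, and the CI/CD plugin's own fail-on criteria are separate from the SQG criteria) can be illustrated with a small model. The following Python is an added example written for this page; it is not 42Crunch code, does not use the 42Crunch API or the platform's report format, and the gate names, criteria fields, tag values and audit results in it are constructed assumptions. It also shows the workaround from the editing section: a default gate with only a score threshold, and a tagged gate that carries the severity limits.

```python
"""Hypothetical model of how SQG verdicts are produced and combined with
CI/CD plugin criteria. Field names, gate names, tags and results below are
constructed for illustration; they are not 42Crunch Platform's own format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class AuditResult:
    api_name: str
    score: int                          # audit score, 0..100
    valid_openapi: bool                 # definition parsed as valid OpenAPI
    issues_by_severity: Dict[str, int]  # e.g. {"critical": 1, "high": 3}
    tags: FrozenSet[str]                # "category:tag" pairs applied to the API


@dataclass(frozen=True)
class AuditGate:
    name: str
    min_score: int = 0
    max_issues: Dict[str, int] = field(default_factory=dict)  # severity -> allowed count
    require_valid_openapi: bool = False  # off unless switched on, as the page notes
    tag: Optional[str] = None            # None = default gate, applies to every API


def evaluate_gate(gate: AuditGate, result: AuditResult) -> Tuple[bool, List[str]]:
    """Evaluate one gate on its own; return (passed, list of failed criteria)."""
    failed: List[str] = []
    if result.score < gate.min_score:
        failed.append(f"score {result.score}/100 below minimum {gate.min_score}/100")
    for severity, limit in gate.max_issues.items():
        count = result.issues_by_severity.get(severity, 0)
        if count > limit:
            failed.append(f"{count} {severity} issue(s) exceed limit {limit}")
    if gate.require_valid_openapi and not result.valid_openapi:
        failed.append("OpenAPI definition is not valid")
    return (not failed, failed)


def applicable_gates(gates: List[AuditGate], result: AuditResult) -> List[AuditGate]:
    """Default gates always apply; tagged gates apply only if the API carries the tag."""
    return [g for g in gates if g.tag is None or g.tag in result.tags]


def approval_report(gates: List[AuditGate], result: AuditResult) -> Dict[str, Tuple[bool, List[str]]]:
    """One independent verdict per applied SQG, keyed by gate name."""
    return {g.name: evaluate_gate(g, result) for g in applicable_gates(gates, result)}


def ci_build_passes(gates: List[AuditGate], result: AuditResult,
                    plugin_fail_on_invalid_openapi: bool = True):
    """The build fails if any applied SQG fails OR the plugin's own criteria trip."""
    report = approval_report(gates, result)
    sqg_ok = all(passed for passed, _ in report.values())
    plugin_ok = not (plugin_fail_on_invalid_openapi and not result.valid_openapi)
    return sqg_ok and plugin_ok, report


# Constructed gates: the default one keeps only a score threshold, the
# tagged "production" one carries the severity limits (the workaround above).
DEFAULT_AUDIT_GATE = AuditGate(name="Default audit SQG", min_score=70)
PRODUCTION_GATE = AuditGate(name="Production audit SQG", min_score=70,
                            max_issues={"critical": 0, "high": 0},
                            require_valid_openapi=True, tag="sqg:production")
GATES = [DEFAULT_AUDIT_GATE, PRODUCTION_GATE]

# Constructed audit results (the Petstore numbers mirror the 45/100 vs 70/100 case).
PETSTORE = AuditResult("Petstore", 45, True, {"critical": 1, "high": 3},
                       frozenset({"sqg:production"}))
DRAFT_API = AuditResult("Draft API", 80, False, {}, frozenset())

if __name__ == "__main__":
    for api in (PETSTORE, DRAFT_API):
        ok, report = ci_build_passes(GATES, api)
        print(f"{api.api_name}: build {'passes' if ok else 'FAILS'}")
        for gate_name, (passed, reasons) in report.items():
            print(f"  {gate_name}: {'pass' if passed else 'FAIL'} {reasons}")
```

Running the block shows the two situations the page describes: Petstore fails both applied gates (the default one on score, the tagged one on score and severities), while the draft API passes its only applied gate yet still fails the build, because the plugin's default fail-on-invalid-OpenAPI criterion is independent of the SQG.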

  1. In 42Crunch Platform, find the API you want, and click it to view the API summary. The quickest way to find API definitions in 42Crunch Platform is to click Find API in the main menu. You can see if the security quality gates have passed or failed alongside the results from the latest audit or scan.

    You can also quickly check the overall status of which SQGs are passing and which are failing when you view APIs in an API collection.

  2. Click Read report on either Security Audit or Conformance Scan, depending on which SQGs you want (audit and scan SQGs are shown separately). You can see the latest report, with the overall status of the applied security quality gates shown above the report text. The badges on the banner show which types of gates (audit or scan) failed or passed.

    If the API has not been scanned yet, the status of scan SQGs is not available.

  3. To view the approval reports from the applied SQGs:
    • Audit SQGs: Expand the SQG banner, and click on the tags of SQGs applied to the API to view their status. The criteria that failed are highlighted in red. You can also filter the audit report to show only the to-do list of issues that you must fix to pass the SQGs.

      The screenshot shows a SQG approval report for the Petstore API that has failed the audit criteria set in the default SQG: the audit score of the API is only 45/100 and is highlighted in red, because the SQG requires at least 70/100.

    • Scan SQGs: click Get approval report, and click on the tags of SQGs applied to the API to view their status. SQGs that failed are highlighted in red.

You can also download the approval report from each SQG as JSON, for example, to share it with other teams.

Delete a security quality gate

You cannot delete the default SQGs, but you can delete the SQGs you have created yourself and that you no longer need. Just click > Delete on the SQG you want to remove.

Deleting a SQG permanently removes it from 42Crunch Platform. This action cannot be undone.

Deleting a SQG does not delete the category or tag associated with it, nor does it remove the tag from APIs where the SQG has been applied.