Define security quality gates

Security quality gates (SQGs) set the baseline for specific quality criteria that APIs must reach. As part of performing an action like auditing the API definition or scanning the API implementation, the API must also meet the criteria of the SQG.

To view SQGs in your organization, click Security quality gates in the main menu of 42Crunch Platform on the left. You can see all SQGs already in your organization

The screenshot shows the default security quality gate in its default configuration.

Edit a default security quality gate

Each organization gets default SQGs for both API Security Audit and API Conformance Scan out of the box. Default SQGs are automatically applied to all APIs in your organization. Organization administrators cannot delete or remove the default SQGs, but can edit them as needed.

  1. On the default SQG you want, click > Update.
  2. Change the name of the SQG if you want, and click Configure audit criteria or Configure scan criteria, depending which default SQG you are updating.
  3. Edit the criteria as you want. Check the tooltips next to the criteria to see what their impact is.

    A screenshot showing the score and severity criteria for audit in the update dialog.

    The default SQGs are automatically applied to all APIs, and if you have integrated Security Audit with your CI/CD system, this may hinder CI/CD builds, especially with APIs that are just in the beginning of their development. As a workaround, you can remove severity restrictions from the default audit SQG, and set them in another audit SQG that you apply with tags to APIs as they mature. Note that this does not fix issues in your APIs, merely hides them from the audit SQG, and you need to remember to manually tag your APIs to apply the tighter quality criteria.

  4. Click Rejected issues, and select what issues, if any, cause the SQG to fail.
  5. When you are ready, click Update security quality gate.

The status of the SQG passing or failing is updated based on your changes the next time an action is performed on any API, such as running Security Audit or viewing an audit or scan report.

If you have integrated Security Audit with your CI/CD pipeline, the integration plugin automatically checks the status of SQGs applied to the APIs it discovered. If any of the SQGs fails, the CI/CD build fails too. CI/CD integration for API Conformance Scan is coming, but currently scan SQGs can only be enforced in 42Crunch Platform, not on your CI/CD.

The fail-on criteria you set in the CI/CD plugin are independent from the acceptance criteria defined in SQGs, and the plugin can fail even if SQGs pass. For example, CI/CD plugins by default fail APIs that do not have valid OpenAPI definitions, but in SQGs you need to specifically switch this on. This means that your CI/CD build can fail either because the criteria of a SQG or the criteria of the CI/CD plugin are not met, or both, and so just looking at SQGs to explain why a build has failed may not be enough.

Create additional security quality gates

You can also create additional SQGs and apply them to the APIs you want using tags.

  1. Before you start, make sure that the category and tag you want to associate with the new SQG already exists. See Create new tags and categories.

    We recommend adding a dedicated category for SQGs, so that it is easy to find the related tags. We also recommend that you do not allow users to create tags in this category, so that organization administrators stay in control of these.

  2. Go to the list of your SQGs, and do one of the following:
    • To start from the baseline defined in an existing SQG, such as your default SQG, go to the SQG you want, and click > Copy.
    • To start from scratch, click New security quality gate, and select which SQG you want to create.
  3. Enter a name for the rule, and select which category and tag it is associated with.

    The screenshot shows a new SQG that has been sassociated with a tag category and a tag.

  4. Configure the acceptance criteria that you want the SQG to impose. Check the tooltips next to the criteria to see what their impact is.
  5. When you are ready, click Create security quality gate.
  6. To apply your new SQG to an API, tag the API with the category:tag pair you associated with the SQG. See Apply tags to APIs.

Once the SQG is applied to the API, the status of it passing or failing is updated based on your changes the next time an action, such as running Security Audit or viewing the audit report, is performed on the API.

View approval reports from security quality gates

Once a SQG is applied to an API, the API must pass the quality criteria defined in the SQG. For example, when you run Security Audit on an API, the results from the audit are compared to the criteria of the audit SQG. The results from SQGs are listed in an approval report.

  1. In 42Crunch Platform, find the API you want, and click to view the API summary. The quickest way to find API definitions in 42Crunch Platform is to click Find API in the main menu. You can see if the security quality gates have passed or failed alongside the results from the latest audit or scan.

    You can also quickly check the overall status of which SQGs are passing and which failing when you view APIs in an API collection.

  2. Click Read report either on Security Audit or Conformance Scan, depending on which SQG you want (audit and scan SQGs are shown separately). You can see the latest report, with the overall status of the applied security quality gate shown above the issue list.

  3. To view the approval report from the applied SQGs, click Check the SQG approval report
    • Audit SQG: The criteria that failed are highlighted in red. You can also filter the audit report to show only the to-do list of issues that you must fix to pass the SQG.

      The screenshot shows a SGQ approval report for the Petstore API that has failed the audit criteria set in the default SQG: the audit score of the API is only 45/100 and is highlighted in red, because the SQG requires at least 70/100.

    • Scan SQG: A failed SQG is highlighted in red.

You can also download the approval report form each SQG as JSON, for example, to share it to other teams.

Manage handling of criteria from default and tag-based SQGs

Organization administrators can control when the default SQGs are overridden, to make it easier to understand why an API has failed a SQG and prevent unpredictable combinations of SQG criteria for the same feature. This can be done either for all SQGs in the organization, or as case-by-case basis for individual SQGs.

You can view how SQG criteria combine and which SQG takes precedence for which criteria on the API summary page.

The example screenshot shows how two SQGs, AC001 and AC003, combine for different sections: for the validation section, AC001 is the strictest SQG, but for minimum acceptable scores and allowed severity levels some criteria are stricter in AC001 and some in AC003, so both SQGs are listed for these.

For more details, see Combining criteria from multiple SQGs.

Manage default SQG override on organization level

For ease of use, you can define how default and tag-based are handled throughout your organization.

  1. Click next to your username, and click System preferences.
  2. In Handling of default customization rules and SQGs, switch the setting off or on according to the behavior you want:
    • To ignore the criteria from default SQGs on APIs that are tagged for another SQG of the same type, switch the setting off.
    • To allow combining the criteria from the default SQGs with the SQGs applied with tags, switch the setting on.

Your chosen handling is now applied to any SQGs in your organization.

Manage default SQG override on individual SQGs

If one-size-fits-all rule does not work for you, you can also only allow particular SQGs you have created to override the criteria from default SQGs, while rest of your SQGs keep using combined criteria.

  1. Find the SQG you want, and click > Update.
  2. On the first tab, switch on Override default SQG, and save your changes.

The SQG you selected now takes precedence over the default SQG of the same type: on APIs that have been tagged for it, only the quality criteria from this SQG determine if the API passes or fails.

Delete a security quality gate

You cannot delete the default SQGs, but you can delete the SQGs you have created yourself and that you no longer need. Just click > Delete on the SQG you want to remove.

Deleting a SQG permanently removes it from 42Crunch Platform. This action cannot be undone.

Deleting a SQG does not delete the category or tag associated with it, nor does it remove the tag from APIs where the SQG has been applied.

What is...

Security quality gates

Tags

API Security Audit

CI/CD integration

How to...

Audit API security

Tag APIs

Integrate CI/CD solutions with 42Crunch Platform